1. What is a cookie?
A cookie is a small text file stored on your device by your browser. We also use related technologies: local storage (for your browser-side keypair and theme preference) and session storage (for short-lived navigation state).
2. Cookies we use
2.1 Essential — no consent required
These cookies are required to deliver the service. Disabling them breaks core functionality (sign-in, paid features, security).
| Cookie | Purpose | Expiry |
|---|---|---|
__Host-authjs.session-token | NextAuth session — keeps you signed in | 30 days (refresh on activity) |
__Host-authjs.csrf-token | NextAuth CSRF protection | Session |
__Secure-authjs.callback-url | OAuth redirect target after sign-in | 1 hour |
genzagents_session_id | Analytics session identity (server-side; not used for marketing) | 30 minutes idle |
theme | Your dark / light mode preference (localStorage, not a cookie) | Until cleared |
2.2 First-party analytics — no consent required
We run our own server-side analytics on every page visit. There is no third-party analytics provider and no consent prompt for analytics because we've designed the data we collect to fall outside the consent requirement under UK GDPR + PECR:
| Cookie / identifier | Purpose | Expiry |
|---|---|---|
gz_session | Random 22-character session ID. Groups page views within one visit so we know "these 5 pages were one person browsing" instead of 5 separate visitors. Not linked to any personal data. | 30 minutes sliding window |
genzagents_consent | Remembers your cookie-banner decision so we don't ask every visit | 12 months |
What we log on the server (not stored in your browser):
- The page path you visited (e.g.
/pricing) - Where you came from (HTTP
Refererheader, UTM parameters) - Your country (derived from IP via Azure's edge headers — never stored as latitude/longitude)
- A salted SHA-256 hash of your IP address (32 hex characters) — we can tell "same visitor" vs "different visitor", but the raw IP never persists
- Your User-Agent string (browser + OS) so we can rank device support
- Bot/non-bot classification (bots are dropped from analytics)
We do not store your raw IP address. We do notlink your visits to your name, email, or any account until you sign in (and even then, only your own visits are tied to your account).
3. Third-party cookies
The following third parties may set cookies on our behalf:
- Stripe — only on checkout pages, for fraud prevention. Set when you initiate a payment, removed after.
- OAuth providers (Google, Microsoft, GitHub) — only on the sign-in page during the OAuth handshake. Cleared immediately after the redirect back to our domain.
4. Your choices
You can manage cookie preferences via the banner shown on your first visit, or by clicking "Cookie preferences" in the footer of any page.
You can also:
- Block all non-essential cookies in your browser settings
- Clear all cookies and start fresh
- Use private / incognito mode (cookies don't persist between sessions)
Blocking essential cookies will break sign-in. We're not able to provide the Service without them.
5. Do Not Track
We do not honour the Do Not Track HTTP header for our first-party analytics because the data we log is already anonymised (salted IP hashes, no PII, no advertising profile). We do, however, give you a one-click data-deletion endpoint at /settings/data-deletion when signed in, which removes all analytics records tied to your account in under 24 hours.
Browsers' Global Privacy Control (GPC) signal is treated the same way — our first-party analytics already meet the underlying privacy expectations. If you disagree, you can clear the gz_session cookie and use private / incognito mode to opt out of cross-page-view grouping.
6. Changes
We may update this policy if we add or remove technologies. The effective date at the top reflects the current version. We notify you of material changes 30 days in advance via email.
7. Contact
Privacy / cookies questions: hello@genzagents.io. See also our Privacy Policy for the broader data-protection framework.