Cookie Policy
Last updated: 2026-05-28.
We use cookies sparingly, and only the ones we need to run the service. Every cookie listed here is strictly necessary under EU and UK cookie law (PECR / GDPR ePrivacy) — there are no advertising, fingerprinting, or third-party analytics cookies on this domain.
That's why the banner on our site is one-tap "Got it" rather than a two-screen Yes/No flow: there's nothing to opt out of.
Cookies we set
| Cookie | Purpose | Lifetime | Type |
|---|---|---|---|
| session | Logged-in session for the tenant admin and end-user inbox | 14 days from last activity | Strictly necessary |
| csrf_token | Anti-forgery token paired with the session | Same as session | Strictly necessary |
| tenant_brand | Caches the tenant's selected brand colors so a page can render before its first API call (UX only) | 30 days | Strictly necessary |
All cookies are scoped to inbox.<tenant-domain> and marked HttpOnly, Secure, and SameSite=Lax.
Cookies we DON'T set
We do not set advertising cookies. We do not embed third-party analytics (Google Analytics, Mixpanel, Segment, etc.). We do not embed social sharing widgets that fingerprint visitors. There is no cross-site tracking on this domain.
If we add anything in the future that requires opt-in consent, we'll update this page and show a real consent banner — not a faux one.
How to control cookies
You can clear our cookies the same way you'd clear any other site's: in your browser's privacy settings. Doing so will log you out of the inbox, but no other functionality depends on them.
Subprocessors set cookies on their own domains
When you use Stripe Checkout to subscribe, stripe.com sets cookies on its own domain. Their policy is at https://stripe.com/cookie-settings.
Similarly, Cloudflare may set a single bot-check cookie (__cf_bm) on its own edge, with the sole purpose of stopping bots from filling up our signup form. Their policy is at https://www.cloudflare.com/cookie-policy/.
We don't set or read either cookie.
Contact
Questions about how we use cookies: privacy@talkingunicorn.email.