Cookies, storage, and signals we use.

This policy describes the cookies and equivalent storage technologies (localStorage, sessionStorage, IndexedDB, and similar mechanisms) that VeryQuery uses across three distinct surfaces:

• The marketing site at veryquery.com and its subdomains.
• The dashboard at dashboard.veryquery.com, including the admin console.
• The storefront embeds we ship as part of the Shopify integration and the public storefront API.

We use the term "cookies" throughout for readability, but the technical details below distinguish actual HTTP cookies from other browser storage mechanisms where the distinction matters.

We do not use cookies to deliver advertising, build cross-site advertising profiles, or share data with advertising networks. We have no advertising business and no plans to start one. See §06.

On the marketing site we use three categories of cookies and storage:

Strictly necessary

None today. The marketing site is largely static and renders the same way for every visitor; we do not set cookies to deliver it.

Performance and analytics

Google Analytics 4 (cookie names beginning _ga) for aggregated visitor analytics. Used to understand which pages are visited and how long visitors stay. Data is sent to Google in a region appropriate to our settings; we do not link Analytics data to a specific named visitor.

Functional

None on the marketing site today beyond what Analytics requires.

You can opt out of Google Analytics by installing Google's opt-out browser add-on, by configuring your browser's "Do Not Track" signal (Google's compliance with which depends on the version of Analytics), or by blocking the Analytics domain at the network or browser level.

The dashboard is an authenticated application. It uses browser storage to manage your session and your in-product context:

Authentication

An HTTP-only refresh-token cookie scoped to dashboard.veryquery.com. Used to mint short-lived access tokens for API calls. Required for the dashboard to function; cannot be opted out of while signed in.

Access tokens

Short-lived JSON Web Tokens kept in localStorage on the dashboard origin. Used as bearer credentials on API requests. Required for the dashboard to function.

Context

sessionStorage entries that hold your current Org and Property selections per browser tab, with a corresponding localStorage seed used when you open a fresh tab. These let two tabs operate against different Orgs simultaneously. Functional, not analytical.

Analytics

Google Analytics 4 on the dashboard origin, as on the marketing site, for aggregated usage analytics.

The authentication and context storage are first-party only; they are not shared with any third party.

The storefront embed runs on your shoppers' browsers when they visit a merchant's online store that has installed our Shopify app or otherwise embedded our storefront script. The embed does not set persistent cookies on the shopper's browser.

Session identifier

A random opaque identifier generated in the shopper's browser and held in sessionStorage. Used to correlate the shopper's search queries, similar-item views, and cart actions within a single browsing session so the merchant's intelligence aggregates can be computed. Cleared automatically when the shopper closes the tab.

Cart-action correlation

Hash-only identifiers of items the shopper interacted with, used to compute conversion signals at the merchant's catalog level. Held only in sessionStorage.

No persistent cookies

The embed does not write any HTTP cookies. It does not use localStorage or IndexedDB. Closing the browser tab clears all storefront-embed state.

We do not collect personally-identifiable information about shoppers through the embed. We do not have access to a shopper's name, email address, payment information, shipping address, or any other identifier the merchant collects through the storefront. The session identifier is not linked to a named person on our side.

The session-storage mechanism we use is not, in the strict GDPR sense, a "cookie." Some consent-management frameworks nonetheless categorize sessionStorage-based identifiers as functional or strictly-necessary cookies for the purposes of disclosure. Merchants should configure their consent banner to map our integration as they consider appropriate to their own legal framework.

We use Google Analytics 4 on our marketing site and dashboard for aggregated visitor and usage analytics. We do not configure Analytics to share data with Google for advertising purposes, do not enable Google Signals, and do not pass User-ID data to Google.

We do not use any other third-party analytics, measurement, or session-replay vendor on any VeryQuery-controlled property as of the effective date above.

VeryQuery does not run an advertising business. We do not:

• Place advertising on the marketing site, dashboard, or storefront embed.
• Use cookies, identifiers, or browser fingerprinting to build profiles for advertising.
• Share data with advertising networks, demand-side platforms, or ad-targeting vendors.
• Permit our integration on a merchant's storefront to set advertising cookies on the merchant's behalf.

The only third-party cookies we cause to be set on a VeryQuery-controlled origin are Google Analytics 4's first-party-ish cookies for aggregated usage measurement, as described in §05.

You can manage cookies through your browser's settings: most browsers let you block third-party cookies, clear cookies on exit, or block specific domains. Doing so on dashboard.veryquery.com will sign you out and prevent the dashboard from holding your context across tabs.

You can install a content-blocker (uBlock Origin, AdGuard, etc.) and disable the script source for Google Analytics if you want to opt out of analytics while continuing to use the dashboard.

We do not maintain a separate consent-management surface on the marketing site or dashboard at this time. We may add one if the deployment of additional analytics or marketing tooling requires it.

The third parties whose code or services receive data from cookies or browser storage on our origins are listed in the Sub-Processor List. As of the effective date the relevant entries are Google Analytics 4 and Cloudflare (for CDN and security-only purposes; Cloudflare does not receive analytics data from the marketing site or dashboard).

We will update this policy if we add new tracking technologies, change the categories of cookies we use, or onboard a new analytics or measurement vendor. Material changes are subject to the change-of-terms procedure in the Terms of Service. Non-material clarifications may be posted without notice.

Questions about cookies and tracking: [email protected].