Cookie Policy
Last updated: 19 June 2026
This Cookie Policy explains how ReRooted uses cookies and similar technologies when you use our website and service.
1. What Are Cookies?
Cookies are small text files that are stored on your device (computer, tablet, or mobile) when you visit a website. They are widely used to make websites work efficiently and provide information to website owners.
2. Cookies We Use
ReRooted uses essential cookies that are necessary for the operation of our service, together with a limited set of analytics and advertising technologies that help us understand how the service is used and measure the effectiveness of our marketing. Analytics runs by defaultwherever you are, and you can switch it off at any time through the "Your Privacy Choices" link in the footer (see Section 5). Advertising (the Meta Pixel) runs by default for visitors outside the EEA and UK; for EEA and UK visitors we do not run itunless you turn it on yourself. We do not use cookies to build advertising profiles that follow you around the web beyond the conversion-measurement use described in Section 2.3, we honour Global Privacy Control / Do Not Track as an opt-out of advertising "sharing" everywhere, and we apply protective defaults (described below) to the third-party tools we do use.
- Essential (always on): authentication, session management, and security. These are described in Section 2.1 below and cannot be switched off.
- Analytics:PostHog and Google Analytics 4, used to understand how the product is used so we can improve it. On by default everywhere; you can switch it off via "Your Privacy Choices".
- Advertising (optional): the Meta (Facebook) Pixel, which shares limited activity with Meta for advertising measurement. Outside the EEA and UK it loads by default and you can switch it off at any time; for EEA and UK visitors it does not load unless you turn it on. It never loads when your browser sends a Global Privacy Control or Do-Not-Track signal.
Analytics runs by default everywhere and advertising runs by default outside the EEA and UK; EEA and UK visitors are not served the advertising Pixel unless they turn it on. You can turn any non-essential category off (or, in the EEA/UK, advertising on) at any time via the "Your Privacy Choices" link. See Section 2.3 for the specific providers and Section 5 to change your choices at any time.
2.1 Session Cookies (Essential)
| Purpose | Cookie Name | Description | Duration |
|---|---|---|---|
| Authentication | rerooted.* | Keeps you signed in while you use ReRooted. This cookie is set when you log in and allows you to access your account securely. | 7 days (refreshed on activity) |
| Session Cache | rerooted.* | Caches session data to reduce database lookups during session validation, improving page load performance. | 5 minutes |
| CSRF Protection | _csrf | Protects against cross-site request forgery attacks. This security measure ensures that actions are performed by you and not by malicious third parties. | 1 hour |
2.2 Cookie Security
Our cookies are configured with the following security attributes:
- HttpOnly: Cookies cannot be accessed by JavaScript, protecting against cross-site scripting (XSS) attacks
- Secure: In production, cookies are only transmitted over HTTPS encrypted connections
- SameSite=Lax: Cookies are not sent with cross-site requests, providing additional protection against cross-site request forgery
2.3 Analytics & Advertising (Non-Essential)
We use the following third-party tools to measure usage and marketing performance, each configured conservatively as noted. You control them through the "Your Privacy Choices" link (Section 5) and can also block them through your browser settings — either way without affecting your ability to use the service.
| Provider | Purpose | Storage | Default posture |
|---|---|---|---|
| Vercel Analytics | Aggregate page-traffic analytics | None (cookieless) | No cross-site identifier; no advertising use |
| PostHog | First-party product analytics (which features are used) | First-party localStorage + cookie holding an anonymous device identifier | Loaded only after you allow analytics; no session recording; no advertising use; not shared for advertising |
| Google Analytics 4 | Aggregate behavioural analytics | _ga and related analytics cookies | Loaded by default (you can switch analytics off); advertising features (ad_storage, ad_user_data, ad_personalization) granted by default outside the EEA/UK, denied for EEA/UK visitors |
| Meta (Facebook) Pixel | Measuring ad conversions (e.g., sign-ups from our campaigns) | _fbp advertising cookie set by Meta | On by default outside the EEA/UK (you can switch it off); not loaded for EEA/UK visitorsunless you turn it on; Meta Limited Data Use enabled; never loads when your browser sends a Global Privacy Control or Do Not Track signal |
3. Session Management
Our session cookies work as follows:
- Session duration: Your session remains active for up to 7 days from your last activity
- Sliding window: If you use ReRooted within the last 24 hours before your session expires, it is automatically extended by another 7 days
- Sign out: When you explicitly sign out, your session is immediately invalidated and the cookies are cleared
- Inactivity: Sessions that remain inactive for 7 days are automatically expired
4. Third-Party Cookies
The analytics and advertising tools described in Section 2.3 (Google Analytics, PostHog, and the Meta Pixel) set their own cookies through the scripts they load. These are not loaded until you opt in and can be turned off at any time via "Your Privacy Choices" (Section 5). In addition, the following third-party services may set their own cookies when you interact with them:
- Stripe: Our payment processor may set cookies necessary for secure payment processing. These cookies are subject to Stripe's Privacy Policy.
- Google: If you sign in using Google, cookies may be set during the authentication process. These are subject to Google's Privacy Policy.
- Facebook: If you sign in using Facebook, cookies may be set during the authentication process. These are subject to Meta's Privacy Policy.
Social login providers are only active when configured. Not all sign-in methods may be available at all times.
5. Managing Cookies
"Your Privacy Choices". The analytics and advertising categories described in Section 2 run by default (except the advertising Pixel for EEA/UK visitors, which is off unless you turn it on). You can review and change these at any time using the Your Privacy Choices link in the site footer, which opens a preferences panel where you can Accept all, Reject non-essential, or toggle the analytics and advertising categories individually. Your selection is remembered on your device (via a cookie and local storage) so it persists across visits.
You can also control and delete cookies through your browser settings. However, please note that if you disable our essential cookies:
- You will not be able to stay signed in to your account
- Some security features may not work properly
- You may need to sign in each time you visit
Browser Cookie Settings
Most web browsers allow you to manage cookies through their settings. Here are links to instructions for common browsers:
6. Do Not Track & Global Privacy Control
Browser "Do Not Track" (DNT) signals are not standardised and there is no agreed legal meaning for how a service must respond, so we do not promise to honour them uniformly across every tool. As a matter of practice:
- Meta Pixel (advertising): does notload when your browser sends a Global Privacy Control (GPC) or Do-Not-Track signal, so no advertising data is sent to Meta from your browser in that case. GPC is a recognised opt-out of advertising "sharing" under California law, which we honour automatically for the Pixel. We apply this as a floor even if you select "Accept all" in your privacy choices. Separately from the Pixel — and not set by cookies — we send Meta limited conversion measurement events directly from our servers (the Conversions API) for advertising attribution. Upper-funnel advertising events, such as paid landing-page views, are sent only when advertising is enabled for you; signup and purchase conversion mirrors are sent with Meta's "Limited Data Use" mode enabled and are described in our Privacy Policy.
- First-party product analytics (PostHog) and Google Analytics:these measure aggregate usage of our own service and do not change their behaviour based on a DNT signal. They run by default and are instead governed by your choice in "Your Privacy Choices" (Section 5), and you can also block them via your browser settings.
We do not track you across other websites for advertising beyond the conversion measurement described in Section 2.3.
7. Changes to This Policy
We may update this Cookie Policy from time to time. We will notify you of any changes by posting the new policy on this page and updating the "Last updated" date.
8. Related Policies
For more information about how we handle your data, please also review:
9. Contact Us
If you have any questions about our use of cookies, please contact us through our support channels.