Cookie Policy
- Effective:
- May 12, 2026
- Last updated:
- May 9, 2026
Applies to vicaso.com, properties.vicaso.com, and all Vicaso services.
This is a baseline policy prepared for review by qualified legal counsel before production deployment. If you have questions, email privacy@vicaso.com.
1. What This Policy Covers
This Cookie Policy explains how Vicaso, LLC (“Vicaso,” “we,” “us”) uses cookies and similar tracking technologies on vicaso.com, properties.vicaso.com, the property-website pages at vicaso.com/p/[slug], and the client, photographer, editor, and admin portals (collectively, the “Service”).
This Policy is a supplement to our Privacy Policy. Capitalized terms not defined here have the meanings given in the Privacy Policy.
2. What Cookies Are
A cookie is a small text file that a website stores on your device through your browser. Cookies allow the website to remember information about your visit (such as your login session, preferences, or pages you have viewed) so the next interaction is faster and more useful.
We also use similar technologies, including:
- Local and session storage — small data caches in your browser used by the Service to keep you signed in and to store UI preferences;
- Pixels and beacons — tiny embedded images that record when content is viewed;
- SDKs and scripts — JavaScript loaded into the Service that may set cookies or local storage on behalf of the providers we use.
Throughout this Policy, references to “cookies” include these similar technologies unless context indicates otherwise.
Cookies can be:
- First-party — set by Vicaso directly;
- Third-party — set by services we embed (such as analytics providers);
- Session — deleted when you close your browser;
- Persistent — retained for a set period or until cleared.
3. Categories of Cookies We Use
We organize cookies into four categories:
3.1 Strictly necessary
These cookies are required for the Service to function. They cannot be disabled while you use the Service. Examples:
- Authentication and session. Keeps you signed in to your account; expires according to your session length.
- Security and CSRF. Protects against cross-site request forgery and other attacks.
- Routing and load-balancing. Routes your requests to the correct server (set by Vercel).
- Cookie-consent state. Records your cookie preferences so we don’t ask repeatedly.
- Stripe Checkout / Elements. Required to process payments securely.
Strictly necessary cookies are exempt from consent requirements under most laws because they are essential to providing the Service you requested.
3.2 Performance and analytics
These cookies help us understand how the Service is used so we can improve it. They are typically set by analytics providers, with IP truncation and other privacy controls enabled where supported.
3.3 Functionality
These cookies remember choices you make (language, time zone, dashboard layout, “remember this device” preferences) so the Service feels personal.
3.4 Marketing
We use a limited set of cookies to measure the effectiveness of our marketing campaigns (for example, attributing a signup back to a Google Ads click). We do not engage in cross-context behavioral advertising for the purpose of selling personal information, and we do not use cookies to build third-party advertising profiles.
4. Specific Cookies We Use
The list below describes the specific cookies and similar technologies in use as of the Effective Date. Cookie names, providers, and durations are subject to change as the underlying services update; we will keep this list reasonably current.
4.1 Strictly necessary
| Cookie / token | Provider | Purpose | Duration |
|---|---|---|---|
sb-<project-ref>-auth-token, sb-<project-ref>-auth-token-code-verifier | Supabase Auth (first-party) | Maintains your authenticated session in the Service | Session / up to 1 year (refreshing) |
sb-<project-ref>-auth-token.0, .1, etc. | Supabase Auth (first-party) | Chunked auth-token storage | Same as above |
__Host-next-auth.csrf-token (or analogous CSRF cookie) | Vicaso (first-party) | Cross-site request forgery protection | Session |
vicaso_consent | Vicaso (first-party) | Stores your cookie-banner preferences | 12 months |
__cf_bm | Cloudflare / Vercel infrastructure | Bot protection on selected endpoints | Up to 30 minutes |
__stripe_mid, __stripe_sid | Stripe (third-party) | Stripe checkout, fraud prevention, and payment session | __stripe_mid ~1 year; __stripe_sid ~30 minutes |
m | Stripe (third-party) | Anti-fraud signal during checkout | ~2 years |
4.2 Performance and analytics
| Cookie / technology | Provider | Purpose | Duration |
|---|---|---|---|
| Vercel Analytics request beacons | Vercel, Inc. | Aggregated, privacy-friendly page-view and Core Web Vitals measurement; no individual user profile | Per-request (no persistent cookie) |
_ga, _ga_<container-id> | Google Analytics 4 | Distinguishes unique browsers and stores session state for aggregated analytics; we enable IP truncation | _ga 2 years; _ga_* 2 years |
_clck, _clsk, MUID | Microsoft Clarity | Heatmaps, scrolling, and session-replay analytics with PII masking enabled | _clck ~1 year; _clsk ~1 day; MUID ~1 year |
4.3 Functionality
| Cookie / technology | Provider | Purpose | Duration |
|---|---|---|---|
vicaso_theme, vicaso_view, vicaso_tz | Vicaso (first-party local storage) | Remembers UI theme, default calendar/inbox views, and detected time zone | Persistent (until cleared) |
vicaso_recent_orders | Vicaso (first-party local storage) | Quick access to recently viewed orders | Persistent |
4.4 Marketing and email engagement
| Cookie / technology | Provider | Purpose | Duration |
|---|---|---|---|
| Brevo click-tracking pixel and link wrapping | Brevo SAS | When you open or click a Vicaso email, Brevo records delivery, opens, and click events; the pixel does not set a persistent cookie in your browser | Per-event |
UTM query parameters (utm_source, utm_medium, etc.) and short-lived first-party vicaso_utm cookie | Vicaso (first-party) | Attribution of signups to marketing campaigns | 30 days |
We do not use third-party advertising cookies (such as Facebook Pixel or Google Ads remarketing pixels) on vicaso.com as of the Effective Date. If we add them, we will update this Policy and, where required, request your consent before activating them.
5. Third-Party Cookies
Some cookies described above are set by third parties when you interact with embedded features (Stripe payments, Google Analytics, Microsoft Clarity, Vercel Analytics, Brevo email pixels). We do not control how those third parties use the data they collect; please review their privacy and cookie policies:
- Stripe — stripe.com/privacy and stripe.com/cookies-policy/legal
- Google (Analytics, Maps, OAuth, Gemini) — policies.google.com/technologies/cookies
- Microsoft Clarity — privacy.microsoft.com/privacystatement
- Vercel — vercel.com/legal/privacy-policy
- Brevo — brevo.com/legal/privacypolicy
6. How to Control Cookies
6.1 Vicaso preferences page
A cookie-preferences control is available on the Vicaso cookie banner that appears on your first visit and at any time from the footer link Cookie preferences (or /legal/cookies#preferences). You can:
- Accept all cookies;
- Reject non-essential cookies (you may still see the banner option to “Reject all”);
- Customize per-category — turn analytics, functionality, or marketing cookies on or off.
Strictly necessary cookies cannot be disabled because the Service will not function without them.
If you reject analytics or marketing cookies, the Service will continue to work; we just won’t see aggregated usage data and we won’t be able to attribute conversions for those activities.
6.2 Browser controls
All major browsers allow you to view, manage, and delete cookies. You can configure your browser to refuse all cookies, accept only first-party cookies, or notify you before a cookie is set. Helpful links:
- Chrome: support.google.com/chrome/answer/95647
- Firefox: support.mozilla.org/kb/cookies-information-websites-store-on-your-computer
- Safari (macOS): support.apple.com/guide/safari/manage-cookies
- Edge: support.microsoft.com/microsoft-edge/delete-cookies-in-microsoft-edge
6.3 Mobile device controls
Both iOS and Android offer device-level controls for advertising identifiers and tracking. We do not currently use mobile advertising IDs.
6.4 Industry opt-out tools
For analytics opt-outs:
- Google Analytics opt-out browser add-on: tools.google.com/dlpage/gaoptout
- Microsoft Clarity opt-out: privacy.microsoft.com/privacystatement
If you want to delete cookies already on your device, do so through your browser settings.
7. Do Not Track Signals
Some browsers transmit a “Do Not Track” (“DNT”) header. There is no consensus industry standard for DNT, and the Service does not currently respond to DNT signals. We will reconsider this position if a consensus standard emerges. You can still control cookie usage as described in Section 6.
8. Global Privacy Control
We make commercially reasonable efforts to honor recognized privacy signals such as the Global Privacy Control (GPC) in jurisdictions where doing so is required (including California). Because Vicaso does not “sell” or “share” personal information for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA, the practical impact of GPC on the Service today is limited; nevertheless, where you transmit a GPC signal, we will treat it as a request to opt out of any future sale or sharing.
9. Changes to This Policy
We may update this Cookie Policy as we add, remove, or change the technologies we use. The “Last Updated” date at the top of this document will reflect the latest revision. For material changes (such as adding marketing-tracking cookies), we will give you reasonable advance notice and, where required, obtain consent before activating new cookies on your account.
10. Contact
For questions about this Cookie Policy or to exercise privacy rights:
Vicaso, LLC
Privacy Office
Seattle, Washington, United States
- Email: privacy@vicaso.com
- General support: support@vicaso.com