Cookie notice.
ifySEO sets the minimum number of cookies it needs to operate. There is no analytics SDK, no marketing pixel, and no third-party tracker on the marketing pages today. This page is the full inventory.
Summary
We set three first-party cookies, all strictly necessary: one for your Supabase Auth session, one for the post-Stripe-checkout signup gate, and one (short-lived) to carry a typed URL across sign-up so the scan auto-fires on first login.
We do not run Google Analytics, PostHog, Mixpanel, Segment, Plausible, Fathom, Hotjar, Meta Pixel, Google Tag Manager, or any other analytics or marketing pixel on the marketing or product pages. If we ever add one, this page changes first and a consent banner ships alongside.
The cookies we set
| Name | Purpose | Type | Lifetime | Set by |
|---|---|---|---|---|
| sb-<project-ref>-auth-token (+ refresh + code-verifier) | Carries your Supabase Auth session so you stay signed in across requests. Set by the Supabase SSR cookie helpers; the exact names vary by project ref. | Strictly necessary | Session + refresh window (Supabase default) | Supabase Auth |
| ifyseo-welcome | HMAC-signed gate cookie set after Stripe Checkout. Binds the browser that paid to the browser that lands on /welcome to complete signup. Without it, a leaked Checkout Session id alone cannot claim an account. | Strictly necessary | 1 hour | ifySEO |
| ifyseo-pending-scan | Carries a URL an anonymous visitor typed into the landing-page scan panel across the sign-up step, so the audit auto-fires after you create your account. | Strictly necessary | 15 minutes | ifySEO |
All three are httpOnly (not readable by client JavaScript), set with SameSite=Lax, and marked Secure in production. They are scoped to the ifySEO domain and never sent to third parties.
Third-party cookies you'll see
A few pages route you to a third-party service that sets its own cookies — under that third party's policy, not ours:
- Stripe Checkout sets cookies on
checkout.stripe.comwhile you are paying. They are used for fraud prevention and to keep your checkout state. See Stripe's cookie policy. - Stripe Customer Portal (reached from
/account) similarly runs on a Stripe-hosted page and sets Stripe's own cookies there. - GitHub sets its own cookies if you sign in with GitHub or install the ifySEO GitHub App. See GitHub's privacy statement.
These cookies are set on third-party domains while you're on those domains. They are not set by us and we do not have access to them.
What we don't run
For clarity, on every ifySEO page (marketing, app, dashboard, report) the following things are not present:
- No analytics tag (Google Analytics, Plausible, Fathom, PostHog, Mixpanel, …);
- No tag manager (Google Tag Manager, Segment);
- No advertising or retargeting pixel (Meta Pixel, LinkedIn Insight, TikTok, …);
- No session replay (Hotjar, FullStory, LogRocket, …);
- No A/B testing platform (Optimizely, VWO, …);
- No customer-messaging widget that sets cookies (Intercom, Drift, …).
That is why there is no cookie consent banner today: under the GDPR / Dutch implementation, only strictly-necessary cookies are exempt from consent — and the three cookies above are all strictly necessary.
Controlling cookies in your browser
If this changes
If we add a non-essential cookie — for instance, an analytics tag — this page is updated first, the "Last updated" date moves, and a cookie consent banner ships alongside the new cookie. We do not add silent tracking.
Contact
Questions about cookies — email lab@ifyseo.com.