Cookie policy

What cookies Shipset uses and how to control them.

Last updated · 13 May 2026

This is a draft document

Shipset is in pre-launch. These terms describe our intent but have not yet been reviewed by counsel. They are not a substitute for professional legal advice, and final wording may change before public launch.

1. What cookies are

Cookies are small text files stored on your device by your browser when you visit a website. They allow sites to remember your preferences across sessions and to keep you signed in.

2. Cookies we use

Strictly necessary (no consent required)

These cookies are essential for the service to function. Without them, sign-in, account recovery, and form submission would not work. We rely on these under § 25 (2) Nr. 2 TTDSG.

__Host-authjs.csrf-token — CSRF protection for sign-in. Session cookie, cleared when you close the browser.
__Secure-authjs.session-token — your authenticated session. Expires after 30 days of inactivity.
__Secure-authjs.callback-url — remembers where to send you after a successful sign-in.

Optional (consent required)

We currently do not load any analytics, advertising, or tracking cookies. If we add privacy-respecting analytics in the future (e.g. Plausible, self-hosted), you will see a consent banner first and your refusal will be persisted.

3. Third-party services that may set cookies

Cloudflare — sets the __cf_bm bot-management cookie on some assets. Strictly necessary for fraud and abuse prevention.
Cloudflare Turnstile — when the bot-check widget loads on sign-up / login / forgot-password, Turnstile may set short-lived cookies on its own domain. These never carry across sites.
Stripe — on the checkout pages, Stripe sets cookies for fraud detection. See Stripe's cookie settings.

4. Managing your cookies

You can clear cookies for shipset.dev at any time via your browser's privacy settings. Doing so will sign you out and clear preferences. Once the consent banner is live, you will be able to revisit your choices from the footer.

5. Contact

Questions about cookies: julio@shipset.dev. See also our Privacy policy.

2. Cookies we use

Strictly necessary (no consent required)

These cookies are essential for the service to function. Without them, sign-in, account recovery, and form submission would not work. We rely on these under § 25 (2) Nr. 2 TTDSG.

__Host-authjs.csrf-token — CSRF protection for sign-in. Session cookie, cleared when you close the browser.

__Secure-authjs.session-token — your authenticated session. Expires after 30 days of inactivity.

__Secure-authjs.callback-url — remembers where to send you after a successful sign-in.

Optional (consent required)

3. Third-party services that may set cookies

Cloudflare — sets the __cf_bm bot-management cookie on some assets. Strictly necessary for fraud and abuse prevention.

Cloudflare Turnstile — when the bot-check widget loads on sign-up / login / forgot-password, Turnstile may set short-lived cookies on its own domain. These never carry across sites.

Stripe — on the checkout pages, Stripe sets cookies for fraud detection. See Stripe's cookie settings.