Cookie policy
Last updated: April 2026. Policy version: 1
Cookies are small files a website stores in your browser so it can remember things between page loads. Whaily uses as few as possible. This page lists every single one, what it does, and how long it sticks around. If something here is unclear, write to us at hello@whaily.com and we will fix the wording.
Your choice
Use the buttons below to record or change your consent. Strictly necessary cookies stay on either way — they are required for Whaily to function.
Strictly necessary
These cookies are required for Whaily to function. Signing in, staying signed in, protecting against cross-site attacks, and keeping automated bots out of our sign-up flow all depend on them. There is no consent toggle for this category because the site would not work without it, and these cookies are exempt from consent under ePrivacy Article 5(3).
| Cookie | Set by | Purpose | Duration |
|---|---|---|---|
| authjs.session-token (or __Secure-authjs.session-token in production) | Whaily (Auth.js) | Keeps you signed in. Signed JWT containing your user id and active brand. | 30 days |
| authjs.csrf-token | Whaily (Auth.js) | Prevents cross-site request forgery on Auth.js endpoints. | Session |
| authjs.callback-url | Whaily (Auth.js) | Where to send you after a successful sign-in. | Session |
| whaily_current_org_slug | Whaily | Remembers which brand you were viewing when you have multiple brands in one account. | 1 year |
| whaily_impersonate | Whaily | System-admin only. Signed with HMAC. Pins your session to a brand you are viewing as admin. | Session |
| cf_chl_rc_m, __cf_bm, cf_clearance | Cloudflare (Turnstile) | Bot protection on sign-up, login, and invitation flows. Blocks automated account creation. | Session to 30 minutes |
| whaily_cookie_consent | Whaily | Remembers your consent choices for this site so the banner does not reappear. | 395 days |
Optional, with your consent
These are off by default. If you click Accept on the banner, we turn them on. If you click Reject, they stay off. You can change your mind at any time via the link in the footer.
| Cookie or storage | Set by | Category | Purpose | Status |
|---|---|---|---|---|
| Bugsnag error and performance identifiers (localStorage) | Bugsnag (Insight Hub) | Analytics | Captures JavaScript errors and performance traces so we can diagnose bugs. Identifiers are per-browser, not tied to your Whaily user id. Technically localStorage rather than a cookie, but treated the same way under ePrivacy. | Off by default |
| Paddle checkout cookies (future) | Paddle | Marketing | When we enable paid plans, Paddle will set checkout and customer-portal cookies during the payment flow. | Not live yet |
How we honour your choice
When you click Reject, Bugsnag is never initialised on your browser. No error or performance data is sent. When you click Accept, Bugsnag starts immediately and begins capturing crashes and slow renders so we can fix them. If you later revoke consent by clicking Reject on the banner, new errors are no longer sent, but the Bugsnag SDK stays loaded for the current session. A page refresh fully removes it.
Third parties we name
- Cloudflare (bot protection via Turnstile). Strictly necessary.
- Bugsnag (error and performance monitoring). Optional, off by default.
- Vercel (our hosting provider). Sets no cookies of its own on your browser; infrastructure only.
- Resend (transactional email). No browser cookies. Listed here for completeness.
- Paddle (future payment processor). Will set checkout cookies only when paid billing ships and only with Marketing consent.
Changing your mind
Use the link in the footer of any page to reopen the banner and switch your choice. You can also clear cookies in your browser to reset everything; the banner will reappear on your next visit.
Related
See our Privacy Policy for a broader description of how we handle personal data, and Terms of Use for the overall legal framing of the service. For any questions, write to us at hello@whaily.com.
