1. Your choices
On your first visit we show a consent banner with three categories. You can accept all, reject all (which keeps only Essential cookies running), or customize per category. You can change your decision anytime via the Manage cookies link in the site footer. Each decision is recorded server-side in our append-only consent log so we can demonstrate compliance and respond to data-subject requests.
2. Cookie categories
Essential (always on)
Required for the site to function. These cannot be rejected because the product does not work without them.
- Clerk session cookies (__session, __client, et al.). Authenticated session. Set by Clerk on our domain.
- Theme preference (localStorage). Remembers light/dark choice.
- Consent record (localStorage rekomi-cookie-consent-v2 + an anonymous session id rekomi-anon-session). Stores your choice so we do not re-prompt.
- Stripe Checkout cookies (set on stripe.com during a checkout session). Required for billing flows; only set when you initiate a checkout.
- Affiliate attribution (_rkmi, legacy _rekomi_aff). Records which affiliate referred a visit so a resulting sale, lead, or click is credited. Set first-party on a brand's tracking domain and on api.rekomi.com. The value is only the public affiliate slug, no personal data. (When cost-per-click and cost-per-lead links roll out, the same cookie will also be set on our neutral rekomi.link domain.)
Analytics (opt-in)
Helps us see which product features are useful. Disabled until you accept this category.
- PostHog (ph_*, ph_phc_*_posthog). Anonymous product analytics. We do not enable session replay.
- Google Analytics 4 (_ga, _ga_*). Aggregate traffic + marketing attribution across rekomi.com and app.rekomi.com. IP addresses are anonymized by GA before storage.
Marketing (opt-in)
Powers our support chat and identification. Disabled until you accept this category.
- Intercom Messenger (intercom-id-*, intercom-session-*, intercom-device-id-*). Lets us answer your chat without you re-introducing yourself on every page. Set by Intercom; we never see the third-party cookie values directly.
3. Always-on with no consent requirement
Sentry error monitoring runs on every page to catch crashes and broken flows. Sentry does not plant identification cookies; it attaches an in-memory request id to error reports. We treat this as a legitimate-interest processing activity under GDPR Article 6(1)(f), consistent with how application monitoring is commonly handled.
4. On customer affiliate-tracking domains
When a Rekomi customer uses our tracking script on their site, we set a first-party affiliate-attribution cookie (e.g. _rekomi_aff). This cookie identifies the affiliate that referred the visitor and persists for the program's configured cookie window (60 days by default, configurable per program).
Cookie handling on customer domains is governed by the customer's own privacy and cookie policies, not this one.
5. Do Not Track
We honor the Do Not Track signal where reasonable. PostHog is configured to respect DNT when initialized.
6. Audit + data subject access
Each consent decision is recorded with an anonymous session id, a hash of your IP address, your browser user agent, and the policy version you consented to. Records are retained as part of the append-only audit log. On a Data Subject Access Request we can produce the full consent timeline for any session.
7. Changes
Material changes (adding a third-party cookie, changing a category mapping) trigger a re-prompt and are reflected in the policy version and the “Last updated” date above.