Cookies policy
What we set, why, and how to turn it off.
LAST UPDATED · MAY 18 · 2026 · EFFECTIVE IMMEDIATELYWhat this policy covers
This policy explains the cookies and similar storage technologies (localStorage, sessionStorage) that VidFlow ("we," "us") sets when you visit our site or use the studio. It runs alongside the Privacy policy — that document covers what data we collect; this one covers the mechanics.
By continuing to use the Service you consent to the cookies described below. You can disable non-essential cookies in your browser at any time; some features will not work without them.
Strictly necessary
These keep the Service working — turning them off breaks sign-in, billing, and CSRF protection. We do not require consent for these under GDPR or ePrivacy because they are essential to deliver the Service you asked for.
authjs.session-token (or __Secure-authjs.session-token over HTTPS): your encrypted login session. Set on sign-in, cleared on sign-out. Lifetime: 30 days.
authjs.csrf-token: prevents cross-site request forgery on the auth endpoints. Session-scoped.
authjs.callback-url: remembers where to send you after sign-in. Session-scoped.
Functional
These remember your preferences. They are not required to use the Service, but disabling them resets your in-app state on every visit.
vf-theme: remembers your light/dark preference. Lifetime: 1 year.
localStorage entries (vf-*): UI state we keep on your device — recently used styles, last open project, sidebar collapse state. Never transmitted to our servers.
Third-party services
When you use the Service, certain vendors may set their own cookies. We share only what is necessary to operate the feature; see the Privacy policy for the full data-flow per vendor.
Stripe (payments): sets its own cookies during checkout for fraud prevention. Only loaded when you reach the checkout page. Stripe's cookie policy: stripe.com/cookies-policy/legal.
Sentry (error monitoring): does not set tracking cookies in our integration, but does attach an in-memory session ID to error reports.
Resend (email delivery): no browser cookies — server-side only.
AWS / Cloudflare R2 (hosting): may set load-balancer cookies under our domain to keep your requests on a consistent edge.
MiniMax / ElevenLabs (voice synthesis): only invoked server-side during a generation job; no browser cookies set by these vendors on our pages.
Analytics
We run privacy-respecting product analytics on aggregate, anonymized usage (page views, feature engagement, error rates). The analytics cookie is first-party, IP-truncated, and does not cross-link to ad networks. Lifetime: 1 year.
We do not run advertising trackers. We do not embed Meta Pixel, Google Ads, or TikTok Pixel. We do not sell, rent, or share analytics data with third parties.
How to control cookies
Browser settings: every major browser lets you block or delete cookies per-site (Chrome → Settings → Privacy and security → Cookies; Firefox → Settings → Privacy & Security → Cookies and Site Data; Safari → Settings → Privacy → Manage Website Data).
Opting out of analytics: send "Do Not Track" or a Global Privacy Control (GPC) signal from your browser — we honor both. Or email [email protected] and we'll exclude your account.
Effect of disabling: blocking strictly-necessary cookies will sign you out and break checkout. Blocking functional cookies will reset your UI preferences on each visit. Blocking analytics has no visible effect.
Changes to this policy
We update this policy when we add or remove cookies / vendors. Material changes will be flagged via email and an in-app notice 14 days before they take effect. The "last updated" date below tells you when this version went live.
Contact
Questions about cookies, or want a manual opt-out? Email [email protected] — we respond within 24 hours.