Cookie Policy

Last updated: March 2026

1. What Are Cookies

Cookies are small text files that are placed on your device when you visit a website. They are widely used to make websites work efficiently and to provide information to the site owners.

2. How We Use Cookies

ScopeShift uses only cookies that are strictly necessary for the Service to function correctly. Because we only use strictly necessary cookies, explicit cookie consent is not required under UK GDPR and the Privacy and Electronic Communications Regulations (PECR).

3. Cookies We Use

Strictly Necessary Cookies (Application)

These cookies are essential for the ScopeShift application to work. They enable core functionality such as authentication and security. You cannot opt out of these cookies as the Service would not function without them.

Cookie | Purpose | Duration
auth_token | Authentication — contains your encrypted session token (JWT). Keeps you signed in and verifies your identity on each request. HttpOnly, Secure, SameSite=Lax. | 1 hour
XSRF-TOKEN | CSRF protection — prevents cross-site request forgery attacks. Readable by JavaScript by design so it can be included in request headers. Secure, SameSite=Lax. | Session

Strictly Necessary Cookies (Client Portal)

Cookie | Purpose | Duration
client_auth_token | Client portal authentication — used when external clients access the client approval portal. HttpOnly, Secure, SameSite=Lax. | 1 hour

Analytics (Vercel Analytics)

Our marketing website uses Vercel Analytics to understand how visitors use our site. Vercel Analytics is a privacy-focused, cookie-less analytics service — it does not set any cookies on your device and does not track individual users across sessions. Data collected includes page views, referrer, country, device type, and browser. IP addresses are not stored.

We present a cookie consent banner on your first visit. If you choose "Essential Only," we respect that preference. We do not use Google Analytics, Facebook Pixel, Hotjar, or any advertising/marketing tracking services.

4. Third-Party Cookies

Our payment processor (Stripe) may set cookies on Stripe's own domain when you interact with payment forms. These are strictly necessary for secure payment processing and are subject to Stripe's own cookie policy.

Cloudflare (our CDN and DDoS protection provider) may set strictly necessary cookies on ScopeShift domains for bot management and DDoS challenge clearance. These cannot be disabled as they are required for security and availability.

5. Local Storage

The application uses browser localStorage (not cookies) for non-sensitive display data such as cached user profile information and selected company ID. localStorage is never transmitted to the server automatically and is only read by JavaScript running on the ScopeShift domain.

6. Mobile Application

The ScopeShift mobile app (Android) does not use browser cookies. Authentication tokens are stored securely using Expo SecureStore (encrypted device storage) and SQLite (encrypted local database for offline data caching).

7. Managing Cookies

Most web browsers allow you to control cookies through their settings. You can typically find these settings in the "Options" or "Preferences" menu of your browser. Please note that blocking or deleting the auth_token or XSRF-TOKEN cookies will prevent you from using the ScopeShift application.

For more information about managing cookies in popular browsers:

  • Google Chrome: Settings > Privacy and Security > Cookies
  • Mozilla Firefox: Settings > Privacy & Security > Cookies
  • Safari: Preferences > Privacy
  • Microsoft Edge: Settings > Cookies and Site Permissions

8. Changes to This Policy

We may update this Cookie Policy from time to time. Changes will be posted on this page with an updated "Last updated" date.

9. Contact Us

If you have any questions about our use of cookies, please contact us at support@scopeshift.co.uk.

For security or privacy enquiries: security@scopeshift.co.uk.