Cookie Policy

A cookie is a small file your browser stores on your device when you visit a website. It lets the site recognise you on later visits or across pages of the same session. We also use localStorage and sessionStoragein places — these aren’t technically cookies but they work the same way for the purpose of this policy and are covered here too.

We group what we store into three plain categories. There is no fourth “advertising” bucket because we don’t use one.

These keep you signed in and protect your session. Without them the product simply won’t work, so they can’t be turned off from inside ShipWorks (you can still block them in your browser, but you won’t be able to log in).

• Access token cookie — short-lived signed token that authenticates each request to the ShipWorks backend. HttpOnly, Secure, SameSite-Lax.
• Refresh token cookie — longer-lived signed token used to silently renew the access token without forcing you to log in again. HttpOnly, Secure, SameSite-Lax. Rotated on every refresh.
• CSRF / anti-forgery markers — set as needed by the auth flow to prevent cross-site request forgery on sensitive endpoints.

These remember small choices you’ve made so the interface stays the way you set it.

• Theme preference — light / dark / system, remembered locally so the next page load matches your last choice. Stored in localStorage.
• Sidebar and layout state — collapsed/expanded state, table column widths, and similar UI preferences. Stored in localStorage.

We use Google Analytics 4 (GA4) to understand which features get used and where users get stuck. This is product analytics — not advertising. GA4 sets first-party cookies (_ga and _ga_*) so repeat visits from the same browser can be counted as one journey.

• We keep GA4 in its product-analytics configuration — Google’s advertising features (Google Signals, ads personalisation, and Google Ads linking) are turned off, so this data is not used to build advertising audiences.
• We do not run third-party ad pixels (no Facebook Pixel, no Google Ads conversion tag, etc.).
• Event payloads are limited to product interactions (which button was clicked, which funnel step completed). We do not capture keystrokes, form contents, or session video.

If you’d rather not be counted, the simplest path is to block the Google Analytics domains (googletagmanager.com / google-analytics.com) in your browser or use a tracking-blocker extension — the rest of ShipWorks continues to work normally.

• No advertising cookies.We don’t serve ads and don’t buy retargeting.
• No cross-site tracking pixels.
• No session-replay tools like Hotjar, FullStory, or LogRocket.
• No data brokers.We don’t sell or rent cookie-derived data to anyone.

Two third parties can set cookies on pages where their functionality appears:

• Razorpay — only on the checkout step. Razorpay uses cookies to secure the payment session and prevent fraud. Their cookies are governed by their own privacy notice.
• Google — only if you sign in with Google. The sign-in popup is operated by Google and sets cookies on their domain; we never see them.

• Session cookies — deleted when you close the browser.
• Access token — minutes (short-lived).
• Refresh token — days to weeks; rotated on each renewal and revoked on logout.
• Theme & UI preferences — persistent until you clear browser storage.
• Google Analytics identifier (_ga) — up to 24 months.

• Logout from your dashboard to revoke and clear the auth cookies for that session.
• Clear site data from your browser to remove everything ShipWorks has stored on your device (including theme and layout preferences).
• Block third-party cookiesin your browser settings — this affects Razorpay’s payment flow on some browsers, but auth and core product features will keep working.

When we add or remove storage of any kind, we update this page and the “Last updated” date above. Material changes are announced in-product.

Questions about cookies — write to [email protected]. See also our Privacy Policy and Terms of Service.