Crossdeck
Last updated · 10 May 2026 · v1.0

Cookie policy

This page lists every cookie and similar browser-storage entry that cross-deck.com may write on your device, what each one does, how long it lives, and how to disable it. It is written from the source code — not from a generic template — and is reviewed every time a release changes what we store.

  1. The 30-second summary
  2. What is a cookie?
  3. Cookies we set ourselves
  4. Cookies set by third parties on our pages
  5. Our SDK on customer sites
  6. Legal basis
  7. Manage your preferences
  8. Changes to this policy
  9. Contact

1. The 30-second summary

We set two first-party functional cookies on cross-deck.com (crossdeck:anon_id and crossdeck:cdcust_id) — the same two our SDK installs on our customers' sites. They keep your visitor identity stable across sessions so we can show you accurate analytics on your own dashboard. No advertising data, no third-party ad pixels, no fingerprinting.

We also load Firebase Analytics (Google Analytics 4) on our marketing pages — that's how we count returning visitors and measure which pages help people understand the product. GA4 sets _ga and related cookies. You can opt out using the controls in section 7.

On the dashboard (cross-deck.com/dashboard), Firebase Authentication stores your sign-in state, and on the billing page, Stripe.js sets fraud-prevention cookies. Behind the scenes, Cloudflare may set a bot-management cookie.

Everything is detailed below with cookie names, lifetimes, and the specific reason it exists. If anything is unclear, email privacy@cross-deck.com.

2. What is a cookie?

A cookie is a small text file a website asks your browser to store. The browser sends the cookie back to the same website on the next request, which is how the website "remembers" things — that you're signed in, what time zone you're in, whether you've already dismissed a banner.

This page also covers similar technologies (localStorage and IndexedDB) which work like cookies but are stored differently in your browser. We disclose them here even where the law strictly only requires "cookie" disclosure, because we believe in clarity, not loopholes.

Cookies fall into a few categories:

  • First-party cookies are set by the site you're visiting. Ours.
  • Third-party cookies are set by external services (e.g. Google, Stripe).
  • Functional cookies make the site work — sign-in state, preferences.
  • Analytics cookies help us understand traffic and improve the product.
  • Marketing cookies track ads and personalisation across sites. We do not use any.

3. Cookies we set ourselves

These are our own first-party cookies on the cross-deck.com domain. The Crossdeck Web SDK is also installed on our marketing site (we use our own product to measure it), so the same cookie names appear here as on our customers' sites — see section 5 for the full source-code reference.

| Cookie / Storage entry | Type | Lifetime | Purpose |
| --- | --- | --- | --- |
| crossdeck:anon_id | 1st-party · functional / analytics (Cookie + localStorage) | 2 years (7 days on Safari due to ITP) | Random anonymous visitor ID. Lets us count returning visitors as the same person across sessions on cross-deck.com. Contains no personal data. |
| crossdeck:cdcust_id | 1st-party · functional (Cookie + localStorage) | 2 years (7 days on Safari due to ITP) | Crossdeck customer record ID. Set after you sign in. Opaque internal identifier — not your email, not a billing token. |
| crossdeck.workspaceCache | 1st-party · functional (localStorage) | Until you sign out / clear browser storage | Cached project name + workspace state for instant first-paint of the dashboard. Wiped on sign-out and replaced on every successful workspace fetch. No personal data. |
| crossdeck.env | 1st-party · functional (localStorage) | Until you change it / clear browser storage | Stores whether you're viewing your sandbox or production environment in the dashboard. Just "sandbox" or "production". |
| crossdeck.onboarding.lastWorkspace | 1st-party · functional (localStorage) | Until you sign out | Caches your in-progress onboarding state so the page renders instantly when you return. Wiped on sign-out. |

Cookie attributes. All Crossdeck-set cookies use Path=/, SameSite=Lax, Secure when served over HTTPS, and Max-Age=63072000 (2 years). Cookies are NOT marked HttpOnly because the SDK reads them on the client to honour the redundancy contract (the same security model used by Stripe.js, Segment, and PostHog).

4. Cookies set by third parties on our pages

We use a small number of third-party services to make cross-deck.com work — sign-in, payments, security, analytics. Each one sets cookies under its own domain (or under ours where required for their flows). They are listed exhaustively below.

Firebase Authentication

Firebase Auth (Google) handles sign-in and session state on the dashboard. It primarily uses IndexedDB rather than cookies; the entries are functional / strictly necessary for keeping you signed in.

| Storage entry | Type | Lifetime | Purpose |
| --- | --- | --- | --- |
| firebaseLocalStorageDb | 1st-party · strictly necessary (IndexedDB, Firebase Auth SDK) | Until you sign out | Stores your auth tokens (ID token + refresh token) so you stay signed in across page loads. Same posture as Google's other Firebase Auth deployments. |
| firebase:authUser:<projectId>:[DEFAULT] | 1st-party · strictly necessary (localStorage) | Until you sign out | Cached representation of the signed-in user record. Wiped on sign-out. |

Firebase Analytics (Google Analytics 4)

We load Firebase Analytics on the marketing site to measure traffic. Google describes these cookies in detail at business.safety.google/cookies.

| Cookie | Type | Lifetime | Purpose |
| --- | --- | --- | --- |
| _ga | 1st-party · analytics (set by Google) | 2 years | Distinguishes unique visitors with a randomly generated client ID. Same cookie across our property. |
| _ga_PHT98L8WBY | 1st-party · analytics (set by Google) | 2 years | GA4 session and campaign attribution for our specific GA property. |
| _gat_gtag_… | 1st-party · analytics (set by Google) | 1 minute | Throttles requests so a chatty page doesn't overwhelm GA's collection endpoint. Effectively zero data signal. |

Stripe.js (loaded on /dashboard/billing only)

Stripe.js is loaded only on the billing page when you're managing your Crossdeck subscription. Stripe sets fraud-prevention cookies under their own domain. Stripe's cookie disclosure lives at stripe.com/cookie-settings.

| Cookie | Type | Lifetime | Purpose |
| --- | --- | --- | --- |
| __stripe_mid | 1st-party (Stripe) · strictly necessary | 1 year | Fraud prevention — long-lived merchant ID Stripe uses to detect device-level patterns. |
| __stripe_sid | 1st-party (Stripe) · strictly necessary | 30 minutes | Fraud prevention — short-lived session ID for the active billing flow. |
| m | 3rd-party (Stripe) · strictly necessary | 2 years | Cross-merchant device-recognition signal Stripe uses across all sites running Stripe.js. |

Cloudflare

We route api.cross-deck.com through Cloudflare for DDoS protection and performance. Cloudflare may set a bot-management cookie. Cloudflare's full disclosure: developers.cloudflare.com/fundamentals/reference/policies-compliances/cloudflare-cookies.

| Cookie | Type | Lifetime | Purpose |
| --- | --- | --- | --- |
| __cf_bm | 3rd-party (Cloudflare) · strictly necessary | 30 minutes | Bot management — Cloudflare uses it to distinguish humans from automated traffic, blocking abuse before it reaches our infrastructure. No advertising use. |

Inter font (rsms.me) and Google Fonts (fonts.googleapis.com)

We load typography from rsms.me/inter and Google Fonts. Neither sets cookies. Both, however, can see your IP address when your browser fetches the font file. Google's font terms: developers.google.com/fonts/faq/privacy.

5. Our SDK on customer sites

When you visit a website that has the Crossdeck Web SDK installed (@cross-deck/web), the SDK writes the same two cookies covered in section 3 on that site's domain — not on ours. Crossdeck never receives those cookies; they exist purely to keep the visitor's identity continuous on the site running the SDK.

That site's privacy / cookie policy is responsible for disclosing this to you. If you're a developer building this disclosure, we publish a copy-paste template at cross-deck.com/docs/cookie-policy-template.

For full source-code transparency, the relevant SDK files are public:

  • identity.ts — what gets written, when, and the redundancy contract.
  • storage.ts — the cookie attributes (Path, SameSite, Max-Age, Secure).
  • device-info.ts — every device field collected on each event.

6. Legal basis

Under the EU GDPR and the UK Data Protection Act 2018, we rely on two lawful bases depending on the cookie:

  • Strictly-necessary cookies (Firebase Auth on the dashboard, Stripe.js on billing, Cloudflare bot management) — necessary to deliver the service you've signed up for. No consent required under ePrivacy / GDPR Article 6(1)(b) (contractual necessity).
  • Functional / analytics cookies (Crossdeck SDK + Firebase Analytics on marketing pages) — placed on the basis of your consent (GDPR Article 6(1)(a) + ePrivacy Directive Article 5(3)). For visitors outside the EU/UK, we rely on legitimate interests (GDPR Article 6(1)(f)) — operating an analytics surface for our own product is necessary for us to run the business and has minimal privacy impact (no personal data, no profiling, no ad use).

Under the California Consumer Privacy Act (CCPA/CPRA), no Crossdeck-set cookie meets the definition of a "sale" or "share" of personal information. We are happy to honour "Do Not Sell or Share" preferences, the Global Privacy Control signal, and access / deletion requests — please write to privacy@cross-deck.com.

Under POPIA (South Africa) and similar regimes, the same posture applies: minimum necessary data, clear purpose, and the ability for any data subject to exercise their access / correction / deletion rights.

7. Manage your preferences

You can disable or delete cookies in any modern browser. Each major browser publishes instructions:

  • Chrome
  • Safari (macOS) · Safari (iOS)
  • Firefox
  • Edge

Opt out of Firebase Analytics specifically

Install Google's Google Analytics Opt-out Browser Add-on, which prevents the GA cookies from being set on any site you visit. If you'd prefer a purely first-party opt-out, clearing the _ga* cookies in your browser settings has the same effect for cross-deck.com specifically.

Manage your preferences for cross-deck.com


Re-opens the consent panel where you can toggle individual categories. Your choice takes effect immediately — no reload required. We re-prompt automatically when this policy changes materially (a version bump invalidates the saved record).

Opt out of Crossdeck's SDK persistence specifically

On a site that runs the Crossdeck SDK, you can clear the crossdeck:anon_id and crossdeck:cdcust_id cookies in your browser settings. The site will re-create a fresh anonymous ID on your next visit. To prevent any persistence at all, developers can install the SDK with persistIdentity: false behind a consent banner — documentation here.

Global Privacy Control

cross-deck.com honours the Global Privacy Control signal where it applies under CCPA/CPRA. If your browser sends GPC, we treat it as a "Do Not Sell or Share" instruction — though we don't sell or share data anyway, so functionally nothing changes.

8. Changes to this policy

When we change what cookies we set, this page changes — same week as the underlying release. Each release that affects the cookie surface is noted in the SDK changelog and (if it's a marketing-site change) in our deployment log. The "Last updated" date at the top of this page is the most recent revision.

For material changes (new third-party services, new categories of data), we will email registered customers at least 14 days before the change takes effect.

9. Contact

For privacy questions, data subject access requests, or anything that doesn't fit the shape of this page, email privacy@cross-deck.com. We aim to acknowledge within 5 business days and resolve within 30 days under GDPR Article 12(3).

Data controller for cross-deck.com: VistaApps (Pty) Ltd, South Africa. Trading as "Crossdeck."

Data processor when our SDK is installed on your site: VistaApps (Pty) Ltd, processing on behalf of you, the site operator, under the terms of our Data Processing Addendum.
