Cookie Policy

Last updated: 2026-05-14

Cookies are small files your browser stores so a website can remember things between page loads. OneClick uses cookies only where it actually helps. We do not run third-party advertising cookies and we do not sell tracking data.

1. Strictly necessary cookies

These cookies are required for the site to work and are loaded without your consent.

  • next-auth.session-token / __Secure-next-auth.session-token — keeps you signed in once you log in. First-party. Expires when the session ends or after 30 days, whichever comes first.
  • next-auth.csrf-token — prevents cross-site request forgery on login forms. First-party. Session.
  • __cf_bm, cf_clearance — Cloudflare bot management. Set by Cloudflare to distinguish humans from bots. Required to reach the site.
  • cookiesAccepted / cookiesDeclined — stored in your browser's localStorage so we do not ask again. First-party. Persists until you clear browser storage.

2. Functional cookies

Set when you use specific features. Off by default; enabled when you opt in or use the feature.

  • oneclick:onboarding:* — sessionStorage entries that hold your draft, chosen template, and uploaded photos during the funnel so you can refresh without losing work. First-party. Cleared when you close the tab.
  • preferredLanguage — remembers your chosen UI language. First-party. 1 year.

3. Analytics cookies

Loaded only after you accept cookies in the banner. Used to count visits and understand which pages help people, in aggregate.

  • Umami — first-party, no cross-site tracking. Stores a salted daily hash of (visitor + site + user-agent), not a persistent identifier. Hash rotates every 24 hours.
  • Vercel Web Analytics — first-party page-view counter. No personal identifier, no cross-site tracking.

4. Error monitoring

  • Sentry session-replay — sampled at less than 1% of sessions to debug rare failures. Form fields, passwords, and payment inputs are masked before transmission. You can disable replay entirely by declining cookies.

5. What we do NOT use

  • No Google Analytics, no Google Tag Manager.
  • No Facebook Pixel, no LinkedIn Insight Tag, no TikTok Pixel.
  • No cross-site advertising cookies.
  • No fingerprinting libraries.

6. Controlling cookies

  • The banner at the bottom of the page lets you accept or decline non-essential cookies on first visit.
  • Clear browser storage to be asked again, or to revoke a previous choice.
  • Most browsers also let you block or delete cookies in their privacy settings. Blocking strictly necessary cookies will break sign-in.

7. Questions

Email [email protected]. See also Privacy Policy.