Cookie Policy
Effective: 2026-04-24
This Cookie Policy explains how Unshift LLC ("Unshift", "we", "us", "our") uses cookies and similar technologies on the marketing website at https://unshift.ai and the Unshift Studio at https://studio.unshift.ai (together, the "Services"). It supplements our Privacy Policy.
This policy applies to the Services. It does not apply to websites you build and publish using Unshift; those sites' cookie behavior is under your control and is your responsibility as operator.
1. What cookies and similar technologies are
A cookie is a small text file placed on your device when you visit a website. Cookies let a site remember information between requests. We also use similar technologies such as:
- Local storage and session storage: browser-side key-value stores that persist small amounts of data.
- Pixels and web beacons: tiny requests embedded in pages or emails that fire on load, used for measurement.
- SDKs in our own code: first-party scripts that collect events and send them to analytics providers.
For simplicity, this policy refers to all of them as "cookies".
2. Categories of cookies we use
We categorize cookies consistent with the ePrivacy Directive and UK PECR. We set only strictly necessary cookies by default. Analytics and session replay cookies are set only after you opt in to each category separately in the cookie banner. We do not currently use marketing or advertising cookies.
2.1 Strictly necessary (always on)
These cookies are required for the Services to function. They do not track you across sites and do not require consent.
| Cookie | Purpose | Type | Duration |
|---|---|---|---|
sb-access-token | Supabase session token; keeps you signed in | First-party | Session |
sb-refresh-token | Supabase refresh token | First-party | 7 days |
unshift.csrf | CSRF protection on state-changing API routes | First-party | Session |
__cf_bm | Cloudflare bot-management; blocks automated abuse | Third-party (Cloudflare) | 30 minutes |
cf_clearance | Cloudflare challenge-response clearance | Third-party (Cloudflare) | 30 minutes to 1 year |
unshift.cookie-consent | Stores your choice on the cookie banner | First-party | 12 months |
unshift.theme | Dark/light mode preference | First-party | 12 months |
2.2 Analytics (consent required)
Set only if you accept analytics cookies in the banner. You can change your choice at any time via "Cookie settings" in the footer.
| Cookie | Provider | Purpose | Type | Duration |
|---|---|---|---|---|
_ga | GA4 user identifier (marketing site only) | Third-party | 2 years | |
_ga_<property> | GA4 session and property identifier (marketing site only) | Third-party | 2 years | |
ph_* | PostHog | Product-analytics events and feature flags (Studio) | First-party (proxied via studio.unshift.ai/ingest) | 1 year |
PostHog is loaded in the Studio only if you accept the "Product analytics" category. PostHog requests are proxied through studio.unshift.ai/ingest, so the cookies are first-party and the data is delivered to PostHog's EU Cloud region (Frankfurt, Germany).
2.3 Session replay (separate consent required)
Session replay records an anonymized video-like reconstruction of your Studio session so we can diagnose UI bugs and confusing flows. Because replay captures materially more than analytics events, we treat it as a separate consent category and it is off unless you explicitly enable it via the Session replay toggle in the cookie banner.
Form inputs, on-screen text, and any element marked sensitive in our code are masked at the moment of recording. Network request and response bodies are never captured.
| Cookie | Provider | Purpose | Type | Duration |
|---|---|---|---|---|
ph_session_* | PostHog | Session replay continuity | First-party (proxied via studio.unshift.ai/ingest) | 1 year |
2.4 Marketing and advertising
We do not currently run marketing or advertising cookies, remarketing pixels, or cross-site tracking. We will not enable them without updating this policy and the cookie banner to request consent.
2.5 Functional (case-by-case, consent where required)
We may occasionally embed content from third parties (for example, a YouTube video in a blog post, a Stripe Checkout session during billing). These embeds set their own cookies governed by the provider's cookie notice. We ask for consent before loading embeds that set non-necessary cookies in EEA/UK sessions.
3. How to manage cookies
3.1 Our banner
On your first visit from an EEA, UK, or Swiss IP, we display a cookie banner offering Accept all, Reject non-necessary, and Customize. Customize lets you toggle Product analytics and Session replay independently. Your choice is stored for 12 months. You can revisit the banner any time by clicking Cookie settings in the footer.
For users in other jurisdictions, analytics and session replay default to off and can be enabled via the banner. This is stricter than what some jurisdictions require, but it keeps our behavior consistent.
3.2 Browser controls
Most browsers let you block or delete cookies. Blocking strictly necessary cookies will break the Services. Helpful resources:
- Chrome: https://support.google.com/chrome/answer/95647
- Firefox: https://support.mozilla.org/kb/cookies-information-websites-store-on-your-computer
- Safari: https://support.apple.com/guide/safari/manage-cookies-sfri11471
- Edge: https://support.microsoft.com/microsoft-edge
3.3 Global Privacy Control and Do Not Track
We honor the Global Privacy Control (GPC) signal where technically feasible; we treat it as an opt-out of analytics and, if we ever enable them, marketing cookies. We do not recognize the older "Do Not Track" header because it has no consistent meaning across browsers.
3.4 Opting out at the vendor level
- Google Analytics opt-out browser add-on: https://tools.google.com/dlpage/gaoptout
- PostHog opt-out: via Unshift's cookie banner; PostHog also respects the global opt-out cookie it sets
4. Log files and server-side analytics
Our servers and Cloudflare collect access logs (IP address, user agent, URL, response code, timestamp) independent of cookies. These logs are used for security, fraud prevention, abuse response, and basic aggregate analytics. We retain logs for up to 12 months. Server-side logs do not require cookie consent because they are necessary for the operation and security of the Services and do not involve storage on your device.
5. Do we combine cookie data with other data?
For logged-in users who have accepted analytics cookies, we may associate analytics events with your user ID to understand product usage. We do not cross-reference analytics data with public ad networks or data brokers.
For logged-out visitors, analytics data is associated with a pseudonymous client ID only.
6. Changes to this policy
We may update this Cookie Policy to reflect changes in the cookies we use. The updated version is posted here with a new "Effective" date. Material changes that introduce new cookie categories (for example, marketing cookies) trigger a refreshed consent request.
7. Contact
- Privacy inquiries: privacy@unshift.ai
- General support: support@unshift.ai
- Postal address: Unshift LLC, 1309 Coffeen Avenue STE 1200, Sheridan, Wyoming 82801, United States