The short version
- withherald.co (this site) sets no cookies. Browse the marketing site, read the blog, check the changelog — no cookies are written to your browser. We use localStorage to remember your light/dark theme preference; it is scoped to this origin and never leaves your device.
- app.withherald.co sets cookies only after you sign in. These are strictly necessary for the application to function. There are no advertising cookies, no analytics cookies, no cross-site tracking pixels anywhere in the Herald product.
Strictly necessary cookies (app.withherald.co)
These cookies are required to keep the application working. You cannot opt out of them and continue to use the signed-in application; if you prefer not to have them set, do not sign in.
Authentication cookies (Better Auth)
Herald uses Better Auth — an open-source authentication library running on Herald's own infrastructure — to handle sign-in, session management, and organization membership. Better Auth stores session state in Cloudflare D1, which is Herald's own database. No third-party authentication provider has access to your credentials or session.
When you sign in, Better Auth writes one or two session cookies to app.withherald.co:
- Session cookie (better-auth.session_token or similar). Contains an opaque session ID that maps to your session record in Cloudflare D1. The actual session data — user ID, expiry, organization membership — is stored server-side. The cookie is HttpOnly (not readable by JavaScript), Secure (sent only over HTTPS), and SameSite=Lax (not sent on cross-site requests except top-level navigations). Duration: 30 days by default; renewed on activity.
- CSRF token cookie (better-auth.csrf_token or similar). A short-lived token used to prevent cross-site request forgery on form submissions. This cookie is SameSite=Strict and expires at the end of the browser session.
Neither cookie contains any personal data beyond the opaque session ID. Session cookies are invalidated when you sign out or when you delete your account.
Route-level caching cookies
Cloudflare's edge may set a small number of __cf_* cookies for its own infrastructure functions — bot detection, challenge pages, and load-balancing affinity. These are first-party cookies set by Cloudflare on our behalf; they are not advertising cookies and do not track you across other sites. See Cloudflare's cookie documentation for the full list.
Cookies we do not set
To be explicit about what Herald does not do:
- No analytics cookies. We run no Google Analytics, Mixpanel, Amplitude, PostHog, Segment, or similar analytics trackers on the marketing site or the application.
- No advertising cookies. We run no advertising campaigns that require pixel or cookie-based attribution. No Meta Pixel, no Google Ads remarketing tag, no LinkedIn Insight Tag.
- No cross-site tracking. We do not use cookies or other storage mechanisms to track you across sites you visit after leaving withherald.co.
- No third-party session replay or heat-map tools. No FullStory, Hotjar, or equivalent running on any Herald surface.
Managing cookies
Your browser gives you control over cookies. You can view, block, or delete cookies from any site — including Herald — through your browser's settings. Blocking the session cookie will prevent you from staying signed in to the application; all other Herald functionality will continue to work without cookies.
Related documents
- Privacy Policy §3 — full list of what we collect
- Privacy Policy §10 — cookies and local storage (summary)
- Terms & Conditions — the master service agreement
Contact
Questions about cookies or data handling: write to privacy@withherald.co.