Cookie Policy

Last updated 28 March 2026

1. What Are Cookies

Cookies are small text files that are placed on your device (computer, tablet, or mobile phone) when you visit a website. They are widely used to make websites work more efficiently, provide information to website owners, and improve the user experience.

Cookies can be persistent (remaining on your device until they expire or are deleted) or session cookies (deleted automatically when you close your browser). They can also be classified by who sets them:

  • First-party cookies are set by the website you are visiting (e.g., webrec.app).
  • Third-party cookies are set by a domain other than the one you are visiting (e.g., a payment processor or OAuth provider).

In addition to cookies, websites may use other browser storage mechanisms such as localStorage and sessionStorage. These function similarly to cookies but are only accessible by the website that created them (same-origin policy) and are not automatically sent with HTTP requests.

This Cookie Policy explains what cookies and browser storage Webrec uses on our own website (webrec.app), what third-party services may set cookies, and what browser storage the Webrec SDK uses on customer websites.

3. Cookies We Use on webrec.app

3.1 Essential Cookies

These cookies are strictly necessary for the website to function. They enable core features such as authentication, session management, and security. The website cannot function properly without them, and they cannot be disabled without breaking the login flow.

| Name | Type | Purpose | Duration |
| --- | --- | --- | --- |
| authjs.session-token / __Secure-authjs.session-token | HTTP cookie (first-party) | Stores your authenticated session. Required to keep you logged in as you navigate the dashboard. The __Secure- variant is used on HTTPS connections. | 30 days (persistent) or session |
| authjs.csrf-token / __Host-authjs.csrf-token | HTTP cookie (first-party) | Cross-Site Request Forgery (CSRF) protection token. Prevents malicious third-party sites from making requests on your behalf. | Session (cleared on browser close) |
| authjs.callback-url / __Secure-authjs.callback-url | HTTP cookie (first-party) | Stores the URL to redirect you to after authentication (e.g., the page you were visiting before logging in). | Session (cleared on browser close) |

3.2 Functional Storage

These browser storage items remember your preferences and choices to provide a more personalised experience. They are stored in localStorage (not as HTTP cookies) and are never sent to our servers automatically.

| Name | Type | Purpose | Duration |
| --- | --- | --- | --- |
| theme | localStorage | Remembers your light/dark mode preference so the correct theme loads on subsequent visits. | Persistent (until manually cleared) |
| webrec_cookie_consent | localStorage | Stores your cookie consent preference so the consent banner is not shown again on future visits. | Persistent (until manually cleared) |

3.3 Analytics Cookies

We do not use any analytics cookies or third-party analytics trackers (such as Google Analytics, Plausible, Fathom, or Mixpanel) on our marketing website or dashboard. We respect your privacy and do not track your browsing behaviour for analytics or advertising purposes.

4. Third-Party Cookies

Certain third-party services used by Webrec may set their own cookies when you interact with them. We do not control these cookies, and they are only set when you actively engage with the relevant feature. They include:

| Name | Type | Purpose | Duration |
| --- | --- | --- | --- |
| Stripe (__stripe_mid, __stripe_sid, and others) | Third-party HTTP cookie | Fraud prevention and payment processing. Set when you visit the billing page or enter payment details. | Session to 1 year (varies by cookie) |
| Google OAuth cookies | Third-party HTTP cookie | OAuth authentication. Set only when you use "Sign in with Google". | Varies (controlled by Google) |
| GitHub OAuth cookies | Third-party HTTP cookie | OAuth authentication. Set only when you use "Sign in with GitHub". | Varies (controlled by GitHub) |

For more information about how these services handle your data, please see their respective privacy policies:

5. Webrec SDK Browser Storage

When Customers deploy the Webrec SDK (webrec) on their websites or applications, the SDK uses browser storage mechanisms to function. It is important to understand the distinction between storage set by Webrec on our own website (covered in sections 3-4 above) and storage set by the SDK on our customers' websites (covered here).

The Webrec SDK does not set traditional HTTP cookies. It uses only sessionStorage and localStorage, which are scoped to the customer's origin and cannot be used for cross-site tracking.

5.1 Storage Items Created by the SDK

The following storage items may be created on End User devices when visiting a website that has the Webrec SDK installed:

| Name | Type | Purpose | Duration |
| --- | --- | --- | --- |
| wr_session | sessionStorage | Stores the current session identifier. Used to group user interactions into a single recording session. Automatically cleared when the browser tab is closed. | Tab session (cleared on tab/browser close) |
| wr_identity | localStorage | Stores the user identity set by the Customer via the identify() API. Only present if the Customer explicitly calls this method to associate a session with a known user. | Persistent (until cleared or overwritten) |
| wr_anonymous_id | localStorage | Stores an anonymous visitor identifier (a random UUID) to correlate sessions from the same visitor across page loads. This ID is scoped to the single origin and cannot be used for cross-site tracking. | Persistent (until cleared) |

5.2 What the SDK Does Not Store

  • The SDK does not set traditional HTTP cookies on the customer's domain
  • The SDK does not store any personally identifiable information (PII) unless the Customer explicitly passes it via the identify() API
  • The SDK does not create any storage that is accessible by third-party domains
  • The SDK does not use fingerprinting or any technique that persists beyond standard browser storage

5.3 Important Notes

  • sessionStorage items are automatically cleared when the tab or browser is closed
  • localStorage items persist until explicitly cleared by the user, the website, or browser settings
  • All storage items are only accessible by the website that created them (same-origin policy) and cannot be used for cross-site tracking
  • If the user's browser has Do Not Track (DNT) or Global Privacy Control (GPC) enabled, the SDK does not create any storage items and does not record the session
  • Customers are responsible for disclosing the use of the Webrec SDK in their own privacy and cookie policies, and for obtaining any required consent from their End Users

6. ePrivacy Directive Compliance

The EU ePrivacy Directive (Directive 2002/58/EC, as amended by Directive 2009/136/EC), often referred to as the "Cookie Law", requires that websites obtain informed consent before storing or accessing information on a user's device, except where the storage is strictly necessary for the service requested by the user.

6.1 How Webrec Complies

  • Strictly necessary cookies (authentication, CSRF protection): These are exempt from the consent requirement under Article 5(3) of the ePrivacy Directive because they are essential for providing the service you have requested. We set these without prior consent.
  • Functional storage (theme, consent preference): These localStorage items enhance your experience but are not essential. We consider them low-risk and provide clear information about them in this policy.
  • Third-party cookies (Stripe, OAuth): These are only set when you actively interact with the relevant feature (e.g., clicking "Sign in with Google" or visiting the billing page). They serve a specific function you have requested.
  • No analytics or advertising cookies: Because we do not use analytics or advertising cookies, no consent is required for these categories.

6.2 Guidance for Webrec Customers

If you are a Webrec Customer deploying the SDK on your website, you should be aware of the following:

  • The Webrec SDK uses sessionStorage and localStorage, which are covered by the ePrivacy Directive in the same way as cookies
  • Depending on your jurisdiction and the applicable national implementation of the Directive, you may need to obtain consent from your End Users before the SDK stores data on their devices
  • The SDK provides a programmatic API to delay initialisation until consent is obtained (see SDK documentation)
  • You are responsible for including the Webrec SDK storage items in your own cookie policy and consent banner

8. Managing Cookies

You can control and manage cookies and browser storage through your browser settings. Most browsers allow you to:

  • View what cookies are stored and delete them individually
  • Block all cookies or only third-party cookies
  • Clear all cookies and site data when you close the browser
  • Clear localStorage and sessionStorage via developer tools (Application tab)
  • Set per-site cookie permissions to allow or block cookies from specific domains

8.1 Browser-Specific Instructions

Instructions for managing cookies in popular browsers:

  • Google Chrome -- Settings > Privacy and Security > Cookies and other site data
  • Mozilla Firefox -- Settings > Privacy & Security > Cookies and Site Data
  • Apple Safari -- Preferences > Privacy > Manage Website Data
  • Microsoft Edge -- Settings > Cookies and site permissions > Manage and delete cookies
  • Opera -- Settings > Privacy & Security > Cookies
  • Brave -- Settings > Shields > Cookies

Please note: Blocking essential cookies will prevent you from logging into and using the Webrec dashboard. If you block all cookies, you will still be able to browse our marketing pages but will not be able to authenticate.

9. Do Not Track and Global Privacy Control

Webrec respects both the Do Not Track (DNT) browser signal and the Global Privacy Control (GPC) signal.

9.1 Do Not Track (DNT)

Do Not Track is a browser setting that sends a signal to websites requesting that they do not track the user. When the Webrec SDK detects that a user has DNT enabled, no session recording will occur and no browser storage items will be created. The SDK checks the navigator.doNotTrack property on every page load.

9.2 Global Privacy Control (GPC)

Global Privacy Control is a newer standard that allows users to signal their privacy preferences to websites. It is recognised under regulations such as the California Consumer Privacy Act (CCPA) and the Colorado Privacy Act (CPA). When the Webrec SDK detects the GPC signal via navigator.globalPrivacyControl, no session recording will occur and no browser storage items will be created.

DNT and GPC signals are respected by default in the Webrec SDK. Customers do not need to configure anything additional to honour these user preferences. Both signals are checked before any recording or storage initialisation takes place.

10. Updates to This Policy

We may update this Cookie Policy from time to time to reflect changes in the cookies and storage we use, or for legal, operational, or regulatory reasons. We will update the "Last updated" date at the top of this policy when we make changes.

For material changes, we will provide notice through a prominent banner on our website or by email to registered users. We encourage you to review this policy periodically.

11. Contact

If you have questions about this Cookie Policy or our use of cookies and browser storage, please contact us:

Rouic Ltd is a company registered in England and Wales. You can also write to our registered address if you prefer to contact us by post.

Questions about our policies? Email privacy@webrec.app