1. What's a cookie?
Cookies are small text files a website stores in your browser. They let the site recognize you across page loads โ log you in, remember your cart, attribute a click to a creator. Some are essential; others are optional and exist for analytics or personalization.
This Cookie Policy is part of our Privacy Policy. Use this page to understand specifically what we set.
2. Categories we use
We use three categories. Two are essential and can't be disabled; one is optional.
- Strictly necessary โ login session, CSRF token, fraud signals. Service won't work without these.
- Attribution โ when you click a creator's tracking link, a 14- or 30-day cookie remembers the creator so commission is paid correctly. Standard affiliate tracking. Required for the marketplace to function.
- Analytics โ anonymized usage events (page views, clicks). Optional. We use PostHog (EU-hosted) so the data stays in EU regions for EU users.
What we don't use: ad-targeting cookies (Google Ads, Facebook Pixel, etc.). PPToGo doesn't run paid acquisition through ad networks, so we don't need to share buyer behavior with them. If we ever do, we'll opt-in only and update this policy 30 days in advance.
3. Cookies we set
| Name | Category | Purpose | TTL |
|---|---|---|---|
| __pptogo_session | Necessary | Authenticated session token (encrypted, HttpOnly, SameSite=Lax) | 14 days |
| __pptogo_csrf | Necessary | CSRF protection token; rotates per session | Session |
| __pptogo_fp | Necessary | Anonymous device fingerprint hash for fraud detection (self-purchase / velocity) | 90 days |
| __pptogo_attr | Attribution | Stores the creator handle, campaign ID, and click timestamp when you arrive via a tracking link | 14 days (default) / 30 days (per campaign) |
| __pptogo_consent | Necessary | Stores your cookie-consent choices for analytics | 12 months |
| ph_* | Analytics | PostHog anonymous session and event tracking. EU-hosted. | 12 months |
| __pptogo_aud | Analytics | Remembers your audience preference (humans vs agents) on /tools so you don't have to re-toggle each visit | 90 days |
4. Third-party cookies
Embedded third-party services may set their own cookies on the pages where they appear:
- Stripe (checkout) โ required for payment processing. PCI-DSS Level 1. Stripe's cookie policy.
- Shopify Buy Button (Type A merchant pages) โ Shopify sets cookies during checkout. Shopify's cookie policy.
- Cloudflare (CDN) โ sets
__cf_bmfor bot management. Strictly necessary. Cloudflare's privacy policy.
5. How to manage your cookies
You can control non-essential cookies via the consent panel below (illustrative on this page; the real one appears on first visit and from Account Settings).
You can also block cookies at the browser level โ see allaboutcookies.org for instructions per browser. Note: disabling strictly-necessary or attribution cookies will break login or break commission attribution to creators.
6. Changes to this policy
If we add or remove cookies, we update this page and the effective date. Material changes (new analytics provider, new tracking, etc.) are announced 30 days in advance via email and a banner on pptogo.com.
7. Contact
Questions about cookies: privacy@pptogo.com
