Start free trial
Legal

Cookie Policy

Last updated: June 3, 2026

This Cookie Policy explains how Shand Enterprises LLC ("Clyro", "we", "us") uses cookies and similar technologies across the Clyro marketing site, the operator dashboard, the API, and the funnel pages our customers publish through Clyro. It should be read together with our Privacy Policy.

Cookies are small text files a site stores in your browser. "Similar technologies" include browser storage such as localStorage, sessionStorage, and IndexedDB, which serve related purposes but are not cookies. Clyro keeps all of these to a minimum: we use essential cookies to keep operators signed in and to protect requests, and we set almost nothing on the funnel pages that visitors actually see.

Two surfaces, two different sets of cookies

The cookies you encounter depend on which Clyro surface you are on, and there is a deliberate security boundary between them.

Operator surfaces (clyro.io)

The marketing site (clyro.io), the operator dashboard (platform.clyro.io), and the API (api.clyro.io) all sit on the operator domain. This is where we set our essential authentication and security cookies so operators stay signed in and their requests are protected.

Published funnel pages (separate content domain)

Funnels that operators publish are served from a separate registrable content domain as <tenant>.<content-domain>, plus any custom domains an operator connects. Because the operator login cookie is scoped to the operator domain, a browser will not send it to a funnel page — by design, author-controlled scripts on a funnel page cannot read an operator's session cookie. The result is that funnel pages carry almost no Clyro cookies at all: the only first-party cookie Clyro itself sets there is a signed A/B-test assignment cookie, and only while an experiment is actively running.

This separation is a security feature, not a limitation. It keeps the operator authentication cookie out of reach of anything running on a published funnel page.

Cookies Clyro sets

The table below lists every first-party cookie Clyro itself sets, where it applies, and how long it lasts. "Session" means the cookie is removed when you close your browser.

CookieWhereTypePurposeLifetime
tokenOperator dashboard & APIEssential (authentication)Keeps you signed in to the Clyro dashboard; httpOnly, signed, SameSite=Lax, Secure in production7 days
CSRF-protection cookie (set by our security library)Operator dashboard & APIEssential (security)Protects against cross-site request forgery; httpOnly, SameSite=Strict, Secure in productionSession
admin_tokenClyro admin panel (internal)Essential (authentication)Authenticates Clyro staff in the internal admin panel7 days
__clyro_exp_… (one per running experiment)Published funnel pagesFunctional (A/B testing)Keeps a visitor in the same A/B test variant across visits; signed, httpOnly, SameSite=Lax, Secure in production. Set ONLY when an experiment is actively running.90 days

The essential cookies on the operator surfaces are required for the dashboard to function — without them you cannot sign in or submit changes safely — so they cannot be turned off while you use the dashboard.

Other browser storage on funnel pages

On published funnel pages, Clyro relies more on browser storage than on cookies. The items below are not cookies — they are stored locally in your browser (in sessionStorage, localStorage, or IndexedDB), are not sent automatically with every request, and exist to make the page work properly:

  • Form input recovery — a sessionStorage entry that remembers what you have typed into a funnel form so your in-progress input is not lost if the page reloads.
  • Pop-up dismissal — a localStorage entry per pop-up that remembers which pop-ups you have already dismissed, so a closed pop-up does not keep reappearing.
  • Analytics delivery queue — an IndexedDB store (with a localStorage fallback) that briefly queues analytics events so they can be delivered reliably even on a flaky connection; queued entries are cleared after about 7 days.

The analytics collected through this queue are processed on behalf of the operator who runs the funnel; see the Privacy Policy for how that data is handled.

Device identification is cookieless

Funnel pages identify devices using FingerprintJS Pro, which is cookieless. It runs in the browser to recognize returning devices and to flag bots, fraud, and abuse, but it does not set a persistent Clyro identity cookie.

Because FingerprintJS Pro does not rely on a Clyro identity cookie, device recognition on funnel pages happens without us storing a tracking cookie on your browser.

Operator-added and third-party cookies

Operators can add their own tracking to the funnels they build, in two ways:

  • Custom code the operator pastes into their funnel — for example Google Tag Manager, Hotjar, or similar tools.
  • Connected integrations the operator enables — for example Meta Pixel, TikTok Pixel, Google Analytics 4, or Google Ads.

These tools are configured and controlled by the operator, not by Clyro, and they may set their own cookies on the funnel page. Clyro does not control those cookies. The operator who runs the funnel is responsible for disclosing them and for obtaining any consent the law requires. For the service providers Clyro itself uses, see our Sub-processors list.

How to manage cookies

You can control and delete cookies through your browser settings. Most browsers let you view stored cookies, block cookies from specific sites, and clear cookies and other site data. Browsers also provide controls for clearing local storage such as localStorage, sessionStorage, and IndexedDB.

Please note that blocking or deleting the essential cookies on the operator dashboard will prevent you from signing in or using the dashboard. Clearing storage on a funnel page may, for example, cause an already-dismissed pop-up to reappear or in-progress form input to be lost. For instructions, consult the help documentation for your specific browser.

For cookies set by an operator's own tracking or integrations on a funnel page, manage your choices through any controls that operator provides; those cookies are outside Clyro's control.

Changes to this policy

We may update this Cookie Policy from time to time as our use of cookies and similar technologies evolves. When we do, we will revise the "Last updated" date at the top of this page. Your continued use of the Service after an update means you accept the revised policy.

Contact us

For any question about this Cookie Policy or our use of cookies, contact Shand Enterprises LLC at team@clyro.io.