ShelfPicShelfPic
  • ImageVideoUpscalerPricing

Cookie Policy

How ShelfPic uses cookies and similar technologies, the categories we set, and how you can control them.
Effective: May 21, 2026Updated: Jul 14, 2026Version: 1.2.0

1. What Are Cookies?

A "cookie" is a small text file that a website places on your browser or device when you visit the site. Cookies allow the site to recognize your device across requests, remember your preferences, keep you signed in, and gather aggregate information about how the site is used.

Cookies are widely used across the modern web. They are not programs and cannot read other data on your device or run code on your machine. They can, however, be used to associate your activity across visits — which is why their use is regulated by privacy laws including the EU ePrivacy Directive (2002/58/EC), the GDPR, the California Consumer Privacy Act (CCPA / CPRA), the UK PECR, and similar regulations.

In this Policy, "cookies" includes:

  • HTTP cookies in the strict technical sense;
  • Local storage and session storage entries in your browser;
  • IndexedDB entries used for offline-capable features;
  • Pixel tags / web beacons in HTML emails or pages;
  • Software development kit (SDK) instrumentation in any future mobile app.

This Cookie Policy explains what cookies ShelfPic sets, what they do, and how you can control them. It is incorporated by reference into the Privacy Policy.

2. Categories of Cookies We Use

We organize our cookies into the categories below. The cookies in Strictly Necessary and Functional are set without prior consent because the Service cannot function without them. Analytics, affiliate, advertising, and other marketing technologies are treated as non-essential and are loaded only after you accept non-essential cookies.

2.1 Strictly Necessary Cookies

These cookies are required for the Service to operate. Disabling them will break authentication, security, and core features.

Cookie / storage keySourcePurposeDuration
better-auth.session_token (in production: __Secure-better-auth.session_token)ShelfPicAuthentication session token used by better-authSession or up to 30 days (remember me)
NEXT_LOCALEShelfPicPersists your selected language (en / zh)365 days
shelfpic_cookie_consent / cookie-consent-v2ShelfPicStores whether you accepted or rejected non-essential cookies365 days
sp_geo_consent_v1ShelfPicLocal storage entry: caches whether your region requires opt-in cookie consent (the result of our region lookup), so the consent banner behaves consistently across visits7 days
shelfpic_social_signup_consentShelfPicTemporarily records Terms/Privacy acknowledgement during OAuth sign-up10 minutes
shelfpic_social_signup_marketingShelfPicTemporarily records optional marketing consent during OAuth sign-up10 minutes
cf_clearanceCloudflareBot-protection challenge passage30 days
__cf_bmCloudflareBot-management heuristics on a per-request basis30 minutes
__cflbCloudflareLoad-balancer affinitySession
vercel-cdn-cache-controlVercelEdge-cache controlShort-lived per request

Legal basis: GDPR Art. 6(1)(b) (contractual necessity) and ePrivacy Directive Art. 5(3) "strictly necessary" exemption.

2.2 Functional Cookies

These cookies remember your preferences and convenience choices. They are not strictly necessary, but disabling them degrades the experience.

Cookie / storage keySourcePurposeDuration
themeShelfPicLocal storage entry: persists your dark / light theme preferenceUntil cleared
shelfpic-directionShelfPicPersists your visual-direction preference (editorial / darkroom palette) so pages render in your chosen look without a flash365 days
shelfpic-sidebar-collapsedShelfPicLocal storage entry: remembers whether you collapsed the in-app sidebarUntil cleared
shelfpic-bg-exportShelfPicLocal storage entry: remembers your last-selected export preset in the Background toolUntil cleared
top-banner-dismissed:{id}ShelfPicLocal storage entry: tracks which one-time announcement banners you have closed7 days
sp_signup_methodShelfPicShort-lived cookie set at account creation that carries your chosen signup method (email / social) through the OAuth redirect so the sign-up is recorded once10 minutes
utm_sourceShelfPicFirst-party campaign attribution: records the utm_source parameter from your landing URL so a later signup can be attributed to the marketing channel that brought you here30 days

Note on utm_source: this is a first-party attribution technology, not a cross-site tracker. It is set when you first arrive at the Site only if your landing URL carries a utm_source query parameter, it is set at landing regardless of your consent choice, and it expires after 30 days. It is used solely so that, if you later create an Account, we can attribute the signup to the marketing channel that brought you here. It is not shared with third parties and is not used for cross-context behavioral advertising.

Legal basis: GDPR Art. 6(1)(f) (legitimate interest in providing a coherent experience), where allowed without consent. In jurisdictions where consent is required for functional cookies, we obtain consent.

2.3 Analytics Cookies

These cookies help us understand how the Service is used so we can improve it. Whether they load depends on your region. If you visit from the EEA, the UK, or Switzerland — or if we cannot determine your region — analytics scripts and cookies are not loaded unless you accept non-essential cookies through our consent banner. In other regions, analytics may load automatically on your first visit; you can prevent or remove them at any time using the controls in Section 4 (including your browser settings).

Cookie / storage keySourcePurposeDuration
_vercel_speed_insights_*VercelPerformance metrics (Core Web Vitals)Session
_vercel_analytics_*VercelAggregate page-view analytics90 days
_ga, _ga_*Google Analytics, if enabledAnalytics and conversion measurementUp to 2 years
_clck, _clskMicrosoft Clarity, if enabledProduct analytics, session interaction measurementUp to 1 year
plausible_* or equivalentPlausible, if enabledPrivacy-oriented aggregate analyticsUp to 1 year
op_* or equivalentOpenPanel, if enabledProduct analytics eventsUp to 1 year

Analytics providers are configured as optional integrations. The exact cookies may vary by provider configuration and browser behavior.

Legal basis: GDPR Art. 6(1)(a) (consent) where required; Art. 6(1)(f) (legitimate interest) where consent is not required.

2.4 Marketing Cookies

Advertising, affiliate, and marketing technologies are treated as non-essential in ShelfPic and are loaded only after you accept non-essential cookies. Depending on production configuration, these technologies may include Google AdSense, affiliate attribution providers such as Affonso or PromoteKit, and conversion measurement scripts. Some of these technologies may be considered advertising or "sharing" technologies under privacy laws.

When these technologies are enabled, we will:

  • Update this Cookie Policy with the specific cookies, their sources, and durations;
  • Load them only after non-essential cookie consent where required;
  • Provide an opt-out mechanism through the consent banner, browser controls, recognized opt-out signals, and [email protected].

Legal basis: GDPR Art. 6(1)(a) (consent), CCPA / CPRA opt-out under §1798.135.

3. Third-Party Cookies

A "third-party cookie" is a cookie set in your browser by a domain other than the one you are visiting. We use the following third-party services that may set cookies in your browser when you interact with ShelfPic:

3.1 Payment Processors

When you reach the checkout flow, payment processors such as Creem, Stripe, or PayPal may set cookies on their own domains to maintain your checkout session, prevent fraud, process payment, support subscriptions, and store processor-side payment-method tokens. These cookies are governed by the relevant processor's privacy policy.

3.2 Vercel (Hosting, Edge, Analytics)

Vercel's edge network and analytics may set cookies for routing, caching, performance measurement, and (with consent) first-party analytics. These cookies are governed by Vercel's Privacy Policy.

3.3 Cloudflare (Bot Management, CDN)

When you access ShelfPic, Cloudflare sets cookies in the Strictly Necessary category to identify abusive bots, mitigate DDoS attacks, and ensure session continuity through their CDN. These cookies are governed by Cloudflare's Privacy Policy.

3.4 OAuth Sign-In

If you choose to sign in with Google, GitHub, or another OAuth provider we make available, that provider may set cookies on its own domain during the OAuth flow. These are not set by ShelfPic, but you may encounter them as part of the sign-in process. They are governed by the relevant provider's privacy policy.

3.5 Analytics, Ads, Affiliate, and Support Chat

After you accept non-essential cookies, configured providers such as Google Analytics, Microsoft Clarity, Plausible, OpenPanel, Google AdSense, Affonso, PromoteKit, Crisp, or Tawk may set cookies, local storage entries, or similar identifiers to measure usage, attribute referrals, provide support chat, prevent abuse, and measure conversions. These providers operate under their own privacy policies.

4. How to Control Cookies

You have multiple ways to control cookies.

4.1 Our Consent Banner

If you visit from the EEA, the UK, or Switzerland — or if we cannot determine your region — you will see a cookie consent banner on your first visit, unless you have already saved a choice. In other regions we do not display the banner and non-essential cookies may load automatically; you can still reject or remove them using your browser settings (Section 4.2) and the site-data controls described below. Where the banner is shown, you can:

  • Accept all cookies;
  • Reject non-essential cookies, including analytics, affiliate, advertising, support chat, and marketing technologies.

We currently provide an accept/reject choice rather than category-level controls. You can change your choice by clearing ShelfPic site data for shelfpic_cookie_consent and cookie-consent-v2, then revisiting the Site.

4.2 Browser Settings

All major browsers allow you to manage cookies through their settings. You can:

  • Block all cookies (this will break the Service);
  • Block third-party cookies only;
  • Allow only first-party cookies;
  • Delete cookies on each browser close;
  • Manage cookies on a per-domain basis.

Help articles for popular browsers:

  • Google Chrome: https://support.google.com/chrome/answer/95647
  • Mozilla Firefox: https://support.mozilla.org/en-US/kb/cookies-information-websites-store-on-your-computer
  • Microsoft Edge: https://support.microsoft.com/en-us/microsoft-edge/delete-cookies-in-microsoft-edge-63947406-40ac-c3b8-57b9-2a946a29ae09
  • Apple Safari (macOS): https://support.apple.com/guide/safari/manage-cookies-sfri11471/mac
  • Apple Safari (iOS): https://support.apple.com/en-us/HT201265

4.3 Effect of Disabling Strictly Necessary Cookies

If you disable Strictly Necessary cookies in your browser, the Service will not function:

  • You will not be able to sign in;
  • Authenticated requests, including generation requests, will be rejected;
  • Your language preference will reset on every visit;
  • Cloudflare bot protection may flag your session as untrusted, leading to challenge pages or blocks.

You should only disable Strictly Necessary cookies if you intend not to use the Service.

4.4 Effect of Disabling Functional Cookies

If you disable Functional cookies, you will experience:

  • Theme and visual-direction preferences resetting to default on every visit;
  • Banners you have dismissed reappearing;
  • In-app preferences (sidebar state, Background-tool export preset) resetting.

4.5 Effect of Disabling Analytics Cookies

If you disable Analytics cookies:

  • Your traffic will not be included in our aggregate usage analytics;
  • Vercel Speed Insights will not report your device's Core Web Vitals;
  • The Service will function normally.

5. Do Not Track

Some browsers offer a "Do Not Track" (DNT) header that sites can read to detect a user's preference to opt out of tracking. The DNT specification has not been widely adopted as a binding standard, and there is no clear industry consensus on how to honor it.

ShelfPic does not currently honor DNT signals as a substitute for our consent banner. We disclose this transparently. If a regulatory framework in your jurisdiction makes DNT a binding opt-out signal in the future, we will update this Policy accordingly.

5.1 Global Privacy Control (GPC)

For California residents, Global Privacy Control (GPC) is a browser-level opt-out signal recognized by the California Attorney General under CPRA. We do not sell personal information for money, and we do not share personal information for cross-context behavioral advertising — so we honor the intent of GPC for all users by default, consistent with our Privacy Policy. Fully automated handling of the GPC browser signal is planned; until it ships, the protections above apply regardless of whether your browser sends the signal.

6. Cookies in Email

If we send you an HTML email (transactional or marketing), it may contain a tracking pixel that tells us whether the email was opened and which links were clicked. We use this to:

  • Confirm transactional emails were delivered (receipts, password resets);
  • Measure marketing email engagement at an aggregate level.

To prevent email tracking pixels from loading:

  • Disable image loading in your email client; or
  • Use an email client that strips or rewrites tracking pixels (some clients do this by default).

You may also unsubscribe from marketing emails entirely via the unsubscribe link in every marketing email.

7. Mobile Applications

ShelfPic does not currently publish a native mobile application. If we publish one in the future, it will use:

  • Device-level identifiers (Advertising ID on Android, IDFA on iOS) only with explicit consent on iOS, in accordance with Apple's App Tracking Transparency framework, and with parallel disclosure on Android;
  • In-app storage equivalent to cookies for authentication, preferences, and analytics.

We will update this Policy to reflect mobile-specific practices when relevant.

8. Updates to This Policy

We may update this Cookie Policy from time to time. The current version is reflected in the effective_date and version fields in the document frontmatter at the top of this page.

8.1 Notice of Material Changes

For changes that materially expand the categories of cookies we set or the third parties to which we share cookie data, we will:

  • Update the consent banner to surface the change to existing Users;
  • Provide notice via this Policy at least fourteen (14) days before the new cookies are deployed;
  • For marketing cookies, require fresh consent before they are set.

8.2 Non-Material Changes

Non-material clarifications (formatting, typographical correction, third-party cookie expiry adjustments) may take effect upon posting. The version field is incremented for all changes.

9. Contact

For questions about this Cookie Policy or how to manage cookies:

  • Privacy / DPO: [email protected]
  • General support: [email protected]

This Cookie Policy is incorporated into the Privacy Policy. Together, they describe our use of cookies and personal information.

ShelfPicShelfPic

AI product photography for e-commerce sellers. Any photo in, listing-ready out.

Tools
AI ReshootProduct Shorts4K UpscaleBackground RemovalAI Photoshoot
Product
How it worksPricingAll Tools
Resources
BlogChangelogHelp Center
Legal
Terms of ServicePrivacy PolicyRefund PolicyCookie PolicyAcceptable Use PolicyDMCA Policy
© 2026 ShelfPic, All rights reserved
All systems operational