A "cookie" is a small text file that a website places on your browser or device when you visit the site. Cookies allow the site to recognize your device across requests, remember your preferences, keep you signed in, and gather aggregate information about how the site is used.
Cookies are widely used across the modern web. They are not programs and cannot read other data on your device or run code on your machine. They can, however, be used to associate your activity across visits — which is why their use is regulated by privacy laws including the EU ePrivacy Directive (2002/58/EC), the GDPR, the California Consumer Privacy Act (CCPA / CPRA), the UK PECR, and similar regulations.
In this Policy, "cookies" includes:
This Cookie Policy explains what cookies ShelfPic sets, what they do, and how you can control them. It is incorporated by reference into the Privacy Policy.
We organize our cookies into the categories below. The cookies in Strictly Necessary and Functional are set without prior consent because the Service cannot function without them. Analytics, affiliate, advertising, and other marketing technologies are treated as non-essential and are loaded only after you accept non-essential cookies.
These cookies are required for the Service to operate. Disabling them will break authentication, security, and core features.
| Cookie / storage key | Source | Purpose | Duration |
|---|---|---|---|
better-auth.session_token (in production: __Secure-better-auth.session_token) | ShelfPic | Authentication session token used by better-auth | Session or up to 30 days (remember me) |
NEXT_LOCALE | ShelfPic | Persists your selected language (en / zh) | 365 days |
shelfpic_cookie_consent / cookie-consent-v2 | ShelfPic | Stores whether you accepted or rejected non-essential cookies | 365 days |
sp_geo_consent_v1 | ShelfPic | Local storage entry: caches whether your region requires opt-in cookie consent (the result of our region lookup), so the consent banner behaves consistently across visits | 7 days |
shelfpic_social_signup_consent | ShelfPic | Temporarily records Terms/Privacy acknowledgement during OAuth sign-up | 10 minutes |
shelfpic_social_signup_marketing | ShelfPic | Temporarily records optional marketing consent during OAuth sign-up | 10 minutes |
cf_clearance | Cloudflare | Bot-protection challenge passage | 30 days |
__cf_bm | Cloudflare | Bot-management heuristics on a per-request basis | 30 minutes |
__cflb | Cloudflare | Load-balancer affinity | Session |
vercel-cdn-cache-control | Vercel | Edge-cache control | Short-lived per request |
Legal basis: GDPR Art. 6(1)(b) (contractual necessity) and ePrivacy Directive Art. 5(3) "strictly necessary" exemption.
These cookies remember your preferences and convenience choices. They are not strictly necessary, but disabling them degrades the experience.
| Cookie / storage key | Source | Purpose | Duration |
|---|---|---|---|
theme | ShelfPic | Local storage entry: persists your dark / light theme preference | Until cleared |
shelfpic-direction | ShelfPic | Persists your visual-direction preference (editorial / darkroom palette) so pages render in your chosen look without a flash | 365 days |
shelfpic-sidebar-collapsed | ShelfPic | Local storage entry: remembers whether you collapsed the in-app sidebar | Until cleared |
shelfpic-bg-export | ShelfPic | Local storage entry: remembers your last-selected export preset in the Background tool | Until cleared |
top-banner-dismissed:{id} | ShelfPic | Local storage entry: tracks which one-time announcement banners you have closed | 7 days |
sp_signup_method | ShelfPic | Short-lived cookie set at account creation that carries your chosen signup method (email / social) through the OAuth redirect so the sign-up is recorded once | 10 minutes |
utm_source | ShelfPic | First-party campaign attribution: records the utm_source parameter from your landing URL so a later signup can be attributed to the marketing channel that brought you here | 30 days |
Note on
utm_source: this is a first-party attribution technology, not a cross-site tracker. It is set when you first arrive at the Site only if your landing URL carries autm_sourcequery parameter, it is set at landing regardless of your consent choice, and it expires after 30 days. It is used solely so that, if you later create an Account, we can attribute the signup to the marketing channel that brought you here. It is not shared with third parties and is not used for cross-context behavioral advertising.
Legal basis: GDPR Art. 6(1)(f) (legitimate interest in providing a coherent experience), where allowed without consent. In jurisdictions where consent is required for functional cookies, we obtain consent.
These cookies help us understand how the Service is used so we can improve it. Whether they load depends on your region. If you visit from the EEA, the UK, or Switzerland — or if we cannot determine your region — analytics scripts and cookies are not loaded unless you accept non-essential cookies through our consent banner. In other regions, analytics may load automatically on your first visit; you can prevent or remove them at any time using the controls in Section 4 (including your browser settings).
| Cookie / storage key | Source | Purpose | Duration |
|---|---|---|---|
_vercel_speed_insights_* | Vercel | Performance metrics (Core Web Vitals) | Session |
_vercel_analytics_* | Vercel | Aggregate page-view analytics | 90 days |
_ga, _ga_* | Google Analytics, if enabled | Analytics and conversion measurement | Up to 2 years |
_clck, _clsk | Microsoft Clarity, if enabled | Product analytics, session interaction measurement | Up to 1 year |
plausible_* or equivalent | Plausible, if enabled | Privacy-oriented aggregate analytics | Up to 1 year |
op_* or equivalent | OpenPanel, if enabled | Product analytics events | Up to 1 year |
Analytics providers are configured as optional integrations. The exact cookies may vary by provider configuration and browser behavior.
Legal basis: GDPR Art. 6(1)(a) (consent) where required; Art. 6(1)(f) (legitimate interest) where consent is not required.
Advertising, affiliate, and marketing technologies are treated as non-essential in ShelfPic and are loaded only after you accept non-essential cookies. Depending on production configuration, these technologies may include Google AdSense, affiliate attribution providers such as Affonso or PromoteKit, and conversion measurement scripts. Some of these technologies may be considered advertising or "sharing" technologies under privacy laws.
When these technologies are enabled, we will:
Legal basis: GDPR Art. 6(1)(a) (consent), CCPA / CPRA opt-out under §1798.135.
A "third-party cookie" is a cookie set in your browser by a domain other than the one you are visiting. We use the following third-party services that may set cookies in your browser when you interact with ShelfPic:
When you reach the checkout flow, payment processors such as Creem, Stripe, or PayPal may set cookies on their own domains to maintain your checkout session, prevent fraud, process payment, support subscriptions, and store processor-side payment-method tokens. These cookies are governed by the relevant processor's privacy policy.
Vercel's edge network and analytics may set cookies for routing, caching, performance measurement, and (with consent) first-party analytics. These cookies are governed by Vercel's Privacy Policy.
When you access ShelfPic, Cloudflare sets cookies in the Strictly Necessary category to identify abusive bots, mitigate DDoS attacks, and ensure session continuity through their CDN. These cookies are governed by Cloudflare's Privacy Policy.
If you choose to sign in with Google, GitHub, or another OAuth provider we make available, that provider may set cookies on its own domain during the OAuth flow. These are not set by ShelfPic, but you may encounter them as part of the sign-in process. They are governed by the relevant provider's privacy policy.
After you accept non-essential cookies, configured providers such as Google Analytics, Microsoft Clarity, Plausible, OpenPanel, Google AdSense, Affonso, PromoteKit, Crisp, or Tawk may set cookies, local storage entries, or similar identifiers to measure usage, attribute referrals, provide support chat, prevent abuse, and measure conversions. These providers operate under their own privacy policies.
You have multiple ways to control cookies.
If you visit from the EEA, the UK, or Switzerland — or if we cannot determine your region — you will see a cookie consent banner on your first visit, unless you have already saved a choice. In other regions we do not display the banner and non-essential cookies may load automatically; you can still reject or remove them using your browser settings (Section 4.2) and the site-data controls described below. Where the banner is shown, you can:
We currently provide an accept/reject choice rather than category-level controls. You can change your choice by clearing ShelfPic site data for shelfpic_cookie_consent and cookie-consent-v2, then revisiting the Site.
All major browsers allow you to manage cookies through their settings. You can:
Help articles for popular browsers:
If you disable Strictly Necessary cookies in your browser, the Service will not function:
You should only disable Strictly Necessary cookies if you intend not to use the Service.
If you disable Functional cookies, you will experience:
If you disable Analytics cookies:
Some browsers offer a "Do Not Track" (DNT) header that sites can read to detect a user's preference to opt out of tracking. The DNT specification has not been widely adopted as a binding standard, and there is no clear industry consensus on how to honor it.
ShelfPic does not currently honor DNT signals as a substitute for our consent banner. We disclose this transparently. If a regulatory framework in your jurisdiction makes DNT a binding opt-out signal in the future, we will update this Policy accordingly.
For California residents, Global Privacy Control (GPC) is a browser-level opt-out signal recognized by the California Attorney General under CPRA. We do not sell personal information for money, and we do not share personal information for cross-context behavioral advertising — so we honor the intent of GPC for all users by default, consistent with our Privacy Policy. Fully automated handling of the GPC browser signal is planned; until it ships, the protections above apply regardless of whether your browser sends the signal.
If we send you an HTML email (transactional or marketing), it may contain a tracking pixel that tells us whether the email was opened and which links were clicked. We use this to:
To prevent email tracking pixels from loading:
You may also unsubscribe from marketing emails entirely via the unsubscribe link in every marketing email.
ShelfPic does not currently publish a native mobile application. If we publish one in the future, it will use:
We will update this Policy to reflect mobile-specific practices when relevant.
We may update this Cookie Policy from time to time. The current version is reflected in the effective_date and version fields in the document frontmatter at the top of this page.
For changes that materially expand the categories of cookies we set or the third parties to which we share cookie data, we will:
Non-material clarifications (formatting, typographical correction, third-party cookie expiry adjustments) may take effect upon posting. The version field is incremented for all changes.
For questions about this Cookie Policy or how to manage cookies:
This Cookie Policy is incorporated into the Privacy Policy. Together, they describe our use of cookies and personal information.