A "cookie" is a small text file that a website places on your browser or device when you visit the site. Cookies allow the site to recognize your device across requests, remember your preferences, keep you signed in, and gather aggregate information about how the site is used.
Cookies are widely used across the modern web. They are not programs and cannot read other data on your device or run code on your machine. They can, however, be used to associate your activity across visits — which is why their use is regulated by privacy laws including the EU ePrivacy Directive (2002/58/EC), the GDPR, the California Consumer Privacy Act (CCPA / CPRA), the UK PECR, and similar regulations.
In this Policy, "cookies" includes:
This Cookie Policy explains what cookies ShelfPic sets, what they do, and how you can control them. It is incorporated by reference into the Privacy Policy.
We organize our cookies into the categories below. The cookies in Strictly Necessary and Functional are set without prior consent because the Service cannot function without them. Analytics, affiliate, advertising, and other marketing technologies are treated as non-essential and are loaded only after you accept non-essential cookies.
These cookies are required for the Service to operate. Disabling them will break authentication, security, and core features.
| Cookie / storage key | Source | Purpose | Duration |
|---|---|---|---|
better-auth.session_token | ShelfPic | Authentication session token used by better-auth | Session or up to 30 days (remember me) |
better-auth.csrf | ShelfPic | Cross-site request forgery protection | Session |
NEXT_LOCALE | ShelfPic | Persists your selected language (en / zh) | 365 days |
shelfpic_cookie_consent / cookie-consent-v2 | ShelfPic | Stores whether you accepted or rejected non-essential cookies | 365 days |
shelfpic_social_signup_consent | ShelfPic | Temporarily records Terms/Privacy acknowledgement during OAuth sign-up | 10 minutes |
shelfpic_social_signup_marketing | ShelfPic | Temporarily records optional marketing consent during OAuth sign-up | 10 minutes |
cf_clearance | Cloudflare | Bot-protection challenge passage | 30 days |
__cf_bm | Cloudflare | Bot-management heuristics on a per-request basis | 30 minutes |
__cflb | Cloudflare | Load-balancer affinity | Session |
vercel-cdn-cache-control | Vercel | Edge-cache control | Short-lived per request |
Legal basis: GDPR Art. 6(1)(b) (contractual necessity) and ePrivacy Directive Art. 5(3) "strictly necessary" exemption.
These cookies remember your preferences and convenience choices. They are not strictly necessary, but disabling them degrades the experience.
| Cookie / storage key | Source | Purpose | Duration |
|---|---|---|---|
theme | ShelfPic | Persists your dark / light theme preference | 365 days |
tutorial-dismissed-{key} | ShelfPic | Tracks which one-time onboarding hints you have dismissed | 365 days |
banner-dismissed-{key} | ShelfPic | Tracks which one-time banners you have closed | 90 days |
last-used-tool | ShelfPic | Remembers your most recently used tool for the homepage CTA | 90 days |
aspect-ratio-default | ShelfPic | Remembers your last-selected aspect ratio in generators | 30 days |
Legal basis: GDPR Art. 6(1)(f) (legitimate interest in providing a coherent experience), where allowed without consent. In jurisdictions where consent is required for functional cookies, we obtain consent.
These cookies help us understand how the Service is used so we can improve it. In the current implementation, analytics scripts and cookies are not loaded unless you accept non-essential cookies.
| Cookie / storage key | Source | Purpose | Duration |
|---|---|---|---|
_vercel_speed_insights_* | Vercel | Performance metrics (Core Web Vitals) | Session |
_vercel_analytics_* | Vercel | Aggregate page-view analytics | 90 days |
_ga, _ga_* | Google Analytics, if enabled | Analytics and conversion measurement | Up to 2 years |
_clck, _clsk | Microsoft Clarity, if enabled | Product analytics, session interaction measurement | Up to 1 year |
plausible_* or equivalent | Plausible, if enabled | Privacy-oriented aggregate analytics | Up to 1 year |
op_* or equivalent | OpenPanel, if enabled | Product analytics events | Up to 1 year |
utm_source | ShelfPic | Stores campaign source after consent for attribution | 30 days |
Analytics providers are configured as optional integrations. The exact cookies may vary by provider configuration and browser behavior.
Legal basis: GDPR Art. 6(1)(a) (consent) where required; Art. 6(1)(f) (legitimate interest) where consent is not required.
Advertising, affiliate, and marketing technologies are treated as non-essential in ShelfPic and are loaded only after you accept non-essential cookies. Depending on production configuration, these technologies may include Google AdSense, affiliate attribution providers such as Affonso or PromoteKit, and conversion measurement scripts. Some of these technologies may be considered advertising or "sharing" technologies under privacy laws.
When these technologies are enabled, we will:
Legal basis: GDPR Art. 6(1)(a) (consent), CCPA / CPRA opt-out under §1798.135.
A "third-party cookie" is a cookie set in your browser by a domain other than the one you are visiting. We use the following third-party services that may set cookies in your browser when you interact with ShelfPic:
When you reach the checkout flow, payment processors such as Creem, Stripe, or PayPal may set cookies on their own domains to maintain your checkout session, prevent fraud, process payment, support subscriptions, and store processor-side payment-method tokens. These cookies are governed by the relevant processor's privacy policy.
Vercel's edge network and analytics may set cookies for routing, caching, performance measurement, and (with consent) first-party analytics. These cookies are governed by Vercel's Privacy Policy.
When you access ShelfPic, Cloudflare sets cookies in the Strictly Necessary category to identify abusive bots, mitigate DDoS attacks, and ensure session continuity through their CDN. These cookies are governed by Cloudflare's Privacy Policy.
If you choose to sign in with Google, GitHub, or another OAuth provider we make available, that provider may set cookies on its own domain during the OAuth flow. These are not set by ShelfPic, but you may encounter them as part of the sign-in process. They are governed by the relevant provider's privacy policy.
After you accept non-essential cookies, configured providers such as Google Analytics, Microsoft Clarity, Plausible, OpenPanel, Google AdSense, Affonso, PromoteKit, Crisp, or Tawk may set cookies, local storage entries, or similar identifiers to measure usage, attribute referrals, provide support chat, prevent abuse, and measure conversions. These providers operate under their own privacy policies.
You have multiple ways to control cookies.
When you first visit ShelfPic, you will see a cookie consent banner unless you have already saved a choice. Through the banner, you can:
We currently provide an accept/reject choice rather than category-level controls. You can change your choice by clearing ShelfPic site data for shelfpic_cookie_consent and cookie-consent-v2, then revisiting the Site.
All major browsers allow you to manage cookies through their settings. You can:
Help articles for popular browsers:
If you disable Strictly Necessary cookies in your browser, the Service will not function:
You should only disable Strictly Necessary cookies if you intend not to use the Service.
If you disable Functional cookies, you will experience:
If you disable Analytics cookies:
Some browsers offer a "Do Not Track" (DNT) header that sites can read to detect a user's preference to opt out of tracking. The DNT specification has not been widely adopted as a binding standard, and there is no clear industry consensus on how to honor it.
ShelfPic does not currently honor DNT signals as a substitute for our consent banner. We disclose this transparently. If a regulatory framework in your jurisdiction makes DNT a binding opt-out signal in the future, we will update this Policy accordingly.
For California residents, Global Privacy Control (GPC) is a browser-level opt-out signal recognized by the California Attorney General under CPRA. ShelfPic recognizes GPC signals as an opt-out of "sale" and "sharing" under CCPA / CPRA. We do not sell personal information for money. If advertising, affiliate, or analytics technologies enabled on the Site are considered "sharing" for cross-context behavioral advertising, we will treat GPC as an opt-out signal for California Users.
If we send you an HTML email (transactional or marketing), it may contain a tracking pixel that tells us whether the email was opened and which links were clicked. We use this to:
To prevent email tracking pixels from loading:
You may also unsubscribe from marketing emails entirely via the unsubscribe link in every marketing email.
ShelfPic does not currently publish a native mobile application. If we publish one in the future, it will use:
We will update this Policy to reflect mobile-specific practices when relevant.
We may update this Cookie Policy from time to time. The current version is reflected in the effective_date and version fields in the document frontmatter at the top of this page.
For changes that materially expand the categories of cookies we set or the third parties to which we share cookie data, we will:
Non-material clarifications (formatting, typographical correction, third-party cookie expiry adjustments) may take effect upon posting. The version field is incremented for all changes.
For questions about this Cookie Policy or how to manage cookies:
This Cookie Policy is incorporated into the Privacy Policy. Together, they describe our use of cookies and personal information.