
How VEREID uses cookies and obtains consent.

Cookie & Consent Policy

Effective Date: May 20, 2026
Version: 1.0
Provider: VEREID, a product of AIARCO Pty Ltd, ABN [TBD: counsel review], NSW, Australia.
TCF compliance: IAB Europe Transparency & Consent Framework v2.2.
Scope domains: vereid.com, app.vereid.com, m.vereid.com, auth.vereid.com, dashboard.vereid.com, id.vereid.com, api.vereid.com (cookies emitted by error pages only).

1. Consent model by jurisdiction

  • EEA, UK, Switzerland, Brazil: Strict prior consent. Banner shows on first visit. Only Necessary cookies set before consent. Granular toggles for Functional, Analytics, Marketing.
  • California, Colorado, Connecticut, Virginia, Utah, Texas, Oregon (and other US states with comprehensive privacy laws): Opt-out banner with a "Do Not Sell or Share My Personal Information" link that respects the browser's Global Privacy Control (GPC) signal. We do not sell or share data for cross-context behavioural advertising; the link is provided as a precaution.
  • Australia: Notice with opt-out. No analytics or marketing cookies for users who opt out.
  • Other jurisdictions: Notice + manage-cookies link in footer.
  • The banner records each decision in the immutable consent_events table: timestamp, truncated IP, banner version hash, locale, and the TCF v2.2 consent string.
  • Consent is re-prompted on material change to cookie categories or sub-processors, and at least every 12 months.
  • The "Reject all" path is as easy as "Accept all" — one click. This is a hard product rule.

2. Categories (TCF-aligned)

2.1 Strictly Necessary

Required to run the Service; cannot be disabled. Lawful basis: legitimate interest / contract performance.

2.2 Functional

Remember preferences (language, theme, "remember this device"). Off by default in EEA/UK; on with explicit consent.

2.3 Analytics

Pseudonymous usage analytics. Off by default in EEA/UK/California. PostHog is the only analytics vendor; we use IP truncation and disable session replay on any page that may render PII.

2.4 Marketing

Off by default everywhere. We do not currently set marketing cookies. If we add them, this policy and the banner will be updated 30 days before they go live and consent will be re-prompted.

3. Cookie inventory

The lists below are deliberately exhaustive. If a cookie or local-storage key not listed here appears on a VEREID surface, that is a bug — report to privacy@vereid.com.

3.1 vereid.com (marketing site)

Name | Category | Purpose | Provider | Expiry
__cf_bm | Necessary | Cloudflare bot management | Cloudflare | 30 min
cf_clearance | Necessary | Cloudflare challenge result | Cloudflare | 1 year
vereid_consent | Necessary | Stores the user's consent decisions (TCF string + extended preferences) | VEREID | 6 months
vereid_locale | Functional | Selected language | VEREID | 12 months
vereid_theme | Functional | Light / dark / system theme | VEREID | 12 months
ph_*_phc_* | Analytics | PostHog distinct id + flags (EU/US region per subject) | PostHog | 12 months
ph_*_window_id | Analytics | PostHog session window | PostHog | 30 min

3.2 app.vereid.com / m.vereid.com (Social end-user app)

Name | Category | Purpose | Provider | Expiry
vereid_session | Necessary | Authenticated session (HttpOnly, Secure, SameSite=Lax) | VEREID | Session / 24h sliding
vereid_refresh | Necessary | Refresh token reference (HttpOnly, Secure, SameSite=Strict) | VEREID | 14 days
vereid_csrf | Necessary | CSRF protection | VEREID | Session
vereid_device | Necessary | Device fingerprint hash for ATO defence | VEREID | 12 months
vereid_consent | Necessary | Consent decisions | VEREID | 6 months
vereid_locale | Functional | Selected language | VEREID | 12 months
vereid_theme | Functional | Theme | VEREID | 12 months
vereid_feed_order | Functional | Last chosen feed sort | VEREID | 90 days
ph_*_phc_* | Analytics | PostHog | PostHog | 12 months
sentry-trace | Analytics | Error-trace correlation (no PII) | Sentry | Request-scoped

3.3 auth.vereid.com / dashboard.vereid.com (Auth product)

Name | Category | Purpose | Provider | Expiry
vereid_auth_session | Necessary | Hosted-login session | VEREID | Session / 24h
vereid_auth_refresh | Necessary | Refresh token reference | VEREID | 14 days
vereid_auth_csrf | Necessary | CSRF | VEREID | Session
vereid_auth_state | Necessary | OIDC state parameter | VEREID | 10 min
vereid_auth_nonce | Necessary | OIDC nonce parameter | VEREID | 10 min
vereid_tenant_brand | Functional | Tenant brand cache (logo URL, colours) | VEREID | 1 day
vereid_consent | Necessary | Consent (where end-user is in scope) | VEREID | 6 months
__cf_bm | Necessary | Cloudflare | Cloudflare | 30 min
ph_*_phc_* (dashboard only, Customer staff) | Analytics | PostHog | PostHog | 12 months

No analytics cookies are set on the hosted-login surface for end-users — that surface is for the Customer's end-users, not ours.

3.4 id.vereid.com (Identity product — landing + Customer-branded verification UI)

Name | Category | Purpose | Provider | Expiry
vereid_id_session | Necessary | Verification job session token | VEREID | 1 hour
vereid_id_state | Necessary | Anti-CSRF state for the verification flow | VEREID | 1 hour
vereid_id_tenant | Necessary | Which Customer tenant initiated this verification | VEREID | 1 hour
vereid_id_consent | Necessary | Biometric + processing consent (per BIOMETRIC_RETENTION_POLICY.md) | VEREID | 1 hour (re-prompted each verification)
__cf_bm | Necessary | Cloudflare | Cloudflare | 30 min

No analytics or marketing cookies on id.vereid.com — verifications are too sensitive for telemetry.


4. Local storage / session storage / IndexedDB

Key | Category | Domain | Purpose
vereid:feature_flags | Functional | app.vereid.com | Cached flag set, 5 min TTL
vereid:onboarding_step | Functional | app.vereid.com | Resume signup mid-flow
vereid:queued_actions | Functional | app.vereid.com | Offline outbox for posts
vereid:auth:pkce_verifier | Necessary | auth.vereid.com | PKCE flow
vereid:id:livecam_buffer | Necessary | id.vereid.com | Liveness frame buffer; cleared on submit/abort

5. Device fingerprinting

For fraud and ATO defence we compute a server-side device fingerprint (UA + accept-language + canvas hash + audio hash + WebGL hash). Fingerprints are hashed at the edge and stored as device_id_hash. They are not used for cross-site tracking; they are tied to your authenticated user_id only.


6. Third-party cookies

We do not set third-party advertising cookies. The only third-party cookies we set are:

  • Cloudflare (__cf_bm, cf_clearance) — security.
  • PostHog (ph_*) — analytics, EU region for EEA/UK.

We do not embed Google Analytics, Meta Pixel, TikTok Pixel, Hotjar, Twitter / X Pixel, LinkedIn Insight Tag, or Mixpanel anywhere.

7. Consent record

{
  "event_id": "uuid",
  "subject_id_hash": "hex",
  "domain": "app.vereid.com",
  "banner_version": "1.0.0",
  "banner_version_hash": "sha256:...",
  "tcf_v22_consent_string": "CQ...",
  "categories": {
    "necessary": true,
    "functional": false,
    "analytics": false,
    "marketing": false
  },
  "occurred_at": "2026-05-20T05:00:00Z",
  "ip_truncated": "203.0.113.0/24",
  "user_agent_hash": "sha256:...",
  "gpc_signal_received": false,
  "locale": "en-AU"
}

This row is append-only and is retained for the lifetime of the account + 7 years (legal-defence).

8. Withdrawing consent

  • In-product: footer link "Cookie preferences" on every page.
  • Via privacy@vereid.com.
  • Via browser: deleting our cookies and visiting again will re-show the banner.
  • Withdrawal is honoured within the session and replicated to our server immediately.

9. Children

We do not knowingly collect children's data; the banner does not differentiate by age but the underlying products require age ≥ 16 (see PRIVACY_POLICY.md §10).


10. Banner UX rules (binding on engineering and design)

These are product hard-rules and a counsel-review tripwire. They are restated here so any future redesign must address them explicitly.

  1. Symmetry. "Reject all" and "Accept all" buttons are identically sized, identically coloured, and identically positioned. No dark patterns. No pre-ticked toggles.
  2. No nag re-prompt. A user who clicks "Reject all" is not re-prompted for 12 months unless cookie categories change materially.
  3. No cookie wall. Refusing analytics or marketing does not block content; the only cookies that may be set pre-consent are Strictly Necessary.
  4. Single-purpose toggles. Each category toggle controls only that category — toggling Analytics does not also toggle Marketing.
  5. Per-purpose granularity for any future advertising/measurement vendors will follow TCF v2.2 purpose codes 1–11.
  6. GPC honour. A browser sending Sec-GPC: 1 is treated as having declined Analytics and Marketing. The banner still shows once (so the user has a record) but the toggles are pre-set off and disabled with an explanatory tooltip.
  7. DNT — Do-Not-Track is also honoured (treated as GPC) for legacy clients.
  8. Locale. The banner and policy are rendered in the user's accept-language; we ship en, es, fr, de, pt-BR, ja, zh-CN, zh-TW, ar, hi at v1.
  9. Accessibility. WCAG 2.2 AA. Keyboard reachable; aria-labelled; focus trap on the banner is allowed but Escape dismisses to "Reject all".
  10. Server enforcement. The cookie set is determined server-side by the consent string — front-end cannot smuggle in a cookie that the server has not allowed.
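
How rule 10's server-side enforcement can combine with the GPC/DNT handling of rules 6 and 7 and the consent row of section 7, as an added example that is not VEREID's code: the inventory subset, the consent row and the header names passed in are constructed here for illustration.

```python
# Added example, not VEREID code: server-side consent enforcement (rules 6, 7, 10).
# The inventory subset and consent row below are constructed from sections 3 and 7.
import fnmatch

# Constructed subset of the section 3 inventory: domain -> {cookie pattern: category}.
INVENTORY = {
    "app.vereid.com": {
        "vereid_session": "necessary",
        "vereid_csrf": "necessary",
        "vereid_locale": "functional",
        "ph_*_phc_*": "analytics",
    },
}

# Constructed consent row in the section 7 shape (other fields omitted).
CONSENT_ROW = {
    "domain": "app.vereid.com",
    "categories": {"necessary": True, "functional": True,
                   "analytics": True, "marketing": False},
}


def effective_categories(row, headers):
    """Stored grants merged with browser signals: Sec-GPC: 1 (and DNT: 1,
    treated as GPC per rule 7) force Analytics and Marketing off even if the
    stored row granted them; Necessary is always on. Header names are assumed
    to arrive already normalised to this spelling."""
    cats = {k: bool(v) for k, v in row["categories"].items()}
    cats["necessary"] = True
    if headers.get("Sec-GPC") == "1" or headers.get("DNT") == "1":
        cats["analytics"] = False
        cats["marketing"] = False
    return cats


def category_of(domain, name):
    """Inventory lookup; wildcard entries such as ph_*_phc_* use fnmatch.
    Returns None for a cookie that is not in the inventory at all."""
    for pattern, category in INVENTORY.get(domain, {}).items():
        if fnmatch.fnmatchcase(name, pattern):
            return category
    return None


def filter_set_cookies(domain, requested, cats):
    """Split the cookies the app asked to set into (allowed, blocked).
    Unlisted cookies are blocked: section 3 says their appearance is a bug."""
    allowed, blocked = [], []
    for name in requested:
        category = category_of(domain, name)
        (allowed if category and cats.get(category) else blocked).append(name)
    return allowed, blocked
```

With the constructed row granting Analytics but the browser sending Sec-GPC: 1, the PostHog cookie and an unlisted cookie are both blocked while the Necessary and Functional ones go through.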

11. Vendor disclosures (TCF v2.2 Article 28 transparency)

For each non-Necessary vendor we list, in this policy and in the banner's second layer:

  • Vendor legal name.
  • Purpose(s) per TCF v2.2 purpose codes.
  • Legal basis claimed.
  • Data categories collected.
  • Retention.
  • Link to vendor privacy policy and to TCF entry.

At v1 only PostHog is in scope. We do not publish a Global Vendor List entry until/unless we onboard adtech vendors.

12. Change history

Date | Version | Change | Approver
2026-05-20 | 1.0 | Initial publication | DPO

[TBD: counsel review — final review of TCF v2.2 vendor list disclosures; review of GPC honour; review for compliance with Quebec Law 25; final list of approved third-party cookies.]