Cookie & Consent Policy
Effective Date: May 20, 2026
Version: 1.0
Provider: VEREID, a product of AIARCO Pty Ltd, ABN [TBD: counsel review], NSW, Australia.
TCF compliance: IAB Europe Transparency & Consent Framework v2.2.
Scope domains: vereid.com, app.vereid.com, m.vereid.com, auth.vereid.com, dashboard.vereid.com, id.vereid.com, api.vereid.com (cookies emitted by error pages only).
1. How consent works
- EEA, UK, Switzerland, Brazil: Strict prior consent. Banner shows on first visit. Only Necessary cookies set before consent. Granular toggles for Functional, Analytics, Marketing.
- California, Colorado, Connecticut, Virginia, Utah, Texas, Oregon (and other US states with comprehensive privacy laws): Opt-out banner with a "Do Not Sell or Share My Personal Information" link, honouring the browser's Global Privacy Control (GPC) signal. We do not sell or share personal information for cross-context behavioural advertising; the link is provided out of caution.
- Australia: Notice with opt-out. No analytics or marketing cookies for users who opt out.
- Other jurisdictions: Notice + manage-cookies link in footer.
- The banner records consent into the immutable, append-only consent_events table: timestamp, truncated IP, banner version hash, locale, and the TCF v2.2 consent string.
- Consent is re-prompted on material change to cookie categories or sub-processors, and at least every 12 months.
- The "Reject all" path is as easy as "Accept all" — one click. This is a hard product rule.
2. Categories (TCF-aligned)
2.1 Strictly Necessary
Required to run the Service; cannot be disabled. Lawful basis: legitimate interest / contract performance.
2.2 Functional
Remember preferences (language, theme, "remember this device"). Off by default in EEA/UK; on with explicit consent.
2.3 Analytics
Pseudonymous usage analytics. Off by default in EEA/UK/California. PostHog is the only analytics vendor; we use IP truncation and disable session replay on any page that may render PII.
2.4 Marketing
Off by default everywhere. We do not currently set marketing cookies. If we add them, this policy and the banner will be updated 30 days before they go live and consent will be re-prompted.
3. Cookie tables per domain
The lists below are deliberately exhaustive. If a cookie or local-storage key not listed here appears on a VEREID surface, that is a bug — report to privacy@vereid.com.
3.1 vereid.com (marketing site)
| Name | Category | Purpose | Provider | Expiry |
|---|---|---|---|---|
| __cf_bm | Necessary | Cloudflare bot management | Cloudflare | 30 min |
| cf_clearance | Necessary | Cloudflare challenge result | Cloudflare | 1 year |
| vereid_consent | Necessary | Stores the user's consent decisions (TCF string + extended preferences) | VEREID | 6 months |
| vereid_locale | Functional | Selected language | VEREID | 12 months |
| vereid_theme | Functional | Light / dark / system theme | VEREID | 12 months |
| ph_*_phc_* | Analytics | PostHog distinct id + flags (EU/US region per subject) | PostHog | 12 months |
| ph_*_window_id | Analytics | PostHog session window | PostHog | 30 min |
3.2 app.vereid.com / m.vereid.com (Social end-user app)
| Name | Category | Purpose | Provider | Expiry |
|---|---|---|---|---|
| vereid_session | Necessary | Authenticated session (HttpOnly, Secure, SameSite=Lax) | VEREID | Session / 24h sliding |
| vereid_refresh | Necessary | Refresh token reference (HttpOnly, Secure, SameSite=Strict) | VEREID | 14 days |
| vereid_csrf | Necessary | CSRF protection | VEREID | Session |
| vereid_device | Necessary | Device fingerprint hash for ATO defence | VEREID | 12 months |
| vereid_consent | Necessary | Consent decisions | VEREID | 6 months |
| vereid_locale | Functional | Selected language | VEREID | 12 months |
| vereid_theme | Functional | Theme | VEREID | 12 months |
| vereid_feed_order | Functional | Last chosen feed sort | VEREID | 90 days |
| ph_*_phc_* | Analytics | PostHog | PostHog | 12 months |
| sentry-trace | Analytics | Error-trace correlation (no PII) | Sentry | Request-scoped |
3.3 auth.vereid.com / dashboard.vereid.com (Auth product)
| Name | Category | Purpose | Provider | Expiry |
|---|---|---|---|---|
| vereid_auth_session | Necessary | Hosted-login session | VEREID | Session / 24h |
| vereid_auth_refresh | Necessary | Refresh token reference | VEREID | 14 days |
| vereid_auth_csrf | Necessary | CSRF | VEREID | Session |
| vereid_auth_state | Necessary | OIDC state parameter | VEREID | 10 min |
| vereid_auth_nonce | Necessary | OIDC nonce parameter | VEREID | 10 min |
| vereid_tenant_brand | Functional | Tenant brand cache (logo URL, colours) | VEREID | 1 day |
| vereid_consent | Necessary | Consent (where end-user is in scope) | VEREID | 6 months |
| __cf_bm | Necessary | Cloudflare | Cloudflare | 30 min |
| ph_*_phc_* (dashboard only, Customer staff) | Analytics | PostHog | PostHog | 12 months |
No analytics cookies are set on the hosted-login surface for end-users — that surface is for the Customer's end-users, not ours.
3.4 id.vereid.com (Identity product — landing + Customer-branded verification UI)
| Name | Category | Purpose | Provider | Expiry |
|---|---|---|---|---|
| vereid_id_session | Necessary | Verification job session token | VEREID | 1 hour |
| vereid_id_state | Necessary | Anti-CSRF state for the verification flow | VEREID | 1 hour |
| vereid_id_tenant | Necessary | Which Customer tenant initiated this verification | VEREID | 1 hour |
| vereid_id_consent | Necessary | Biometric + processing consent (per BIOMETRIC_RETENTION_POLICY.md) | VEREID | 1 hour (re-prompted each verification) |
| __cf_bm | Necessary | Cloudflare | Cloudflare | 30 min |
No analytics or marketing cookies on id.vereid.com: verifications are too sensitive for telemetry.
4. Local storage / session storage / IndexedDB
| Key | Category | Domain | Purpose |
|---|---|---|---|
| vereid:feature_flags | Functional | app.vereid.com | Cached flag set, 5 min TTL |
| vereid:onboarding_step | Functional | app.vereid.com | Resume signup mid-flow |
| vereid:queued_actions | Functional | app.vereid.com | Offline outbox for posts |
| vereid:auth:pkce_verifier | Necessary | auth.vereid.com | PKCE flow |
| vereid:id:livecam_buffer | Necessary | id.vereid.com | Liveness frame buffer; cleared on submit/abort |
5. Server-side fingerprints (non-cookie)
For fraud and ATO defence we compute a server-side device fingerprint (UA + accept-language + canvas hash + audio hash + WebGL hash). Fingerprints are hashed at the edge and stored as device_id_hash. They are not used for cross-site tracking; they are tied to your authenticated user_id only.
6. Third-party cookies
We do not set third-party advertising cookies. The only third-party cookies we set are:
- Cloudflare (__cf_bm, cf_clearance): security.
- PostHog (ph_*): analytics, EU region for EEA/UK.
We do not embed Google Analytics, Meta Pixel, TikTok Pixel, Hotjar, Twitter / X Pixel, LinkedIn Insight Tag, or Mixpanel anywhere.
7. Consent record format (in consent_events)
```json
{
  "event_id": "uuid",
  "subject_id_hash": "hex",
  "domain": "app.vereid.com",
  "banner_version": "1.0.0",
  "banner_version_hash": "sha256:...",
  "tcf_v22_consent_string": "CQ...",
  "categories": {
    "necessary": true,
    "functional": false,
    "analytics": false,
    "marketing": false
  },
  "occurred_at": "2026-05-20T05:00:00Z",
  "ip_truncated": "203.0.113.0/24",
  "user_agent_hash": "sha256:...",
  "gpc_signal_received": false,
  "locale": "en-AU"
}
```
This row is append-only and is retained for the lifetime of the account + 7 years (legal-defence).
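The record above depends on a few transforms that are easy to get subtly wrong: zeroing the host bits of the IP, hashing the subject id and user agent so the row cannot be joined back to a person, and hashing the served banner so the record proves what the user actually saw. The following is an added example (not VEREID's code) of building one row with those invariants enforced. The /24 IPv4 prefix matches the sample record; the /48 IPv6 prefix, the keyed (HMAC) hashing with a server-held key, and using the banner bundle bytes as the hash input are assumptions made for this example.

```python
"""Build one consent_events row (section 7 layout) with the privacy-preserving
transforms applied server-side.

Added example, not VEREID's code. Assumptions: /48 truncation for IPv6, keyed
hashing of subject id and user agent, banner bundle bytes as the hash input.
"""
import hashlib
import hmac
import ipaddress
import json
import uuid
from datetime import datetime, timezone
from typing import Dict, Optional

# Assumption: hashes are keyed so a stored row cannot be joined back to a raw
# user id or UA string by anyone who only holds the table.
HASH_KEY = b"example-only-key-rotate-in-production"

CATEGORY_KEYS = ("necessary", "functional", "analytics", "marketing")


def truncate_ip(ip: str) -> str:
    """Zero the host bits: /24 for IPv4 (as in the sample record), /48 for IPv6 (assumption)."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def keyed_hash(value: str) -> str:
    """HMAC-SHA256 hex digest under the server-held key."""
    return hmac.new(HASH_KEY, value.encode("utf-8"), hashlib.sha256).hexdigest()


def banner_version_hash(banner_bundle: bytes) -> str:
    """Content hash of the served banner, so the row proves what the user saw."""
    return "sha256:" + hashlib.sha256(banner_bundle).hexdigest()


def build_consent_event(
    *,
    domain: str,
    subject_id: str,
    banner_version: str,
    banner_bundle: bytes,
    tcf_string: str,
    categories: Dict[str, bool],
    client_ip: str,
    user_agent: str,
    gpc_signal: bool,
    locale: str,
    now: Optional[datetime] = None,
) -> Dict[str, object]:
    """Normalise the submitted choices and emit one append-only row.

    Invariants from sections 2 and 10: Necessary is always true, and a GPC
    signal forces Analytics and Marketing off regardless of what the UI sent.
    """
    cats = {k: bool(categories.get(k, False)) for k in CATEGORY_KEYS}
    cats["necessary"] = True
    if gpc_signal:
        cats["analytics"] = False
        cats["marketing"] = False
    when = (now or datetime.now(timezone.utc)).astimezone(timezone.utc)
    return {
        "event_id": str(uuid.uuid4()),
        "subject_id_hash": keyed_hash(subject_id),
        "domain": domain,
        "banner_version": banner_version,
        "banner_version_hash": banner_version_hash(banner_bundle),
        "tcf_v22_consent_string": tcf_string,
        "categories": cats,
        "occurred_at": when.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "ip_truncated": truncate_ip(client_ip),
        "user_agent_hash": "sha256:" + keyed_hash(user_agent),
        "gpc_signal_received": gpc_signal,
        "locale": locale,
    }


def demo() -> Dict[str, object]:
    """Constructed input: a GPC-enabled browser whose UI still submitted analytics=true."""
    return build_consent_event(
        domain="app.vereid.com",
        subject_id="user_12345",  # constructed
        banner_bundle=b"<div id=cookie-banner>...</div>",  # constructed stand-in for the served banner
        banner_version="1.0.0",
        tcf_string="CQ...",  # placeholder, as in the sample record
        categories={"functional": True, "analytics": True, "marketing": False},
        client_ip="203.0.113.57",
        user_agent="Mozilla/5.0 (constructed)",
        gpc_signal=True,
        locale="en-AU",
        now=datetime(2026, 5, 20, 5, 0, tzinfo=timezone.utc),
    )


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of normalising inside the builder rather than trusting the banner payload is that the row is the legal-defence record: if a GPC browser's UI ever posted analytics=true, the stored row must still say false.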
8. Withdrawing consent
- In-product: footer link "Cookie preferences" on every page.
- Via privacy@vereid.com.
- Via browser: deleting our cookies and visiting again will re-show the banner.
- Withdrawal takes effect immediately in the current session and is recorded server-side at once.
9. Children
We do not knowingly collect children's data; the banner does not differentiate by age but the underlying products require age ≥ 16 (see PRIVACY_POLICY.md §10).
10. Banner UX rules (binding on engineering and design)
These are product hard-rules and a counsel-review tripwire. They are restated here so any future redesign must address them explicitly.
- Symmetry. "Reject all" and "Accept all" buttons are identically sized, identically coloured, and identically positioned. No dark patterns. No pre-ticked toggles.
- No nag re-prompt. A user who clicks "Reject all" is not re-prompted for 12 months unless cookie categories change materially.
- No cookie wall. Refusing analytics or marketing does not block content; the only cookies that may be set pre-consent are Strictly Necessary.
- Single-purpose toggles. Each category toggle controls only that category — toggling Analytics does not also toggle Marketing.
- Per-purpose granularity for any future advertising/measurement vendors will follow TCF v2.2 purpose codes 1–11.
- GPC honour. A browser sending Sec-GPC: 1 is treated as having declined Analytics and Marketing. The banner still shows once (so the user has a record) but the toggles are pre-set off and disabled with an explanatory tooltip.
- DNT. Do-Not-Track is also honoured (treated as GPC) for legacy clients.
- Locale. The banner and policy are rendered in the user's accept-language; we ship en, es, fr, de, pt-BR, ja, zh-CN, zh-TW, ar, hi at v1.
- Accessibility. WCAG 2.2 AA. Keyboard reachable; aria-labelled; focus trap on the banner is allowed but Escape dismisses to "Reject all".
- Server enforcement. The cookie set is determined server-side by the consent string — front-end cannot smuggle in a cookie that the server has not allowed.
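The GPC/DNT and server-enforcement rules above only hold if the check sits in the response path, where every Set-Cookie header is compared against the published table before it leaves the server. The following is an added example (not VEREID's code) of that check: the registry is a constructed subset of the section 3 tables, and the JSON body of the vereid_consent cookie (a "categories" object matching the section 7 record) and the cookie names in the sample response are assumptions.

```python
"""Consent-gated Set-Cookie filter: Necessary always, other categories only
with a recorded opt-in, Sec-GPC: 1 or DNT: 1 forcing Analytics/Marketing off,
and anything not in the per-domain registry dropped as a bug.

Added example, not VEREID's code. The registry is a constructed subset of the
section 3 tables; the vereid_consent JSON layout is an assumption.
"""
import fnmatch
import json
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed from sections 3.2 and 3.4; globs mirror the table notation.
COOKIE_REGISTRY: Dict[str, Dict[str, str]] = {
    "app.vereid.com": {
        "vereid_session": "necessary",
        "vereid_refresh": "necessary",
        "vereid_csrf": "necessary",
        "vereid_device": "necessary",
        "vereid_consent": "necessary",
        "vereid_locale": "functional",
        "vereid_theme": "functional",
        "vereid_feed_order": "functional",
        "ph_*_phc_*": "analytics",
        "sentry-trace": "analytics",
    },
    "id.vereid.com": {
        "vereid_id_session": "necessary",
        "vereid_id_state": "necessary",
        "vereid_id_tenant": "necessary",
        "vereid_id_consent": "necessary",
        "__cf_bm": "necessary",
    },
}

OPT_IN_CATEGORIES = ("functional", "analytics", "marketing")


def effective_categories(consent_cookie: Optional[str], request_headers: Dict[str, str]) -> Set[str]:
    """Categories that may be set on this response.

    No consent cookie, or a malformed one, means only Necessary. A GPC or DNT
    signal removes Analytics and Marketing even if the stored consent allowed them.
    """
    allowed = {"necessary"}
    if consent_cookie:
        try:
            cats = json.loads(consent_cookie).get("categories", {})
        except (ValueError, AttributeError):
            cats = {}  # malformed cookie: treat as no consent recorded
        allowed |= {c for c in OPT_IN_CATEGORIES if cats.get(c) is True}
    hdrs = {k.lower(): v.strip() for k, v in request_headers.items()}
    if hdrs.get("sec-gpc") == "1" or hdrs.get("dnt") == "1":
        allowed -= {"analytics", "marketing"}
    return allowed


def cookie_category(domain: str, name: str) -> Optional[str]:
    """Look the cookie up in the published table; None means it is not listed."""
    for pattern, category in COOKIE_REGISTRY.get(domain, {}).items():
        if fnmatch.fnmatchcase(name, pattern):
            return category
    return None


def filter_set_cookie(domain: str, set_cookie_headers: Iterable[str], allowed: Set[str]) -> Tuple[List[str], List[str]]:
    """Split outgoing Set-Cookie headers into (kept, dropped).

    Dropped headers are either a non-consented category or an unlisted cookie;
    the latter is the section 3 "that is a bug" case and belongs in an alert.
    """
    kept: List[str] = []
    dropped: List[str] = []
    for header in set_cookie_headers:
        name = header.split("=", 1)[0].strip()
        category = cookie_category(domain, name)
        (kept if category in allowed else dropped).append(header)
    return kept, dropped


# Constructed response: one Necessary, one Functional, one Analytics cookie and
# one cookie that appears in no table and must never reach the client.
SAMPLE_SET_COOKIE = [
    "vereid_session=s3ss10n; Path=/; HttpOnly; Secure; SameSite=Lax",
    "vereid_theme=dark; Path=/; Max-Age=31536000",
    "ph_eu_phc_k1_posthog=dist1nct; Path=/; Max-Age=31536000",
    "tracker_pixel=1; Path=/",
]


def demo(consent_cookie: Optional[str], request_headers: Dict[str, str]) -> Tuple[List[str], List[str]]:
    allowed = effective_categories(consent_cookie, request_headers)
    return filter_set_cookie("app.vereid.com", SAMPLE_SET_COOKIE, allowed)


if __name__ == "__main__":
    consent = '{"categories":{"necessary":true,"functional":true,"analytics":true,"marketing":false}}'
    kept, dropped = demo(consent, {"Sec-GPC": "1"})
    print("kept:", [h.split("=", 1)[0] for h in kept])
    print("dropped:", [h.split("=", 1)[0] for h in dropped])
```

Placing this in response middleware rather than in the front end is what makes the "front-end cannot smuggle in a cookie" rule enforceable; the dropped list doubles as the detection signal for the unlisted-cookie case.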
11. Vendor disclosures (TCF v2.2 Article 28 transparency)
For each non-Necessary vendor we list, in the policy and in the banner second-layer:
- Vendor legal name.
- Purpose(s) per TCF v2.2 purpose codes.
- Legal basis claimed.
- Data categories collected.
- Retention.
- Link to vendor privacy policy and to TCF entry.
At v1 only PostHog is in scope. We do not publish a Global Vendor List entry until/unless we onboard adtech vendors.
12. Change history
| Date | Version | Change | Approver |
|---|---|---|---|
| 2026-05-20 | 1.0 | Initial publication | DPO |
[TBD: counsel review — final review of TCF v2.2 vendor list disclosures; review of GPC honour; review for compliance with Quebec Law 25; final list of approved third-party cookies.]
