Legal · Cookies & tracking

Cookies Policy

Last updated 2026-05-18 · PayStream BV · KvK 76406954 · applies to the marketing site and the embedded admin UI

Summary

We do not use cookies for analytics, advertising, retargeting, or behavioural tracking. StoreBack's embedded admin UI sets no cookies of its own. The marketing site loads no third-party scripts. The only cookies that may touch your browser are essential — required for security or delivery — and they are described in full below.

What a cookie is

A cookie is a small text file stored by your browser on behalf of a website. Cookies can persist across browser sessions (persistent) or be cleared when you close the tab (session). Similar technologies — localStorage, sessionStorage, and the Shopify session-token JWT used by App Bridge — are also covered by this policy where they play an equivalent role.

Cookies on the embedded admin UI (inside Shopify admin)

The StoreBack admin UI runs inside your Shopify admin via Shopify's App Bridge. Authentication uses a short-lived session-token JWT (~1 minute lifetime) that App Bridge mints in the browser and our backend verifies on each request. No cookie of ours is set; no cookie of ours is read.

Cookies that Shopify itself may set in the surrounding admin frame are governed by Shopify's own cookie policy and are outside StoreBack's control.

Cookies on the marketing site (storeback.app)

The marketing site is statically served. It loads no analytics SDK, no advertising pixel, no error tracker, and no third-party widget. The only cookies it may emit are technical, first-party cookies set by our CDN at the edge:

Cookie Set by Purpose Duration
__cf_bm Cloudflare Bot-management; distinguishes humans from automated requests at the CDN edge. 30 minutes
cf_clearance Cloudflare Set only after passing an interactive challenge (rare). Records that the browser cleared a security check, so the user is not re-challenged on every navigation. Up to 30 days

These cookies are classified as strictly necessary under the EU ePrivacy Directive (Article 5(3) exemption for cookies indispensable to provide a service explicitly requested by the user — here, a working website protected against automated abuse). They are not used to track you across sites.

Cookies on the operator backoffice

The operator backoffice — used by the Storeback team, not by merchants — is gated by Pomerium SSO. Pomerium sets one essential session cookie for the duration of the operator's session. Merchants never see this surface; the cookie is mentioned here for completeness.

What we explicitly do not do

  • No Google Analytics, no Plausible, no Fathom, no Matomo, no first-party analytics either.
  • No advertising pixels (Meta, Google Ads, LinkedIn Insight, TikTok, X).
  • No retargeting or behavioural tracking — we have no use for it, and we sell no data.
  • No error trackers (Sentry, Bugsnag, Rollbar) on the marketing site or in the embedded shell. Backend logs include shop domain + operation id only — they are server-side and do not require a cookie.
  • No consent-management platform — because there is no opt-in cookie category to consent to.
  • No third-party fonts that set cookies. Marketing site fonts are loaded from Google Fonts' cookieless CDN (fonts.googleapis.com / fonts.gstatic.com).

How to control or remove cookies

Because we set no analytics or advertising cookies, there is no "Reject all" button to provide. If you want to remove the Cloudflare technical cookies described above, use your browser's standard controls:

Blocking __cf_bm or cf_clearance may, in rare cases, cause Cloudflare to present a challenge page before serving the site.

Changes to this policy

We will update this page if our cookie posture changes. The "Last updated" date at the top reflects the most recent version. There is no scheduled review cadence beyond change-driven updates.

Contact

Questions about cookies, tracking, or any of the claims on this page — write to support@storeback.app. See also the Privacy Notice and the Terms & Conditions.