Cookie Policy

Effective date: April 28, 2026

This Cookie Policy explains how Doclator ("we", "us", "our") uses cookies and similar storage technologies on doclator.com and related domains. It should be read together with our Privacy Policy.

By continuing to use the Service, you consent to the use of cookies and storage technologies as described below. You can withdraw consent at any time by clearing your browser storage or by using the controls described in Section 6.

1. What Are Cookies and Similar Technologies?

Cookies are small text files placed on your device by a website. They help the website remember information about your visit, such as your preferred language and login state, so subsequent visits are faster and more useful.

Local storage and session storage are similar mechanisms built into modern browsers that allow a website to store small amounts of data on your device. Doclator uses local storage instead of cookies to hold authentication tokens, because it provides better cross-origin behavior for our API.

We refer to all of these technologies collectively as "cookies" throughout this policy unless we need to be specific.

2. Why We Use Cookies

We use cookies and similar storage to:

Keep you signed in across pages and tabs (essential).
Remember your theme and language preferences (functional).
Detect and prevent abuse, fraud, and automated bots (security).
Measure aggregate site performance and feature usage (analytics).
Diagnose and report errors so we can fix them (performance monitoring).

We do not use cookies for advertising, retargeting, or building marketing profiles. We do not sell or share cookie-derived data with advertising networks.

3. Categories of Cookies We Use

3.1 Strictly Necessary

Required for the Service to function. They cannot be disabled without breaking core functionality.

Name	Purpose	Storage	Duration
access_token	JWT used to authenticate API calls	Local storage	Up to 7 days
refresh_token	Opaque token to silently rotate the access token	Local storage	Up to 30 days
realtime_token	Short-lived JWT for live job-progress channel	Local storage	Up to 1 hour

3.2 Functional

Remember your preferences so the Service feels personalized.

Name	Purpose	Storage	Duration
theme	Light, dark, or system theme preference	Local storage	Persistent until cleared
NEXT_LOCALE	Selected interface language	Cookie	1 year

3.3 Security and Anti-Abuse

Used to detect bots, enforce rate limits, and protect against fraud.

Source	Purpose	Duration
Vercel	DDoS protection and request routing	Session
Upstash Redis	Rate-limit identifiers (server-side, not stored in your browser)	Up to 24 hours

3.4 Analytics

Help us understand how the Service is used in aggregate.

Provider	Purpose	Duration
Vercel Analytics	Page views, top pages, traffic sources (privacy-friendly, no fingerprinting)	24 hours per visitor

3.5 Performance Monitoring

Capture errors so we can debug and fix them quickly.

Provider	Purpose	Duration
Sentry	Crash reports, stack traces, slow-transaction tracing	90 days

4. Third-Party Cookies

Some pages of the Service include third-party features that may set their own cookies:

Stripe / Lemon Squeezy / Paddle checkout pages — handle the secure payment flow. Each provider sets cookies under its own domain, governed by its own privacy and cookie policies.
Google / Microsoft OAuth — when you sign in with Google or Microsoft, or connect Google Drive / OneDrive, the provider may set authentication cookies on its own domain.
Supabase Realtime — uses a WebSocket connection that may set a cookie for routing; no personal data is stored in this cookie.

We have no control over third-party cookies. Please consult each provider's policy: Stripe, Lemon Squeezy, Paddle, Google, Microsoft.

5. Local Storage Note

Authentication tokens (access_token, refresh_token, realtime_token) are stored in your browser's local storage rather than HTTP-only cookies. This is a deliberate trade-off to support cross-origin API access without CSRF tokens. We mitigate the corresponding XSS risk through a strict Content Security Policy, automatic React output escaping, and short-lived tokens that rotate on every login.

6. How to Manage Cookies and Storage

You can control cookies and local storage in several ways:

Browser settings: most browsers let you view, block, or delete cookies and clear site data. Look for "Privacy", "Site settings", or "Clear browsing data".
Sign out: signing out of Doclator removes your authentication tokens from local storage.
Clear site data: clearing site data for doclator.com removes all our cookies and local storage entries.
Do Not Track: we honor browser-level Global Privacy Control (GPC) signals where applicable. Because we do not run advertising trackers, the impact of GPC is limited.
Opt out of analytics: Vercel Analytics is privacy-friendly by design and does not require an opt-out cookie. If you wish to opt out completely, install a browser extension that blocks vercel-analytics.com or use private/incognito browsing.

Disabling strictly necessary cookies will break sign-in, file uploads, and other core features.

7. Changes to This Policy

We may update this Cookie Policy from time to time to reflect new features or regulatory guidance. Material changes will be flagged in this page's effective date and, where required, by an in-app notice. Continued use of the Service after the updated effective date constitutes acceptance of the revised policy.

8. Contact

Questions about cookies or storage? Email us at privacy@doclator.com.

Last updated: April 28, 2026

Back to TranslatorBack

Doclator