This Cookie Policy explains how Craft Lab, SLU uses cookies and similar technologies (localStorage, sessionStorage, IndexedDB) on the Shipnest platform, what each category is for, what third-party cookies are set during specific actions, and how you can manage your preferences.
1. What are cookies and similar technologies?
A cookie is a small text file a website stores on your device. Cookies let a site recognise you between requests, remember your preferences, keep you signed in and measure how the site is being used.
Local storage (and the related sessionStorage / IndexedDB) is a browser API that lets a site persist key-value data on your device. It is not a cookie in the strict sense — the data never travels in request headers — but it serves a similar purpose, so we treat it under the same consent framework as cookies. We refer to all of the above collectively as “cookies” in this document.
2. Categories of cookies we use
2.1 Strictly necessary
Required for the platform to function. They keep you signed in, protect forms from cross-site request forgery, remember your theme choice and carry your accepted cookie preferences. These cookies cannot be disabled — disabling them would break the service. We rely on them on the basis of Art. 22.2 LSSI-CE (Spanish ePrivacy implementation) and Art. 6(1)(b) GDPR (contract performance), so no consent is required.
2.2 Functional
Optional cookies that remember your sidebar collapse state, table column layouts, saved filters and other UI preferences. They make the app more convenient but are not essential. Set after you accept them in the cookie banner.
2.3 Analytics
Optional cookies that help us understand aggregate usage (which pages are visited, where users drop off, load-time metrics). Data is aggregated and never sold. You can opt out at any time. Currently no third-party analytics provider is loaded in production; we plan to use a privacy-respecting solution (Plausible or similar) and will update this section before enabling it.
2.4 Marketing
We do not currently run advertising campaigns, but reserve the marketing category for possible future retargeting or campaign-attribution cookies. None are active today — if we enable any, they will require explicit opt-in.
3. First-party cookies (set on shipnest.app)
| Cookie / key | Category | Purpose | Retention |
|---|---|---|---|
| authjs.session-token | Strictly necessary | Holds your signed session JWT so you stay authenticated between requests. HttpOnly + Secure + SameSite=Lax. | 30 days |
| authjs.csrf-token | Strictly necessary | CSRF protection for authentication endpoints. | Session |
| shopify_oauth / ups_oauth / usps_oauth / amazon_oauth / etsy_oauth / ebay_oauth / woocommerce_oauth | Strictly necessary | Short-lived signed cookies that carry OAuth state and code-verifiers for channel and carrier install flows. HttpOnly + SameSite=Lax. | 10 minutes |
| admin_impersonate_org | Strictly necessary | Used by platform administrators to scope requests to a specific tenant while providing support. Always shown via an in-app banner so the operator knows they’re acting on a tenant’s behalf. | Session |
| shipnest.cookie-consent (cookie + localStorage) | Strictly necessary | Stores your cookie preferences so we don’t ask again on every page load. Persisted to BOTH the browser cookie (so SSR can read it) and localStorage (source of truth for client decisions). | 12 months |
| shipnest.theme (localStorage) | Functional | Remembers your light / dark / system theme choice. | Until cleared |
| shipnest.table.* (localStorage) | Functional | Persists table column order, filters, density and saved views per table. Keyed by the table ID. Also synced to the server via TablePreference rows for cross-device persistence. | Until cleared |
| shipnest.views.* (localStorage) | Functional | Saved DataTable named views per table. | Until cleared |
| shipnest.sidebar.collapsed (localStorage) | Functional | Remembers whether you collapsed the left sidebar. | Until cleared |
4. Third-party cookies and storage
We do not embed advertising-network or behavioural-tracking pixels. The third-party domains below only set cookies on their OWN origin during specific user actions you initiate, and only with the data they need to complete that action:
| Provider / domain | When loaded | Purpose |
|---|---|---|
| Stripe — js.stripe.com, checkout.stripe.com, q.stripe.com | On the billing surfaces (/settings/billing) and during Stripe Checkout / Customer Portal sessions. | Payment processing, fraud detection (Stripe Radar), session continuity inside Checkout. Set on Stripe domains; we do not read or write them. |
| Sentry — sentry.io / browser ingest | When the public Sentry DSN is configured by the operator — fires in-page when an unhandled error occurs to send the (PII-scrubbed) crash report. | Error monitoring. No persistent cookie set; uses a short-lived in-memory session id only. |
| Channel OAuth consent screens — Shopify, Amazon Seller Central, Etsy, eBay, WooCommerce, BigCommerce, Squarespace, Magento | During the install / connect flow only. | Each provider sets its own session cookies on its domain (not on shipnest.app) to authenticate the merchant before redirecting back with the OAuth code. We do not control or read these. |
| Carrier OAuth consent screens — UPS, USPS | During the carrier install flow only. | Carrier-side authentication for the OAuth handshake. Set on the carrier’s domain. |
5. Honouring browser privacy signals
5.1 Global Privacy Control (GPC)
When your browser sends the Sec-GPC: 1 header we treat it as a confirmed opt-out signal under the CCPA / CPRA. We do not sell or share personal information for cross-context behavioural advertising regardless, but the signal is respected and applied to your session automatically — no additional click required.
5.2 Do Not Track (DNT)
When your browser sends DNT: 1 we suppress any non-essential analytics signals from your session. Strictly-necessary cookies are still set because the service cannot function without them.
6. Managing your preferences
You can review or change your preferences at any time using the Cookie preferences link in the footer of every page. The banner will also reappear if we add a new category of cookies or a new third-party recipient, or if your stored preferences expire.
You can also manage or delete cookies directly from your browser settings. Blocking strictly-necessary cookies will prevent Shipnest from signing you in.
For California residents — see the “Your rights under CCPA / CPRA” section of our Privacy Policy for the full menu of rights, including the right to opt-out of sale or sharing and how the GPC signal interacts with our processing.
7. Changes
We may update this Cookie Policy as our product evolves. The “Last updated” date at the top reflects the latest version. Material changes (adding a new category, a new third-party processor, or enabling analytics) will trigger the cookie banner again so you can revisit your choice.
8. Contact
Write to us at info@shipnest.app for any cookie-related question.