what cookies actually are
a cookie is a small text file (typically under one kilobyte) that a website stores in your browser so it can recognise you on the next request without making you log in again. cookies have a name, a value, an expiration, and a domain they belong to. browsers send them back to the domain that set them on every subsequent request. cookies fall into two broad categories: functional cookies, which are required to make a site work (you cannot stay logged in without one), and tracking cookies, which try to follow you across other sites for analytics or advertising. we use only the first category. if a cookie on a vøiddo property is not strictly necessary to make a feature work, it is not set.
cookies we set ourselves (first-party)
our first-party cookies are limited to authentication and ui preferences and there are not many of them. a session token (signed, http-only, secure-flag, samesite=lax) keeps you logged into the scrb web app and the rankd dashboard between visits; it expires after thirty days of inactivity. a csrf token protects against cross-site request forgery on form submissions and rotates per session. a theme cookie remembers whether you prefer the dark layout or the light layout so we do not flash the wrong colour scheme on first paint. a locale cookie remembers which of the twenty-five interface languages you picked. that is the entire first-party set. we do not set an advertising id, we do not set a fingerprint cookie, we do not set anything whose only purpose is to identify you for analytics.
third-party cookies (paddle, cloudflare)
paddle (dublin, ireland) is our merchant of record and handles every checkout. when you land on a paddle checkout page or open the paddle billing portal from your account, paddle sets its own functional cookies to keep your cart state, your billing region for tax calculation, and your session with their dashboard. paddle’s cookie policy at paddle.com governs those cookies; we do not control them and we cannot read them from our own domains. cloudflare sits in front of voiddo.com as a content delivery network and ddos shield, and may set a short-lived __cf_bm or cf_clearance cookie if it needs to verify that a request is from a real browser rather than an abusive bot. we do not use google analytics, plausible (yet), facebook pixel, linkedin insight, microsoft clarity, hotjar, fullstory, or any advertising network cookies anywhere on this site.
how to disable them
every modern browser lets you block or delete cookies from settings, usually under a heading like “privacy and security” or “site settings”. chrome, firefox, edge, safari, and brave all have the same basic controls: block all cookies, block third-party cookies only, allow cookies but clear on close, or whitelist specific sites. if you block our first-party functional cookies you can still read the marketing pages and the documentation, but you will not be able to log into the scrb dashboard, the rankd dashboard, or the admin portal, you will not be able to maintain a session, and you will not be able to complete a paddle checkout. that is not a dark-pattern punishment; cookies are literally how the login mechanism works. if you block third-party cookies only, paddle checkout still works because it is served from a first-party-style checkout pop-up that does not need cross-site cookies.
consent and the absence of a cookie banner
we do not display the intrusive cookie consent banner that has become the default ornament of every european website since 2018. the gdpr and the eprivacy directive are clear that strictly necessary functional cookies do not require explicit opt-in consent; only analytics, tracking, and marketing cookies do. because we set only the strictly necessary category, no consent banner is legally required and we choose not to add one as theatre. if we ever introduce analytics cookies (we are considering self-hosted plausible, which is cookieless by design, before we consider anything that uses cookies), we will add an explicit opt-in flow before any non-essential cookie is written, and we will say so on this page first.
retention windows
session cookies are deleted the moment you close the browser tab; they live in memory only. persistent cookies (theme flag, locale flag, the long-lived session token if you ticked “remember me”) have a maximum lifetime of thirty days and are renewed on each visit. if you stop using our products entirely, the next time your browser does its automatic cookie cleanup the cookies are removed without your intervention. you can also manually clear them under your browser’s site-data controls. paddle and cloudflare cookies follow their own retention policies on their own domains.
localstorage, sessionstorage, indexeddb
we also rely on browser localstorage and sessionstorage to cache non-sensitive ui state — draft generations in scrb that you have not yet saved, recently viewed tools, theme animations preferences, a cached copy of the catalogue index for fast offline navigation. these are not cookies and they are not transmitted to any server on every request; they live entirely in your browser and we read them only when the relevant page loads. they follow the same thirty-day retention guidance as our functional cookies and can be cleared from your browser’s site-data settings alongside cookies. we do not currently use indexeddb on any vøiddo property; if we add it for offline caching of larger drafts, this paragraph will be updated before that ships.
changes to this policy
this document is versioned alongside the rest of the site and the “last updated” date at the top moves whenever the substance changes. if we ever introduce a new cookie, add a new sub-processor that uses cookies (we list the current sub-processors in the dpa at /legal/dpa/), or change the retention rules above, we update the date and post a one-line note in the public changelog at /changelog/ explaining what moved and why. material changes to tracking behaviour — the kind a regulator would want disclosed — are also communicated by email to every active account holder before the change goes live.
contact
questions about cookies, browser storage, or anything else covered above can go to support@voiddo.com. a human on the team reads the inbox during european or israeli working hours and replies within one working day. if you have actively discovered a cookie on one of our properties that is not listed in this document, please tell us — we will investigate, name it here within seven days, and either justify its presence under the functional category or remove it. the legal entity behind voiddo and its data-handling commitments is voiddo oÜ, an estonian private limited company registered via the e-residency programme, address at järveküla tee 64-9, kohtla-järve 30322, estonia.