YoBack to Yo

Cookies

A short list of small files.

Last updated 2026-05-17

The short version

Yo uses a handful of cookies — enough to keep you signed in and remember your theme. Out of the box, no advertising trackers, no cross-site tracking, no third-party analytics. If that changes, this page changes too.

What cookies do

A cookie is a small piece of data your browser stores on our behalf, so the site can remember things between page loads — that you're signed in, what theme you picked, whether you've dismissed a banner. We use as few as we can get away with.

Strictly necessary

These cookies make the service work. We don't ask for consent to set them because without them the site is broken.

  • Session cookie— proves you're signed in. http-only, secure in production, short-lived.
  • CSRF token— pins form submissions to your session so attackers can't make your browser act for you.
  • Auth callback state — short-lived storage during a Google or magic-link sign-in.
  • Pending handle— when you claim a username before signing up, we stash it for 30 minutes so you don't lose it during the sign-in flow.

Functional

These cookies remember your preferences. They're not strictly necessary but they make the experience nicer.

  • Theme preference— light or dark, so the next page-load doesn't flash the wrong colour.
  • Dismissed banners— when you close the “Powered by Yo” pill on someone else's public profile, that decision is stored in sessionStorage and clears when you close the tab.

Analytics

We run first-party analytics on the public profiles you create. Each event records the page, the event type (view, click, social click, email signup, purchase), an approximate country and device class, and a timestamp.

  • No third-party analytics SDK runs on your profile by default. Google Analytics, Meta Pixel, TikTok Pixel and so on are opt-in integrations you can connect from your dashboard.
  • No cross-site tracking. The analytics rows we store are keyed to your page, not to a visitor identity.
  • IP addresses are SHA-256 hashed with a server-side pepper before storage; the raw IP is never persisted.

Third-party scripts

If you're on a Business plan and you connect a third-party integration (Stripe, Mailchimp, your own analytics) or inject custom JavaScript, that code can set cookies of its own. Those cookies are governed by the third party's policy, not ours.

Out of the box, on a free or Pro page, no third-party script is loaded.

Your controls

Every modern browser lets you clear cookies, block third-party cookies entirely, or refuse cookies for a specific site. Blocking the strictly-necessary cookies will sign you out and stop you signing back in.

For everything beyond strictly-necessary, you can manage preferences (when applicable) from your settings page.