Cookie Policy
Last updated: 14 May 2026
This page explains what cookies and similar storage technologies Gundur uses, why, and how to control them.
What we use
Gundur uses only strictly necessary storage in your browser — the minimum needed to keep you signed in and protect the service from abuse. We do not use analytics cookies, advertising trackers, or third-party marketing pixels. We do use one cookieless, server-side aggregator (Vercel Web Analytics) to count page views in aggregate — described in the dedicated section below.
Under the Dutch Telecommunications Act (Telecommunicatiewet, art. 11.7a) and the EU ePrivacy framework, strictly necessary cookies do not require a consent banner. We list them here for transparency.
What is stored
1. Authentication (Firebase Auth)
- Where: your browser's IndexedDB (firebaseLocalStorageDb) and localStorage.
- What: a session ID token and a refresh token issued by Firebase Authentication (a Google service).
- Why: to keep you signed in across page reloads and to call the server on your behalf.
- Retention: until you sign out or clear browser data; refresh tokens expire after extended inactivity.
2. Abuse protection (Firebase App Check)
- Where: your browser's IndexedDB.
- What: a short-lived App Check attestation token (via reCAPTCHA Enterprise) proving the request comes from a real browser, not an automated bot.
- Why: to prevent abuse of our API endpoints and AI generation features.
- Retention: tokens are refreshed automatically and typically live under an hour.
- Note: Google's reCAPTCHA may set additional first-party cookies on Google domains as part of bot scoring. See Google's privacy policy.
3. Session preferences
- Where: your browser's localStorage / sessionStorage.
- What: small UI state markers — for example, whether you have an active tree open, draft input that has not yet been saved, and similar transient values.
- Why: to remember context as you navigate between pages within a session.
- Retention: until you close the tab (session) or clear browser data (local).
Aggregate page-view counting (Vercel Web Analytics)
We use Vercel Web Analytics, our hosting provider's built-in cookieless analytics, to count aggregate visits to gundur.ai. It tells us things like "how many people visited this week" and "which pages are most viewed" — nothing about individual visitors.
- Where: Vercel's edge servers (United States; DPF-certified). Nothing is stored in your browser — no cookies, no localStorage, no fingerprint script.
- What is collected: the URL you visited, your country (from IP — no city or precise location), device type (desktop / mobile / tablet), browser, and a session-scoped one-way hash derived from request properties so Vercel can count unique visits per visit without identifying you.
- What is not collected: no persistent user ID, no cross-session linkage, no cross-site tracking. Vercel cannot tell that the same person came back tomorrow, and we cannot either.
- Why: to see whether the site is being found and used at all, and which pages are working. Aggregate-only; used to make product decisions, not for advertising.
- Retention: aggregated counts are kept by Vercel for our access. Individual session hashes are not retained.
- Legal basis (GDPR): legitimate interest (Art. 6(1)(f)). Because no cookies are set and no persistent identifier is created, EU ePrivacy consent requirements do not apply (per current EDPB and Vercel guidance). You can object to legitimate-interest-based processing — see the Privacy Policy.
What we do not use
- No cookie-based analytics or persistent user identifiers. No Google Analytics, no Mixpanel, no Heap, no Plausible script-based tracking — our only analytics is the cookieless Vercel Web Analytics described above.
- No advertising or remarketing tags (no Meta Pixel, no Google Ads tags).
- No social-network "share" widgets that load tracking code.
- No cross-site fingerprinting.
If this changes (for example, if we add an additional analytics tool or any cookie-based tracker), we will update this page and, where the law requires it, ask for your consent first.
How to control or remove cookies
Because all of the above are essential to the service, blocking them will prevent you from signing in. You can still:
- Sign out of your account — this clears your session tokens.
- Clear site data via your browser's settings (Chrome / Safari / Firefox all expose this under "Site settings" or "Privacy").
- Use private / incognito mode — storage is cleared when the window closes.
- Delete your account, which removes server-side data as described in our Privacy Policy.
Questions
For anything related to cookies or storage on Gundur, email privacy@gundur.ai.
Gundur — sole proprietorship (eenmanszaak) operated by Pedro Neves, registered in the Netherlands. KvK 95247718 · VAT NL005140265B92.