Skip to main content
VoiceCraft
Get started

Cookie Policy

Last updated May 25, 2026

Table of Contents

  1. 1. Overview
  2. 2. Essential Cookies
  3. 3. Preference Cookies
  4. 4. Browser Storage
  5. 5. Third-Party Scripts
  6. 6. Why No Cookie Banner?
  7. 7. Changes to This Policy
  8. 8. Contact

1. Overview

VoiceCraft uses cookies and similar browser-side storage only when needed to operate the service. We do not use cookies for analytics, advertising, retargeting, or session replay. We do not set any third-party tracking cookies.

The complete list of cookies and storage items set by VoiceCraft is documented on this page. If you observe any cookie not listed here, please contact us at privacy@voicescraft.app.

For a broader description of how VoiceCraft handles personal data, see our Privacy Policy. For security properties of these cookies, see our Security Overview.

2. Essential Cookies

Essential cookies are required for the service to function. Without them, you cannot sign in or use the VoiceCraft platform. These cookies do not track you across sites and are not used for any purpose other than operating the service.

NamePurposeLifetimeScope
__Secure-authjs.session-token(production)authjs.session-token(development)NextAuth session token (JWT). Identifies the signed-in user and authorizes access to the dashboard.8 hourshttpOnly, secure (prod), sameSite=Lax
vc_sudoStaff elevation token granted after WebAuthn step-up. Required for VoiceCraft platform admin actions including sudo and impersonation.15 minuteshttpOnly, secure (prod), sameSite=Lax
google_oauth_statemicrosoft_oauth_statehubspot_oauth_stateclover_oauth_statesquare_oauth_stateTemporary CSRF state tokens used during OAuth integration flows for Google, Microsoft, HubSpot, Clover, and Square. Set at the start of an OAuth flow and consumed on callback.10 minuteshttpOnly, secure (prod), sameSite=Lax

3. Preference Cookies

Preference cookies remember your UI preferences. They are not strictly required, but the service is less convenient without them. They do not track behavior across sites and contain no personally identifiable information.

NamePurposeLifetimeScope
timezoneYour browser's IANA timezone identifier (for example, America/Los_Angeles). Used to render local dates in the dashboard and align analytics date boundaries to your local midnight.1 yearclient-readable, sameSite=Lax
voicecraft_right_panel_openRemembers whether the right sidebar panel in the dashboard was open or closed on your last visit.1 yearclient-readable, sameSite=Lax

4. Browser Storage

VoiceCraft uses localStorage in one specific context:

vc_visitor_id

An anonymous visitor identifier set only on the /widget/chat page when VoiceCraft is embedded as a chat widget on a third-party site. Used to maintain conversation context across page reloads within a single browser.

  • Format: vc_vis_ followed by a randomly generated ID.
  • Stored indefinitely until the visitor clears browser storage manually.
  • Contains no personally identifiable information. The ID is generated locally and is not linked to a user account.
  • Only set on /widget/chat. Not set on any other VoiceCraft page.

VoiceCraft does not use sessionStorage, IndexedDB, Cache API, or any other browser storage mechanism beyond the items listed on this page.

5. Third-Party Scripts

Only one external script is loaded by VoiceCraft, and only on authenticated dashboard pages:

Helpnest

A help-center and in-app documentation widget loaded when the NEXT_PUBLIC_HELPNEST_BASE_URL and NEXT_PUBLIC_HELPNEST_WORKSPACE environment variables are configured by the VoiceCraft operator.

  • Loaded using Next.js next/script with the lazyOnload strategy, so it does not block page rendering.
  • Only loaded on authenticated dashboard pages, not on public pages.
  • Helpnest may set its own cookies on the user's browser per the Helpnest privacy policy.

No other external scripts, fonts, or resources are loaded from third-party origins. Geist Sans and Geist Mono fonts are self-hosted. No CDN-hosted libraries are loaded at runtime.

6. Why No Cookie Banner?

Under the EU ePrivacy Directive, GDPR, and the California CCPA, consent banners are required for non-essential tracking cookies. VoiceCraft does not set tracking, analytics, or advertising cookies, so the consent requirement does not apply.

Essential cookies (session token, CSRF state) are exempt from consent requirements under the ePrivacy Directive because they are strictly necessary for a service explicitly requested by the user.

Preference cookies (timezone, panel state) are set in direct response to user actions within the platform and do not track behavior across sites or build a behavioral profile. They fall within the “legitimate interests” basis under most interpretations of the ePrivacy Directive.

If this changes, for example if VoiceCraft adds an analytics integration or a behavioral advertising feature in the future, we will add a consent flow and update this policy with at least 30 days notice before any new cookies are set.

7. Changes to This Policy

Material changes to this Cookie Policy will be communicated via email to the OWNER contact of each Organization at least 30 days before the change takes effect. The “Last updated” date at the top of this page will be updated accordingly.

Non-material changes (such as adding clarifying language or correcting typographical errors) may be made without prior notice.

8. Contact

For questions about this Cookie Policy or about how VoiceCraft handles your data, contact us at privacy@voicescraft.app.

For the full picture of how VoiceCraft handles personal data, see our Privacy Policy. For security details on how these cookies are protected, see our Security Overview.