Privacy & Data
Cookie Policy
How Veyda uses cookies and similar technologies on our marketing website and member app, and how to manage them.
Effective date: May 6, 2026
What cookies we use
Strictly necessary. Authentication tokens, session state, security tokens, and CSRF protection. These cannot be turned off without breaking the site.
Functional. Theme preference, last-visited section, and similar conveniences.
Analytics. Aggregated, anonymized usage data so we can fix what's broken and improve the product. Provider: Vercel Analytics + PostHog.
Marketing. Conversion tracking on paid-traffic landing pages only (Meta Pixel). Not used inside the member app or on policy pages.
We do not use third-party advertising cookies inside the member experience.
Managing cookies
You can clear or block cookies via your browser settings. Note that blocking strictly-necessary cookies will prevent you from signing in. Blocking analytics cookies has no effect on functionality and is honored automatically when you set navigator.doNotTrack or use a privacy-respecting browser.
Do Not Track
Veyda honors browser-level Do Not Track / Global Privacy Control signals for analytics and marketing cookies. We don't apply them to strictly-necessary cookies because those are required for authentication and security.
Counsel review queue — California considerations
Not final policy text. The items below capture the California-specific regulatory considerations our counsel needs to address before we publish the production version of this Cookie Policy. Source: internal product/engineering review, May 2026.
CCPA / CPRA cookie + tracker rules
- "Sale" or "sharing" definition under CPRA is broad — advertising pixels (Meta Pixel on /trysage and other paid landing pages) likely count as "sharing." If yes:
  - "Do Not Sell or Share My Personal Information" link required in the marketing-site footer.
  - Opt-out mechanism via in-page banner OR honoring Global Privacy Control (already stated above).
- Cookie consent banner required on first visit — confirm the current site behavior matches the policy.
- The Meta Pixel statement here ("Marketing. Conversion tracking on paid-traffic landing pages only") is good — counsel should confirm the actual deployment matches.
Global Privacy Control (GPC) handling
- The "We honor GPC" statement above is correct posture. Counsel should confirm:
  - GPC is honored for both cookies AND server-side tracking (e.g., suppressing analytics events even when the cookie is technically set).
  - Honor is documented to the user (a confirmation banner or footer indicator helps).
Children's data (COPPA + CCPA tiers)
- If any user is under 13, behavioral cookies fall under COPPA's strict consent rules. Confirm we don't set ANY behavioral cookie before age verification.
- Practical mitigation: hard age-gate at 18 across all surfaces.
Other state cookie rules
- Washington My Health My Data Act: requires opt-in for "consumer health data" tracking — applies broadly; could pull analytics events into scope.
- Connecticut (CTDPA) + Colorado (CPA): require honoring universal opt-out signals (GPC counts).
Cookie disclosure specifics
- The current categories breakdown is good. Counsel should confirm:
  - Each cookie's name, purpose, retention period, and provider is disclosed (table format is standard practice — some jurisdictions require this).
  - Third-party cookies disclosed by name (Vercel Analytics, PostHog, Meta Pixel, Stripe).
Specific items to revise in this draft
- Add: cookie table with name + purpose + retention + provider per cookie.
- Add: confirm "Do Not Sell or Share" opt-out signal handling.
- Add: explicit reference to Washington MHMDA if any analytics events touch consumer health data.