
Cookie Policy

Last updated: May 3, 2026

Short version. CourtFlow AI uses a small number of first-party cookies to keep you signed in, distinguish sessions for our own analytics, and remember which marketing campaign sent you. We do not load Google Analytics, Mixpanel, Segment, or any other third-party analytics tag. We do not use cookies for cross-site advertising or behavioral retargeting.

1. What is a Cookie?

A cookie is a small text file that a website stores in your browser. It can later be read back by the same site (a "first-party" cookie) or, less commonly, by another site that has been embedded into the page (a "third-party" cookie). This page also covers localStorage and sessionStorage entries we create, since they serve the same purpose as cookies for some of our analytics.

2. Cookies We Set

The table below lists every cookie or storage entry that CourtFlow AI itself writes, plus any third-party cookies set by SDKs we embed.

| Name | Category | Party | Duration | Purpose |
|---|---|---|---|---|
| cf_vid | Analytics | First-party | 90 days | Random visitor identifier (16 hex bytes) used to group page views and events into a coherent session for our first-party analytics. Mirrored to localStorage with the same key. No personal data; opaque random value only. |
| cf_utm | Analytics | First-party | 90 days | First-touch attribution: when you arrive at courtflow.ai with utm_* URL parameters, we record the campaign tags so a later signup can be attributed to the originating campaign. Written only on the visit when UTMs are present; never overwritten on later visits. |
| cf_sid | Analytics | First-party | Session (cleared on tab close) | Per-tab session identifier held in sessionStorage. Used to distinguish discrete browsing sessions from the same visitor. |
| cf_preview | Functional | First-party | 90 days | Legacy redesign-preview toggle. Still settable via /preview-design?on|off, but now a no-op since the redesign has been promoted to all visitors. |
| next-auth.session-token / __Secure-next-auth.session-token | Strictly necessary | First-party | 7 days | Signed JSON Web Token that authenticates your browser session after sign-in via Google or Microsoft OAuth. Required to access the dashboard, admin, and any tenant-scoped APIs. The "__Secure-" variant is used in production over HTTPS. |
| next-auth.csrf-token / __Host-next-auth.csrf-token | Strictly necessary | First-party | Session | CSRF token used by NextAuth to protect sign-in and sign-out flows from cross-site request forgery. |
| next-auth.callback-url / __Secure-next-auth.callback-url | Strictly necessary | First-party | Session | Holds the post-sign-in destination URL while the OAuth round-trip is in progress. |
| Stripe cookies (e.g., __stripe_mid, __stripe_sid) | Strictly necessary | Third-party | Up to 1 year | Set by Stripe.js only on pages that load the Stripe checkout SDK (currently /pricing during a paid-plan upgrade). Used by Stripe for fraud prevention; CourtFlow does not read or write these cookies. See Stripe's cookie disclosure for details. |

3. Cookie Categories Explained

  • Strictly necessary — Required for the Service to function. Without these, you cannot sign in, stay signed in, or complete a paid checkout. They cannot be disabled within the application.
  • Functional — Remember preferences and feature toggles. Disabling these does not break core functionality but may reset preferences each visit.
  • Analytics — Help us understand how the marketing site and product are used in aggregate so we can improve them. CourtFlow uses only first-party analytics cookies; we do not load third-party analytics or advertising tags.

4. Cookie Attributes

All cookies CourtFlow sets carry the following attributes in production:

  • Secure — Sent only over HTTPS connections.
  • SameSite=Lax — Sent on top-level navigations from other sites but not on cross-site sub-resource requests, mitigating CSRF.
  • HttpOnly — Applied to authentication cookies (NextAuth session token, CSRF token) so they cannot be read by JavaScript. Analytics cookies are not HttpOnly because the browser-side beacon needs to read them.
  • Path=/ — Available across the entire site.

5. How to Control Cookies

Block or delete cookies in your browser

Every modern browser lets you block all cookies, block third-party cookies, delete existing cookies, or set per-site overrides. Consult your browser's help docs (Chrome, Firefox, Safari, Edge) for exact steps. Blocking strictly-necessary cookies will sign you out and prevent further sign-ins until you unblock them; blocking only the analytics cookies will leave the Service fully functional.

Clear our analytics cookies specifically

From a browser console on courtflow.ai:

// Expire the two analytics cookies immediately (Path must match the one they were set with)
document.cookie = 'cf_vid=; Max-Age=0; Path=/'
document.cookie = 'cf_utm=; Max-Age=0; Path=/'
// Remove the localStorage mirrors of the same identifiers
localStorage.removeItem('cf_vid')
localStorage.removeItem('cf_utm')
// Remove the per-tab session identifier
sessionStorage.removeItem('cf_sid')

This deletes the analytics identifier and attribution cookies. They will be re-created on your next visit unless you also block them at the browser level.

Sign out

Signing out from the dashboard clears the NextAuth session and CSRF cookies and revokes your stored OAuth tokens at the server.

6. "Do Not Track"

Browsers can send a DNT: 1 request header. Industry consensus has settled on not honoring this header, since it is no longer a meaningful user-consent signal in most browsers. CourtFlow does not load any third-party advertising or cross-site tracking, so the practical impact is minimal regardless of your DNT setting.

7. Changes to this Policy

If we add, remove, or materially change a cookie's purpose or duration, we will update the table above and bump the "Last updated" date at the top of the page. Substantive changes are also noted in the changelog.

Questions?

For questions about cookies or browser storage, contact privacy@courtflow.ai.