Legal

Cookie Policy

Last updated: May 20, 2026

1. What This Policy Covers

This policy describes the cookies, browser local storage, and similar technologies that Quoining (operated by Bolt Systems, LLC) uses on quoining.com and within the authenticated app. It applies to anyone who visits our marketing pages or uses the Service in the United States. The Service is currently offered only in the United States.

2. First-Party Cookies and Storage

2.1 Strictly Necessary

These are required for the Service to work and cannot be turned off. Disabling them prevents you from signing in or using authenticated features.

  • Session cookie: Maintains your signed-in session (Auth.js session token).
  • CSRF token cookie: Protects state-changing requests against cross-site request forgery.
  • Cookie-consent record: Stored in browser local storage (key cookie_consent) so we don't prompt you again. It must live in local storage because it has to be available before you sign in.

2.2 User Preferences (server-backed)

The vast majority of your in-app preferences (theme, sidebar state, dashboard layout, report filters, quick actions, tour progress) are stored server-side in our database, keyed to your authenticated account. The browser holds only the session cookie that identifies you to the server.

2.3 Marketing Attribution (pre-consent, local-only)

When you arrive on a Quoining marketing page with UTM parameters in the URL (utm_source, utm_medium, utm_campaign, utm_term, utm_content), we capture the first set we see and store them in browser local storage under the key q_utm_params. This capture happens regardless of your analytics-cookie choice because it is operational, not analytics: the values are used during signup so we know which marketing channel referred you.

The UTM values stay on your device until you clear local storage or until they are read once during signup. They are not transmitted to third-party analytics providers before you consent.

3. Analytics (opt-in)

We load product and site analytics only after you select “Accept All” on the consent banner. If you select “Essential Only,” the analytics scripts are not loaded and the providers below set no cookies.

  • Google Analytics 4 (Google LLC, United States): aggregate pageview and event analytics for our marketing site. IP truncation is enabled. Google Privacy Policy.
  • PostHog(PostHog, Inc., United States – us.i.posthog.com): product analytics inside the app (feature usage, funnels, feature-flag decisions). PostHog Privacy Policy.

We do not use advertising cookies, retargeting pixels, or third-party ad networks. We do not sell or share your personal information for cross-context behavioral advertising.

4. Error Monitoring (Sentry)

We use Sentry (Functional Software, Inc., United States) to capture application errors. The browser-side Sentry SDK is consent-gated for browser analytics and monitoring where applicable; the client SDK is not in the first-load bundle and only initializes after you accept analytics cookies. Replay may be captured around error events and during authorized administrator impersonation sessions, with text input and media masking enabled by default. Server-side and edge error monitoring may run separately from browser cookie controls.

5. Embedded Third-Party Flows

When you use certain features inside the app, third parties load their own widgets and may set their own cookies, governed by their own policies. These only run when you trigger the relevant flow.

  • Stripe — embedded subscription checkout and billing portal. Stripe Privacy Policy.
  • Plaid — Plaid Link widget for connecting a bank account. Plaid Privacy Policy.
  • Google and Microsoft— if you choose to sign in or sign up with Google or Microsoft, those providers run their own sign-in pages and set their own cookies during that flow. Google · Microsoft.
  • Optional integrations(Ramp, Gusto, Bill.com, Avalara, Shopify, Square) use OAuth redirects to the provider's own domain when you connect them. Those flows are subject to the provider's cookies and policies.

6. How Long Things Last

  • Session cookies: cleared when your browser session ends or your session expires.
  • Persistent cookies: kept for a defined period (typically up to 1 year) or until you clear them.
  • Local storage (cookie_consent, q_utm_params): stays on your device until you clear site data.

7. Your Choices

Consent banner.On your first visit, the banner lets you choose “Accept All” or “Essential Only.” Choosing “Essential Only” prevents analytics scripts (GA4, PostHog) from loading.

Change your choice. Clear the cookie_consent entry from local storage for quoining.com (or clear all site data) and the banner will reappear on your next visit.

Global Privacy Control. We do not currently parse the Global Privacy Control (GPC) browser signal as a separate opt-out, because we do not sell or share personal information for cross-context behavioral advertising (the activities for which GPC is an opt-out under California law). If we later add any activity for which GPC would apply, we will implement GPC handling at the same time.

Browser controls.Most browsers let you block or delete cookies. Blocking strictly necessary cookies will prevent the Service from functioning. Refer to your browser's help for instructions.

8. Changes to This Policy

We may update this policy from time to time. The “Last updated” date at the top reflects the most recent material change. Continued use of the Service after a change takes effect indicates acceptance of the updated policy.

9. Contact

Questions about this Cookie Policy:

Bolt Systems, LLC

Email: privacy@quoining.com