Cookie Policy
Effective date: June 15, 2026 Last updated: June 25, 2026
This Cookie Policy explains how Vestry LLC ("Vestry," "we," "us," or "our") uses cookies and similar tracking technologies on the Vestry service at getvestry.com (the "Service").
This Cookie Policy is a supplement to and is incorporated into our Privacy Policy. For the broader description of how we collect, use, share, and protect your personal information, please read the Privacy Policy.
1. What Are Cookies?
A cookie is a small text file that a website places on your device (computer, phone, tablet) when you visit it. Cookies allow the website to recognize your device on future visits, remember preferences, and provide essential functionality.
Cookies can be:
- First-party cookies — set by the website you are visiting (in this case, Vestry).
- Third-party cookies — set by services we use (such as our authentication provider or our analytics provider).
- Session cookies — deleted when you close your browser.
- Persistent cookies — remain on your device until they expire or you delete them.
We also use similar technologies that work like cookies: web beacons (small invisible images that track when content loads), local storage (a browser-based storage mechanism), and session-replay scripts (which record interactions with the page).
For brevity, this Cookie Policy uses the word "cookies" to mean cookies and similar technologies together.
2. Why We Use Cookies
We use cookies for the following purposes:
2.1 Essential Cookies (Required)
These cookies are required for the Service to function. Without them, you cannot sign in, complete a purchase, or use core features.
- Authentication — set by Supabase, our authentication provider, to remember your sign-in state across pages.
- Session management — to maintain your interaction with the Service.
- Security and CSRF protection — to prevent unauthorized cross-origin requests.
You cannot opt out of essential cookies through cookie settings; doing so would prevent the Service from working. If you disable cookies entirely in your browser, the Service will not function.
2.2 Analytics Cookies
We use Microsoft Clarity to record interactions with the Service for the purpose of improving usability. Clarity captures information including:
- Pages you visit and time spent on each
- Click and scroll patterns ("heatmaps")
- Session-replay snapshots of your interactions with the page
- Approximate location (country/region only — not precise location)
- Browser type, device type, and language preference
Microsoft Clarity acts as our service provider under California law and is contractually prohibited from using session data for its own purposes.
You can opt out of Microsoft Clarity by:
- Disabling cookies in your browser settings;
- Enabling "Do Not Track" or "Global Privacy Control" signals in your browser;
- Using a browser extension that blocks analytics scripts; or
- Contacting us at privacy@getvestry.com to request that your data be excluded.
When we detect a Global Privacy Control signal, we will display a visible confirmation in your account settings that your opt-out has been processed. Microsoft Clarity is configured to honor opt-out signals such that no session-replay data is collected from users who have signaled an opt-out, consistent with California Privacy Protection Agency regulations effective January 1, 2026 and equivalent state requirements.
We also use PostHog (configured on the EU Cloud) for product analytics — to understand which pages and features are used so we can improve the Service. PostHog does not record session replays for Vestry and acts as our service provider under a Data Processing Addendum. You can opt out of PostHog the same ways: enabling a "Do Not Track" or "Global Privacy Control" signal disables it, or contact privacy@getvestry.com.
3. List of Cookies and Tracking Technologies We Use
The table below lists the cookies and similar technologies that may be set when you use the Service. The exact set depends on which features you use.
| Name / Purpose | Type | Provider | Duration | Category |
|---|---|---|---|---|
sb-*-auth-token (authentication) | First-party | Supabase | Session + persistent | Essential |
vestry-active-workspace (active workspace selection) | First-party | Vestry | Persistent | Essential |
| CSRF token | First-party | Vestry | Session | Essential |
__clck, __clsk (Clarity session recording) | Third-party | Microsoft Clarity | Up to 13 months | Analytics |
ph_*_posthog (PostHog product analytics — pages/features used) | Third-party | PostHog | Up to 12 months | Analytics |
| Local storage entries (UI preferences, theme, dismissed banners) | First-party | Vestry | Persistent (until cleared) | Essential / Functional |
| Stripe checkout session cookies | Third-party | Stripe | Session (during checkout only) | Essential (payment) |
This list is not exhaustive — minor cookies may be set by third-party providers we use. We update this list when our cookie practices change in a way that materially affects users.
4. Your Choices
4.1 Browser Controls
Most browsers allow you to manage cookies through their settings. You can:
- Block all cookies — note: this will prevent Vestry from working at all.
- Block third-party cookies only — this will prevent some analytics but keep core functionality.
- Delete existing cookies at any time.
- Set a "Do Not Track" or "Global Privacy Control" signal — Vestry honors GPC as a request to opt out of the "sale" or "sharing" of personal information under applicable US state privacy laws.
Specific browser instructions:
- Chrome: Settings → Privacy and security → Cookies and other site data
- Firefox: Settings → Privacy & Security → Cookies and Site Data
- Safari: Preferences → Privacy → Manage Website Data
- Edge: Settings → Cookies and site permissions
- Mobile browsers: Settings → Privacy or Privacy and Security
4.2 Mobile Device Identifiers
If you use the Service on a mobile device, you can reset your advertising identifier or limit ad tracking through your device's privacy settings:
- iOS: Settings → Privacy & Security → Tracking → Allow Apps to Request to Track (off)
- Android: Settings → Privacy → Ads → Reset advertising ID
4.3 Contact Us
If you have questions about cookies or want to exercise your rights regarding cookies on the Service, email privacy@getvestry.com.
5. Third-Party Cookies and Subprocessors
Some cookies are set by third parties whose services we use. Your interaction with these cookies is governed by the third party's own privacy policy in addition to ours. The current list of third-party cookie sources is:
- Microsoft Clarity — session-replay analytics. Microsoft Privacy Statement
- PostHog — product analytics (EU Cloud). PostHog Privacy Policy
- Stripe — payment processing (during checkout). Stripe's Privacy Policy
For the full list of sub-processors that may receive your data through Vestry, see the Sub-processor List section of our Privacy Policy.
6. International Considerations
6.1 European Economic Area, United Kingdom, and Switzerland
If you are located in the EEA, UK, or Switzerland, the ePrivacy Directive (2002/58/EC, as implemented by your member state) and the UK Privacy and Electronic Communications Regulations (PECR) govern non-essential cookies. ePrivacy Article 5(3) requires prior consent for storage or access on terminal equipment for non-essential cookies — independent of GDPR legal basis.
The Service is not currently configured to display a cookie consent banner. We mitigate the resulting risk by configuring Microsoft Clarity to use its privacy-preserving / no-cookie mode for visitors whose request headers indicate EEA, UK, or Swiss origin, OR by not loading Clarity for such visitors. We will deploy a full IAB Transparency and Consent Framework (TCF) banner or equivalent consent gate before actively marketing in those regions. You may object to any cookie-based processing at any time using the controls described in Section 4.
6.2 California, Virginia, Colorado, Connecticut, Texas, and other US States
Under the CCPA, CPRA, VCDPA, CPA, CTDPA, TDPSA, and similar US state privacy laws, you have the right to opt out of the "sale" or "sharing" of personal information. We do not sell your personal information. Our use of Microsoft Clarity is configured as a "service provider" relationship and does not constitute a "sale" or "sharing" under these laws. You can still submit a "Do Not Sell or Share" request at privacy@getvestry.com.
We honor the Global Privacy Control (GPC) browser signal as an opt-out request under US state privacy laws.
6.3 Australia, Canada, New Zealand
Our cookie practices comply with the Australian Privacy Act 1988, Canada's PIPEDA, and New Zealand's Privacy Act 2020. To exercise rights under these laws, contact privacy@getvestry.com.
7. Changes to This Cookie Policy
We may update this Cookie Policy from time to time. If we make material changes, we will update the "Last updated" date at the top of this policy and, where appropriate, notify you by email or through a prominent notice on the Service.
8. Contact Us
For questions about this Cookie Policy:
- Email: privacy@getvestry.com
- Mail: Vestry LLC, 8401 Mayland Dr Ste A, Richmond, VA 23294-4648, United States