Cookie policy
The short version: we only use strictly-necessary cookies. No advertising, no third-party tracking, no fingerprinting. Read on for the full list.
We don't set any optional cookies today.
There's no advertising on VulnVerify, no third-party analytics (we'll add server-side product analytics later — never browser fingerprinting), and no embedded social widgets. The cookies below are required for sign-in and CSRF protection.
Cookies we set
| Cookie | Category | Purpose | Retention |
|---|---|---|---|
| authjs.session-token | Strictly necessary | Signed JWT that proves you're logged in. Removed when you sign out or after 14 days of inactivity. | 14 days |
| authjs.csrf-token | Strictly necessary | Cross-site-request-forgery protection token paired with auth flows. | Session |
| authjs.callback-url | Strictly necessary | Remembers where you were trying to go when redirected to sign in. | Session |
| vv-cookie-consent | Strictly necessary | Stores your cookie consent choice in localStorage (browser-only — never sent to our server). | Until you clear browser data |
Third-party cookies
If you use the “Continue with Google” sign-in option, Google sets cookies on its own domain (accounts.google.com) for the duration of the OAuth handshake. We do not control or read those cookies — see Google's policy.
Subscription payments are processed by Stripe; Stripe's hosted checkout may set its own cookies on *.stripe.com. See Stripe's privacy policy.
Changing your consent
Click in the footer to re-open the consent banner at any time. You can also clear your browser cookies for vulnverify.comto reset everything — you'll just need to sign in again.
Questions
Mail privacy@vulnverify.com. Full data-handling details are in the Privacy Policy.