// Version 1.2.0 · Updated May 4, 2026

Cookie Notice.

This Cookie Notice explains every cookie and browser-storage key Showcify sets on your device — what it does, how long it lasts, where it’s scoped, and whether your consent is required.

We follow a GDPR-strict default: anything that isn’t strictly necessary stays off until you explicitly opt in via the cookie banner. You can change your mind any time using the Cookie preferences link in the footer (and on your dashboard sidebar, if you’re signed in).

For the broader picture of how we handle your data, see our Privacy Policy. For data-subject requests (access, correction, deletion, export), use our privacy request form.

Strictly necessary

These keep core features working — signing you in, protecting your account from cross-site forgery, remembering your cookie preferences, preventing unstyled flashes on portfolio pages. They’re always on; you can’t opt out without breaking the product.

access_tokenCookie

Keeps you signed in to your Showcify account. Sent automatically on every request to our API.

Retention: 1 hour (refreshed automatically while you stay active)
Scope: app.showcify.com only

refresh_tokenCookie

Lets us issue a new access token without making you log in again. Scoped to the refresh endpoint only — not sent on any other request.

Retention: 7 days from your last activity (sliding window)
Scope: app.showcify.com, /api/v1/auth/refresh path only

csrf_tokenCookie

Defends your account against cross-site request forgery. Echoed back as an HTTP header on every state-changing request you make.

Retention: 1 hour (rotates with the access token)
Scope: app.showcify.com only

showcify_consentCookie

Remembers your cookie preferences so the banner doesn’t reappear on every visit.

Retention: 1 year
Scope: All Showcify subdomains (.showcify.com)

mkt_sidCookie

Anonymous, short-lived ID that ties together page views in a single marketing-site visit (e.g. /, /pricing, /features). Lets us count unique sessions and report basic traffic-source breakdowns. No personal data; the IP we receive on each request is hashed before storage and the raw IP is never persisted.

Retention: 30 minutes from your last activity
Scope: www.showcify.com (the marketing site only)

mkt_ref_capturedSession storage

Per-tab flag that records whether we’ve already captured your entry referrer on this visit, so SPA navigations between marketing pages don’t re-attribute the original referrer to every page view.

Retention: Per tab; cleared when you close the tab
Scope: www.showcify.com only, per browser tab

Analytics (consent-required)

Anonymous identifiers used by portfolio owners to see how visitors engage with their work — page views, section views, contact-link clicks. Off by default; turned on only if you explicitly opt in via the cookie banner.

rv_vidCookie

An anonymous ID that ties together page views, section views, and contact-link clicks for the same visitor on a public portfolio. Helps the portfolio owner understand how visitors interact with their work. Set only after you opt in to analytics.

Retention: 1 year
Scope: The specific portfolio subdomain you visit (e.g. alex.showcify.com)

Preferences (UX)

Remember small UI choices like the active theme. Kept on the device, never sent to our servers as identifying data.

showcify-portfolio-themeLocal storage

Caches the active theme key for portfolio pages so the theme renders instantly on reload (no flash of unthemed content). Portfolio pages still render correctly without it — you just get a brief unstyled flash on first paint.

Retention: Until you clear browser storage
Scope: Per browser, per origin

showcify_pricing_cycleLocal storage

Remembers whether you last viewed the pricing page on the monthly or yearly toggle, so a return visit lands you back on the cycle you were comparing.

Retention: Until you clear browser storage
Scope: www.showcify.com only (the pricing page lives on the marketing host)

showcify_sidebar_collapsedLocal storage

Remembers whether you collapsed the dashboard sidebar to free up content width, so navigating between pages preserves the layout you chose.

Retention: Until you clear browser storage
Scope: app.showcify.com only (the dashboard host)

showcify_wizard_<userId>Session storage

In-flight portfolio wizard state — current step, completed steps, and the form fields you have typed so far. Lets you reload the page mid-wizard without losing 10 minutes of typing. Cleared automatically when you publish or cancel the wizard, and discarded when you close the tab.

Retention: Per tab; cleared on publish, cancel, or tab close
Scope: app.showcify.com only, scoped per-account so two users on the same browser don't see each other's drafts

Third-party services

A small number of vendors set their own cookies inside their embedded widgets (payments, bot challenges). We don’t mirror their cookie list here — instead, each entry links to the vendor’s own up-to-date cookie policy.

RazorpayThird-party

During checkout, Razorpay (our payment processor) sets cookies inside the embedded payment iframe to handle fraud checks and complete the transaction. Razorpay receives only the data needed to process your payment.

Retention: Set by Razorpay — see their cookie policy
Scope: Razorpay’s own domain (inside the payment iframe)

Read Razorpay’s cookie policy ↗

Cloudflare TurnstileThird-party

Cloudflare Turnstile shows an invisible challenge on the privacy request, login, sign-up, and AI-generation forms to protect against bots. It does not use behavioural tracking or fingerprinting for advertising.

Retention: Set by Cloudflare — see their cookie policy
Scope: challenges.cloudflare.com (inside the widget iframe)

Read Cloudflare Turnstile’s cookie policy ↗

How to manage your choices

Cookie banner. Shown on your first visit. Lets you accept all, reject non-essential, or pick categories.
Footer link. The Cookie preferences link in the footer (and on the dashboard sidebar) reopens the customize dialog. Your choice updates immediately — analytics tracking stops/starts as soon as you save.
Browser settings.You can also clear cookies and local storage from your browser's settings. Doing so will sign you out, drop your portfolio-theme cache (causing a brief unstyled flash on portfolio pages until it's rebuilt), and re-show the cookie banner on your next visit.

Legal basis

Strictly necessary cookies don't require consent under the GDPR (Article 5(3) of the ePrivacy Directive) or India's DPDP Act — they're essential for delivering a service you explicitly asked for. Everything else (analytics) is set only with your prior, freely given, specific, informed, and unambiguous consent — withdrawable with the same effort it took to give.

Questions or concerns? Email legal@showcify.com.