Cookie Policy
This page explains what cookies and similar storage technologies this site uses, what they are for, how long they last, and how you can change or withdraw your choice at any time.
For the broader explanation of who we are, what personal data we process more generally, and the full list of your rights, see the Privacy Policy. That page is the source of truth for the data controller’s identity, contact details, and the supervisory authority you can complain to.
What is a cookie, in plain language
A “cookie” is a small piece of data that a website stores in your browser so that it can remember something between page loads or visits. For example, that you have already accepted a cookie banner, or which device is yours so traffic from the same browser is not counted twice. Modern browsers also let sites store data in similar ways, such as localStorage, sessionStorage, and IndexedDB. Where it matters, this page treats those the same as cookies.
We use the smallest set of cookies we can. There are no advertising cookies, no third-party trackers, and nothing that follows you across other websites.
The two categories we use
1. Strictly necessary
These are set so the site can work at all. They do not require your consent under EU rules because they are necessary to provide the service you asked for (in this case, remembering your cookie choice, or completing a support-form submission you initiated).
| Name | Set by | Purpose | Storage type | Duration |
|---|---|---|---|---|
cc_cookie | poopjob.app | Remembers your cookie-banner choice so it does not reappear every visit | Cookie | ~6 months |
_cfuvid | Cloudflare (challenges.cloudflare.com) | Set when the Cloudflare Turnstile bot-check loads on the support form. Identifies a session for the purpose of detecting automated traffic, so we can answer real humans and reject bots. | Cookie on challenges.cloudflare.com (third-party context) | Session (~30 min) |
The _cfuvid cookie is set by Cloudflare on its own domain, not on poopjob.app, and only when you visit /support and start interacting with the form. We never read or write to it ourselves and it doesn’t follow you to other sites. If you never visit the support page, the cookie is never set. The exemption from cookie consent under PECR / ePrivacy applies because the bot-check is necessary to provide a service (sending us a support message) that you explicitly requested.
2. Analytics (set only after you accept)
These are loaded only after you click Accept in the cookie banner, or toggle Analytics on in the preferences. We use them to understand how people find and use the site (which pages are popular, which buttons get clicked, where people drop off). They never load if you reject.
These cookies are set on the parent domain .poopjob.app so we can link visits on the marketing site (poopjob.app) with use of the app (my.poopjob.app) as a single journey. This helps us tell whether the things we say about the product on the landing page actually translate into people finding it useful in the app.
| Name pattern | Set by | Purpose | Storage type | Duration |
|---|---|---|---|---|
AMP_<hash> | Amplitude (amplitude.com) | Anonymous device identifier and session state used to count unique visitors and page sequences | Cookie on .poopjob.app | Up to 1 year |
AMP_MKTG_<hash> | Amplitude (amplitude.com) | Records UTM parameters and the referring page so we can tell which channels people arrive from | Cookie on .poopjob.app | Up to 1 year |
| Session Replay store | Amplitude (amplitude.com) | A sampled (~10%) recording of page interactions so we can debug confusing UI; input fields are masked | IndexedDB | Cleared by the browser |
Amplitude processes this data on our behalf as a data processor. Their privacy notice is available at amplitude.com/privacy.
If you reject or later opt out, the AMP_* cookies are deleted automatically and no further events are sent.
What we do and do not send to Amplitude
We try to keep analytics narrow and honest. Specifically:
- We do not attach your name, email address, or any account identifier to analytics events. Amplitude only ever sees an anonymous device identifier it generates itself.
- We do not run advertising, sell data, or share it with third parties beyond Amplitude as our processor.
- We do not track you across other websites.
- However, the device identifier
AMP_<hash>is itself considered personal data under GDPR Recital 30, and Amplitude receives your IP address (used for approximate geolocation and dropped from stored events shortly after). - Autocapture records the text of buttons and links you click. If the app ever displays your name or email in a heading or label, that text reaches Amplitude as part of the click event. We aim to keep such surfaces minimal.
- Session Replay records page interactions on a small (~10%) sample of sessions. Form inputs are masked by default; rendered text is not. We treat the same caveat as above: avoid rendering identifiers in plain text where it is not strictly necessary.
How to change or withdraw your consent
You can change your mind at any time. It is exactly as easy as giving consent in the first place:
You can also clear cookies for this site in your browser settings, which will reset all choices. If you have a Global Privacy Control (GPC) signal or legacy Do-Not-Track signal enabled in your browser, we honour it silently. No banner appears and no analytics load.
Your rights
In short: you can withdraw consent at any time (the button above), and you have the full set of GDPR data-subject rights: access, rectification, erasure, restriction, objection, portability, and the right to lodge a complaint with a supervisory authority. These are described in detail, along with how to exercise them and who to contact, in the Privacy Policy.
To raise a cookie-specific question, email [email protected].
International data transfers
Both Amplitude and Cloudflare are US-based companies. Personal data collected through them is therefore transferred to the United States.
- Amplitude — analytics, transferred only after you consent. We act on the basis of your consent (Art. 6(1)(a) GDPR) for that transfer.
- Cloudflare — sets the
_cfuvidcookie on its own domain when the Turnstile bot-check on the support form loads. The transfer happens under the “necessary for the requested service” basis (Art. 6(1)(b) / 6(1)(f) GDPR), not on consent.
Both providers rely on the EU Commission’s Standard Contractual Clauses and the EU–US Data Privacy Framework as the legal basis for those transfers. See the Privacy Policy for the full list of US-based processors and the wider transfer disclosure.
Changes to this policy
We will update this page when we add or remove cookies, change retention periods, or switch providers. The “Last updated” date below reflects the most recent material change. For minor wording fixes we may not update the date.