Cookie Policy

Every cookie we use. In plain English.

This Cookie Policy explains what cookies (and similar browser storage) Debutap uses on debutap.com, on our admin and customer dashboards, and on any vCard or store hosted on Debutap. We've done our best to keep this list complete and accurate. If you spot a cookie we haven't disclosed, tell us at [email protected].

Last updated: 12 May 2026·Version 1.0.2

1. What are cookies?

A "cookie" is a small text file a website stores in your browser. It lets the site remember things between page loads — that you're logged in, what plan you're viewing, what language you prefer. This policy uses "cookies" as shorthand for cookies, localStorage, sessionStorage, and similar browser-side storage.

Cookies are classified into four broad groups:

Strictly necessary — without them the site cannot function.
Preferences — remember your settings.
Analytics — help us understand how the site is used.
Marketing / embedded — used by third-party services we embed.

3. Strictly necessary cookies

These cookies are required for the site to function. They cannot be switched off and don't require consent under the ePrivacy Directive or DPDP.

Name	Purpose	Duration	First / Third party
`theme`	Remembers your light / dark / system theme preference.	1 year	First (localStorage)
`cookie-consent`	Stores your cookie preferences.	1 year	First
`session`	Maintains your sign-in session for the dashboard.	Session / 30 days if "Remember me" ticked	First (HttpOnly, Secure)
`csrf-token`	Protects you from cross-site request forgery on form submissions.	Session	First
`__cf_bm` / `cf_clearance`	Cloudflare bot management — distinguishes humans from automated traffic.	30 minutes / 30 days	Third (Cloudflare)

4. Preference cookies

Set after consent (or on equivalent legitimate-interest basis where allowed).

Name	Purpose	Duration	First / Third party
`locale`	Remembers your preferred display language.	1 year	First
`currency`	Remembers your preferred display currency (when multi-currency rolls out).	1 year	First
`dashboard-view-state`	Remembers collapsed/expanded states of dashboard panels.	6 months	First

5. Analytics cookies

We use a privacy-friendly analytics setup. We do not use Google Analytics on our marketing site by default. The cookies below are only set after you accept analytics in the consent banner.

Name	Purpose	Duration	First / Third party
`_pa_uid`	Privacy-friendly anonymous visitor ID for product analytics.	6 months	First
`_pa_session`	Groups events into a session for funnel analysis.	30 minutes	First
`sentry-replay-id`	Error-replay identifier for Sentry, only set when a JS error is captured.	Session	Third (Sentry)

6. Marketing & embedded service cookies

Set only with consent, or when you explicitly use an embedded feature.

Name	Purpose	Duration	First / Third party
Razorpay cookies (`__rzp_*`)	Set during the Razorpay checkout flow on the marketing site or dashboard.	Up to 1 year	Third (Razorpay)
Stripe cookies (`__stripe_*`)	Set during Stripe checkout, for fraud detection and to maintain the payment session.	1 year	Third (Stripe)
Google sign-in	Set if you choose Google as your sign-in method.	Varies	Third (Google)
Embedded YouTube / Vimeo (if used in blog posts)	Set when you start a video.	Varies	Third

7. Cookies on your published cards

The vCards, stores, and booking pages you publish on Debutap set only the strictly necessary cookies needed to render them and a small set of visitor analytics cookies (described in "Analytics" above). If you embed any third-party widget (Google Maps, YouTube videos, third-party chat) on your card, those services will set their own cookies on the visitor's browser, and you should disclose them in your own privacy notice.

As a Debutap customer, you are responsible for any additional cookies set by third-party widgets you embed on your card or store. If you operate in the EU, UK, India, Brazil, or California, you may need your own privacy notice or cookie banner on your card.

8. How to manage cookies

From our footer. Click "Cookie preferences" to update your choice anytime.
In your browser. Every modern browser lets you block or delete cookies; check the "Help" or "Settings" menu of your browser for instructions.
Mobile devices. iOS and Android both expose cookie controls in Safari and Chrome respectively, and offer system-level tracking-protection settings.
Browser add-ons. Tools like Privacy Badger, uBlock Origin, and your browser's built-in tracking protection can block third-party tracking cookies.

Blocking strictly necessary cookies may break parts of Debutap (you won't be able to sign in or stay signed in). Blocking analytics or preference cookies is fine — the Service will still work.

9. Do Not Track and Global Privacy Control

We honour the Global Privacy Control (GPC)signal: when your browser sends GPC, we treat that as an opt-out of any "sale" or "sharing" under CCPA/CPRA, and as a withdrawal of consent for non-essential cookies under GDPR/DPDP for that session.
The legacy "Do Not Track" (DNT) header is not consistently implemented across browsers and is not formally recognised in most jurisdictions — we don't treat it as a withdrawal of consent on its own.

10. Changes to this policy

We update this Cookie Policy when we add or remove cookies. The "Last updated" date and version at the top of the page show the most recent revision. Material changes (new categories, new sub-processors) get a 30-day notice in your dashboard.

11. Contact

Questions or corrections: [email protected].

Questions about this document? Get in touch at [email protected].

See all legal documents