Cookie Policy
Last updated: May 13, 2026
This Cookie Policy explains how MeraFlow LLC uses cookies and similar storage technologies on the MeraFix public website (merafix.com) and the customer admin panel. We keep our use of these technologies minimal by design — we do not run third-party advertising networks or social-media tracking pixels on our public site.
This Policy should be read together with our Privacy Policy, Terms of Service, Acceptable Use Policy, and AI Disclosure.
1. What Are Cookies?
A cookie is a small text file that a website places on your device (computer, phone, or tablet) when you visit. Cookies allow the site to remember information about your visit — for example, that you are logged in, or that you have already seen a consent notice — so you do not have to repeat certain steps every time you return.
Cookies can be either session cookies (deleted automatically when you close your browser) or persistent cookies(stored on your device until they expire or you delete them). They can be set by the website you are visiting ("first-party cookies") or by a third-party service embedded in the page ("third-party cookies").
We also make limited use of localStorage, a browser feature similar to cookies but stored locally without an expiry date, to persist non-sensitive user preferences (such as a dismissed notification state) without sending the data to our servers on every request.
2. What We Use
| Category | Name / Identifier | Purpose | Duration | Where Set |
|---|---|---|---|---|
| Essential — Session & Auth | sb-access-token, sb-refresh-token | Authenticates your session with Supabase Auth. Required to access the customer admin panel. Without these cookies, login is not possible. | Session / up to 1 hour (access); up to 7 days (refresh) | Admin panel only (*.merafix.com subdomains) |
| Essential — CSRF | csrf-token (or equivalent header-based token) | Protects mutating requests (form submissions, API writes) against cross-site request forgery attacks. Required for platform security. | Session | Admin panel only |
| Essential — Public Site | None beyond basic HTTP session | The public marketing site (merafix.com) does not require login and sets no persistent cookies of its own beyond what third-party services described below may set. | — | Public site (merafix.com) |
| Analytics — Umami (self-hosted) | umami.uuid (anonymous visitor ID) | Privacy-first, self-hosted web analytics. Counts page views, referrers, and general device type. Does not fingerprint devices, does not share data with any third party, and does not set advertising identifiers. Data stays on our own servers. | 365 days | Public site; admin panel |
| Analytics — GA4 (may be enabled in future) | _ga, _ga_* | Google Analytics 4 for traffic measurement. Not currently active on the public site. If we enable GA4, we will update this policy 30 days in advance and add a cookie consent notice where required by law. | Up to 2 years (if enabled) | Would apply to public site only (if enabled) |
| Third-party — Cloudflare | __cf_bm, cf_clearance | Set by Cloudflare, our CDN and DDoS-protection provider. Used to distinguish legitimate browser traffic from automated bots and to remember that a browser has passed a challenge. Cloudflare's privacy policy applies: cloudflare.com/privacypolicy. | 30 minutes (__cf_bm); up to 1 year (cf_clearance) | All MeraFix domains (set by Cloudflare infrastructure) |
| Third-party — Stripe | __stripe_mid, __stripe_sid | Set by Stripe during checkout and subscription management flows to detect fraud and enable Stripe's payment UI. Only active on pages that load Stripe.js (the subscription checkout page). Stripe's privacy policy applies: stripe.com/privacy. | Up to 1 year | Checkout / billing pages only |
3. What We Do Not Use
We want to be explicit about what we deliberately do not do:
- No advertising network cookies: We do not run Google Display, Facebook Audience Network, or any other third-party advertising network on this website. There are no cookies or pixels that track your behavior across other websites to build an advertising profile.
- No social-media tracking pixels (currently): We do not have Meta Pixel, LinkedIn Insight Tag, TikTok Pixel, or similar social-network tracking codes active on this site. If this changes, we will update this policy and implement appropriate consent mechanisms.
- No third-party behavioral retargeting: We do not share your browsing activity on our site with any advertising platform for the purpose of retargeting you with ads elsewhere.
- No fingerprinting: We do not use device fingerprinting techniques (canvas fingerprinting, font enumeration, etc.) to identify or track you across sessions or sites.
4. Your Choices
Browser settings
Most web browsers allow you to control cookies through their settings menus — typically under "Privacy" or "Security." You can instruct your browser to:
- Block all cookies (note: this will prevent you from logging into the admin panel);
- Block third-party cookies only (this will not affect the essential session cookies but will block Cloudflare and Stripe cookies before those pages load);
- Delete all cookies when you close the browser; or
- Alert you before a cookie is stored so you can decide case by case.
Links to cookie settings for common browsers: Chrome, Firefox, Safari, Edge.
Do Not Track
Some browsers send a "Do Not Track" (DNT) signal to websites. We do not currently respond to DNT signals in a technically differentiated way, because there is no industrywide standard for interpreting them. Given that we do not run advertising trackers, your browsing on this site is not used for cross-site behavioral advertising regardless of your DNT setting.
Analytics opt-out
Umami analytics, which we use for aggregate site statistics, sets an anonymous visitor identifier that does not contain personally identifiable information and is not shared with any third party. If you prefer not to be counted even anonymously, you can delete the umami.uuid cookie in your browser settings at any time; a new anonymous ID will be created on your next visit if the cookie is allowed.
5. Updates to This Policy
We may update this Cookie Policy when we add or remove technologies, or when our practices otherwise change. We will update the "Last updated" date at the top of this page. For material changes — particularly if we add advertising or social-media tracking technologies — we will notify active customers by email at least 30 days before the change takes effect and, where required by law, seek fresh consent.
6. Contact
If you have questions about our use of cookies or want to exercise any data-related right, please contact:
- Privacy: [email protected]
- General support: [email protected]
- Operator: MeraFlow LLC, organized under the laws of South Carolina, United States