Cookie Policy

Effective date: March 31, 2026

1. What Are Cookies

Cookies are small text files that are placed on your device (computer, tablet, or mobile phone) when you visit a website. They are widely used to make websites work, improve efficiency, and provide information to the operators of the site. Cookies can be "session" cookies (which are deleted when you close your browser) or "persistent" cookies (which remain on your device for a set period or until you delete them).

This Cookie Policy explains how SubcontractorAudit ("we," "us," or "our") uses cookies and similar technologies on subcontractoraudit.com (the "Service").

2. Our Approach to Cookies

We believe in a minimal, privacy-first approach to cookies and tracking. Our platform is designed for business-to-business use in the construction industry, and we have intentionally chosen technologies that respect user privacy:

  • We only use cookies that are strictly necessary for the Service to function (authentication and session management)
  • Our analytics solution (Umami) is cookie-free and does not track individual users
  • We do not use advertising cookies, social media tracking pixels, or cross-site tracking technologies
  • We do not participate in ad networks or share cookie data with advertisers

3. Essential Cookies

These cookies are required for the Service to operate correctly. They enable core functionality such as user authentication, session management, and security features. You cannot opt out of essential cookies while using the Service, as doing so would prevent the platform from functioning.

| Cookie Name | Purpose | Type | Duration | httpOnly |
|---|---|---|---|---|
| __session | Stores the authenticated user session token. This cookie is essential for keeping you logged in as you navigate between pages. The token is SHA-256 hashed before server-side storage. | First-party | Session (expires when browser closes) or up to 30 days if "Remember me" is selected | Yes |
| __client_uat | Tracks the authentication state timestamp to ensure the client-side session stays in sync with the server. Used to detect when a session has been invalidated. | First-party | Session | No |
| __csrf | Cross-Site Request Forgery (CSRF) protection token. Prevents unauthorized actions by verifying that form submissions and API requests originate from our platform. | First-party | Session | Yes |

All essential cookies are first-party cookies (set by subcontractoraudit.com). Session cookies marked as httpOnly cannot be accessed by client-side JavaScript, providing additional protection against cross-site scripting (XSS) attacks.

4. Analytics (Cookie-Free)

We use Umami, a privacy-focused, open-source analytics platform, to understand how our Service is used. Umami was chosen specifically because of its privacy-respecting design:

  • No cookies -- Umami does not set any cookies on your device
  • No personal data -- Umami does not collect personally identifiable information such as IP addresses, email addresses, or device fingerprints
  • No cross-site tracking -- Umami only tracks pageviews and events on our domain and does not follow users across websites
  • Aggregated data only -- all analytics data is stored in aggregate form and cannot be used to identify individual visitors
  • GDPR/CCPA compliant by design -- because no personal data is collected, no cookie consent banner is required for analytics under GDPR or CCPA

The analytics data we collect includes: page URLs visited (without query parameters), referrer sources, browser type (generic, e.g. "Chrome"), device type (desktop/mobile/tablet), operating system (generic), and country-level geolocation.

5. Third-Party Cookies

Our Service uses Cloudflare for content delivery (CDN), DNS resolution, and DDoS protection. Cloudflare may set the following cookies:

| Cookie Name | Purpose | Duration | Set By |
|---|---|---|---|
| __cf_bm | Bot management cookie. Helps distinguish between human visitors and automated bots to protect the Service from malicious traffic and DDoS attacks. | 30 minutes | Cloudflare |
| cf_clearance | Set when a visitor completes a Cloudflare security challenge. Confirms the visitor has passed the challenge and prevents them from being re-challenged for the duration. | Up to 24 hours | Cloudflare |

These Cloudflare cookies are classified as strictly necessary for security purposes. They do not track users for advertising or marketing purposes. For more information, see Cloudflare's cookie documentation.

6. Cookies and Technologies We Do Not Use

For clarity, SubcontractorAudit does not use any of the following:

  • Advertising/marketing cookies -- no Google Ads, Facebook Pixel, LinkedIn Insight Tag, or any other ad-tracking cookies
  • Social media cookies -- no Facebook, Twitter/X, LinkedIn, or other social media widgets, share buttons, or embedded content that set tracking cookies
  • Third-party analytics with tracking -- no Google Analytics, Hotjar, Mixpanel, or similar services that use cookies to track individual user behavior
  • Browser fingerprinting -- we do not use canvas fingerprinting, WebGL fingerprinting, or other browser fingerprinting techniques to identify users
  • Tracking pixels / web beacons -- we do not embed invisible tracking pixels in web pages (note: transactional emails sent via Resend may include standard open-tracking pixels; see Resend's privacy policy for details)
  • Cross-site tracking -- we do not participate in cross-site tracking or retargeting networks

7. Managing Cookies

You can control and manage cookies through your browser settings. Most modern browsers allow you to:

  • View all cookies currently stored on your device
  • Delete specific cookies or all cookies at once
  • Block cookies from specific websites or all websites
  • Configure different settings for first-party and third-party cookies
  • Receive notifications when a website attempts to set a cookie

Because our Service only uses essential cookies, we do not display a cookie consent banner. The limited cookies we set are strictly necessary for the Service to function and are exempt from consent requirements under most privacy regulations.

8. Browser-Specific Instructions

To manage cookies in your browser, follow the instructions for your specific browser:

9. Impact of Disabling Cookies

If you choose to block or delete cookies used by SubcontractorAudit, the following impacts may occur:

| Cookie Blocked | Impact |
|---|---|
| __session | You will be unable to log in or remain authenticated. Each page navigation will require re-authentication. |
| __client_uat | Session state synchronization may fail, potentially causing unexpected logouts or stale UI states. |
| __csrf | Form submissions and certain API requests will be rejected as a security precaution, preventing you from performing actions such as uploading documents or updating settings. |
| Cloudflare cookies | You may be presented with repeated security challenges when accessing the Service, resulting in a degraded experience. |

Since all cookies used by the Service are essential for security and functionality, blocking them will effectively prevent normal use of the platform.

10. Do Not Track Signals

Some web browsers transmit "Do Not Track" (DNT) signals to websites. Because there is no universally accepted standard for how to interpret DNT signals, SubcontractorAudit does not currently respond to DNT signals in a different manner. However, because we do not use tracking cookies, advertising technologies, or cross-site tracking, our Service inherently respects the intent of DNT signals.

11. Changes to This Policy

We may update this Cookie Policy from time to time to reflect changes in our technology, legal requirements, or business practices. When we make changes:

  • We will update the "Effective date" at the top of this page
  • If we introduce new categories of cookies (such as optional analytics cookies), we will provide clear notice and obtain consent where required
  • Material changes will be communicated via email to account owners

We encourage you to review this policy periodically to stay informed about how we use cookies.

12. Contact Us

If you have questions about our use of cookies or this Cookie Policy, please contact us: