Skip to content

Cookie Policy

ShelfStamp sets two cookies. Both are strictly necessary to run the screening tool, neither is shared with anyone, and neither is used to advertise to you. This page lists them, and then lists — at greater length, because it matters more — everything we do not do.

1. What cookies are

A cookie is a small piece of text that a website asks your browser to keep and to hand back on your next request. It is the only way a stateless protocol can remember that the screening you just ran and the result page you are now looking at belong to the same person.

Cookies are not inherently a tracking technology. They became one because the advertising industry used them to follow people between unrelated websites. That is a thing you can do with a cookie. It is not the only thing, and it is not what we do with ours.

2. The cookies we set

There are 2. This is all of them, generated from the same list the application itself reads.

NamePurposeTypeDuration
cs_sidTies the screenings you run in one visit together, so a result page can be shown back to you, and so we can count how many people used the tool without knowing who any of them are. It is a random number. It is not linked to your name or your email.Strictly necessary
First-party
1 year
cs_refIf you arrived here by clicking a ShelfStamp badge on someone else’s listing, this records WHICH certificate sent you — first touch only, never overwritten. It is how we know whether the badge works at all. It holds a certificate number, not a person.Strictly necessary
First-party
30 days

Both are first-party cookies, set by ShelfStamp and read only by ShelfStamp. Neither is transmitted to any of the companies listed on our Sub-processors page. Neither contains your name, your email address, or anything you typed.

3. What we do not use

This is the part of a cookie policy that is normally missing, and it is the part that tells you what kind of business you are dealing with. None of the following exists on this site, on any page, at any time:

  • No advertising or retargeting cookies. We do not sell advertising, we do not buy it against your visit, and there is no mechanism by which a product you screened here could follow you into an ad somewhere else.
  • No third-party analytics that follow you across other sites. We do not load Google Analytics, and we do not load any other product whose business model is observing you on sites that are not ours.
  • No social pixels. No Meta pixel, no TikTok pixel, no LinkedIn Insight tag, no X pixel. A social network does not learn that you visited ShelfStamp, because we never tell it.
  • No fingerprinting. We do not enumerate your fonts, canvas, audio stack, or hardware in order to identify you without a cookie. Declining cookies and then being identified anyway is a betrayal of the declining, and we do not do it.
  • No session recording. Nobody is watching a replay of your mouse moving across the page. There is no heatmap, no scroll-tracking, no keystroke capture.
  • No data brokers. We do not send your visit to an enrichment service, a data-onboarding partner, or an identity graph, and we do not receive anything about you from one.

We are not claiming virtue for this. It is a consequence of the business model: a person pays us for a certificate, or they pay us nothing and screen for free. Nobody pays us for the reader, so there is nothing to gain by surveilling one.

4. Why there is no banner

You did not have to dismiss a dialog to read this page. That is not an oversight and it is not a loophole. It is that there is genuinely nothing here to ask you about.

The rule is Article 5(3) of the ePrivacy Directive, which requires consent before storing information on a user’s device — except where the storage is strictly necessary to provide a service that the user has explicitly requested. Both of our cookies sit inside that exemption. Without cs_sid the site cannot show you the result of the screening you just asked it to run, which is the entire service.

So a dialog here would be theatre. It would ask your permission for something we are permitted to do without asking, offer you a choice we have already made on your behalf by not building the tracking infrastructure in the first place, and train you to click Accept without reading — which is the actual harm those dialogs have done to the web.

If we ever set a cookie that is not strictly necessary, we will ask you first, properly, and you will be able to say no and keep using the service. Today there is nothing to ask.

5. Managing cookies

Every major browser lets you see, block, and delete cookies. The controls are in Settings, usually under Privacy. You can block ours specifically, block all cookies from all sites, or delete everything we have set at any moment, without telling us and without our permission.

Blocking cs_sid degrades the site: the screening itself still runs, but the result page will not reliably associate itself with the screening you ran, and you may be sent back to the start. Blocking cs_ref costs you nothing at all. It costs us a data point about whether the certificate badge works, which is our problem and not yours.

There is no dark pattern here and no nag. Block them and the site keeps working as well as it can without them.

6. Changes to this policy

If we add a cookie, it appears in the table above on the day it is added, because the table is generated from the list the application reads. If we ever add one that is not strictly necessary, we will say so prominently and we will ask for your consent before setting it.

7. Contact

Questions about cookies, or about anything else we store, go to privacy@shelfstamp.com. For everything else, write to support@shelfstamp.com.