Which cookies the marketing site and the dashboard set, what they store, and how to control them. Last updated April 2026.
The marketing site uses no third-party analytics, no ad-tech, and no behavioural tracking. It sets only the strictly necessary cookies needed to render the page (Google Fonts hosting may set a session cookie on its CDN; we have no access to its contents). No ePrivacy / GDPR consent banner is required because no consent-gated cookie is set.
The dashboard sets the following cookies, all HttpOnly and Secure:
incito_session — session identifier issued at login. Lifetime 7 days; refreshed on activity.
incito_csrf — anti-forgery token. Lifetime matches session.
incito.origin-banner.dismissed-until — local-storage flag (not strictly a cookie) that hides the origin-rejection banner for 24 h after dismissal.
No third-party cookie is set on the dashboard. Stripe Checkout opens on a Stripe-hosted domain when you upgrade — Stripe's cookies live there, governed by Stripe's privacy policy.
The widget Incito loads on a tenant's sandbox sets one short-lived sessionStorage entry to track the in-progress demo session. This is not technically a cookie under the strict ePrivacy definition, but we treat it as one for transparency. It is cleared when the visitor closes the tab and is never sent cross-site.
Tenants who embed the widget remain responsible for their own cookie consent posture on their domain. Incito does not add ad-network or analytics cookies on tenant sites — but tenants should still surface a cookie consent banner appropriate to their jurisdiction.
You can clear or block cookies in your browser at any time. Doing so for the dashboard will log you out and may prevent CSRF-protected actions from completing. You can clear the marketing-site cookies without consequence.
We will update this page if we add, remove, or change cookies materially. The "last updated" date at the top reflects the most recent change.
Questions: support@useincito.com.