Effective date: March 23, 2026 · Last updated: March 23, 2026
Effective date: March 23, 2026 · Version 1.0
Scope of This Policy This Cookie Policy applies to zerodocs.xyz, our web application, and associated subdomains (collectively, our “Website”). It explains what cookies and similar tracking technologies we use, why we use them, and how you can control them. This Policy should be read alongside our Privacy Notice (zerodocs.xyz/privacy) and Terms of Service (zerodocs.xyz/terms), which together govern your use of ZeroDocs. Authenticated product environment: The cookie controls described in this Policy primarily apply to our marketing website and unauthenticated pages. Within the authenticated platform (your signed-in dashboard), we use only strictly necessary and functional cookies. We do not deploy advertising or analytics cookies inside the authenticated product. |
1. What Are Cookies and Similar Technologies?
2. Why We Use Cookies
3. Categories of Cookies We Use
4. Cookie Inventory — Full List
5. Third-Party Cookies and Sub-Processors
6. Your Consent and Legal Basis
7. Cookie Preference Centre — How to Manage Your Choices
8. Global Privacy Control (GPC) and Do Not Track (DNT)
9. Cookies and Children
10. Retention Periods
11. Jurisdiction-Specific Rights
12. Changes to This Policy
13. Contact Us
Cookies
A cookie is a small text file placed on your device (computer, tablet, or mobile phone) by a website you visit. Cookies are widely used to make websites function, improve user experience, and provide analytics to site operators. Cookies can be:
Type | Description | Example |
|---|---|---|
Session cookies | Deleted automatically when you close your browser. Hold no persistent data. | Login session token |
Persistent cookies | Remain on your device for a defined period or until manually deleted. | Language preference |
First-party cookies | Set directly by zerodocs.xyz. | Authentication cookie |
Third-party cookies | Set by a domain other than zerodocs.xyz, typically via embedded scripts. | Stripe fraud detection |
Similar Technologies
In addition to cookies, we may use the following technologies, which this Policy governs equally:
We use cookies for the following purposes, always limited to what is necessary for each stated objective:
We classify cookies into five categories. The category determines the legal basis for use and whether you can opt out.
STRICTLY NECESSARY | Strictly Necessary Essential for the platform to function. These cookies enable core features: login sessions, CSRF protection, document workflow state, API authentication tokens, and security monitoring. The platform cannot operate without them. Legal basis: Legitimate interests / Contract performance Opt-out: No — essential to service |
FUNCTIONAL | Functional Allow the platform to remember choices you make and provide enhanced personalised features. Examples: preferred language, light/dark mode, dismissed onboarding tips, remembered email at login. Disabling these does not break the platform but reduces convenience. Legal basis: Consent (where required) / Legitimate interests Opt-out: Yes — Cookie Preference Centre |
ANALYTICS | Analytics and Performance Help us understand how users interact with our website and platform. Data collected is pseudonymised and aggregated. We use PostHog for product analytics and may use additional tools. Applied on both marketing site and authenticated product (pseudonymised user IDs only). Legal basis: Consent (EU/UK/Brazil) / Legitimate interests (other jurisdictions) Opt-out: Yes — Cookie Preference Centre |
PAYMENTS | Payment Processing Set by our payment processors Stripe and Paddle to detect anomalous behaviour, prevent fraudulent transactions, and verify payment session integrity. These are technically third-party cookies but are essential to the transaction and treated equivalently to strictly necessary cookies for billing flows. Legal basis: Contract performance / Legitimate interests Opt-out: No — required for payment processing |
MARKETING | Marketing and Advertising Used on our marketing website (zerodocs.xyz public pages) only — never inside the authenticated product. Enable us to measure campaign effectiveness, run retargeting, and deliver relevant ads on third-party platforms. May involve sharing pseudonymised identifiers with advertising partners. Legal basis: Consent (required in all jurisdictions where we deploy these) Opt-out: Yes — Cookie Preference Centre; GPC signal honoured |
The table below lists all cookies currently deployed by ZeroDocs. We review and update this inventory at least every six months or whenever we add new cookies. Last reviewed: March 23, 2026.
4.1 Strictly Necessary Cookies
Cookie Name | Set By | Purpose | Expiry |
|---|---|---|---|
__session | ZeroDocs | Encrypted session token — authenticates the logged-in user and maintains dashboard state. | Session (deleted on browser close) |
__csrf_token | ZeroDocs | Cross-Site Request Forgery protection token — validates that form submissions originate from our platform. | Session |
__auth_state | ZeroDocs | Stores OAuth state parameter for secure third-party login flows (Google, Microsoft). | 15 minutes |
__envelope_draft | ZeroDocs | Preserves multi-step document envelope draft progress to prevent data loss on navigation. | 24 hours |
__sec_flags | ZeroDocs | Internal security flag used to detect anomalous session behaviour and enforce re-authentication. | Session |
4.2 Functional Cookies
Cookie Name | Set By | Purpose | Expiry |
|---|---|---|---|
__zd_prefs | ZeroDocs | Stores user interface preferences: theme (light/dark), language locale, notification settings, and dismissed UI hints. | 12 months |
__zd_onboard | ZeroDocs | Records which onboarding steps have been completed to avoid repeating them on subsequent sessions. | 6 months |
__zd_region | ZeroDocs | Stores selected region/timezone for date and time display in documents and audit trails. | 12 months |
4.3 Analytics Cookies
Cookie Name | Set By | Purpose | Expiry |
|---|---|---|---|
ph_* | PostHog | Product analytics: tracks feature usage, navigation paths, and error events. Data is pseudonymised using a PostHog-assigned device ID. No personally identifiable information is included in analytics events. | 12 months |
__zd_perf | ZeroDocs | Internal performance monitoring: records page load times and API latency for debugging. Pseudonymised session ID only. | Session |
4.4 Payment Processing Cookies
Cookie Name | Set By | Purpose | Expiry |
|---|---|---|---|
__stripe_mid | Stripe | Machine identifier used by Stripe to detect fraud across sessions and link payment attempts to a device. | 12 months |
__stripe_sid | Stripe | Session identifier used by Stripe to associate a payment session with a browser session for fraud detection. | Session |
paddle_js | Paddle | Paddle’s session tracking cookie used for merchant-of-record compliance, tax determination, and fraud prevention. | Session |
4.5 Marketing Cookies (Marketing Website Only)
Cookie Name | Set By | Purpose | Expiry |
|---|---|---|---|
_fbp | Meta (Facebook) | Used by Meta to deliver, measure, and improve the relevance of ads shown on Meta platforms to visitors of zerodocs.xyz. Only deployed on public marketing pages. | 3 months |
_gcl_au | Google Ads conversion tracking cookie. Records whether a user who clicked a Google Ad subsequently performed a conversion action on zerodocs.xyz. | 3 months | |
_ga | Google Analytics | Distinguishes unique visitors to zerodocs.xyz marketing pages. Pseudonymised device ID. Not deployed in authenticated product. | 13 months |
_ga_* | Google Analytics | Session and campaign data associated with the Google Analytics 4 measurement ID. | 13 months |
We minimise the use of third-party cookies. The third parties whose cookies appear on our platform are listed below, together with links to their own cookie and privacy policies. We are not responsible for the content of third-party policies.
Third Party | Category | Scope | Their Privacy Policy |
|---|---|---|---|
Stripe | Payment Processing | Authenticated product (billing flows) | stripe.com/privacy |
Paddle | Payment Processing | Authenticated product (billing flows) | paddle.com/privacy |
PostHog | Analytics | Marketing site + authenticated product (pseudonymised) | posthog.com/privacy |
Google Analytics | Analytics / Marketing | Marketing site only | policies.google.com/privacy |
Google Ads | Marketing | Marketing site only | policies.google.com/privacy |
Meta (Facebook) | Marketing | Marketing site only | facebook.com/privacy/policy |
What we do NOT do • We do not sell your cookie profile or browsing data to data brokers or advertising exchanges. • We do not deploy advertising cookies or tracking pixels inside the authenticated ZeroDocs product. • We do not use fingerprinting, supercookies, or any technique designed to re-identify you after you have opted out. • We do not use cross-context behavioural advertising within the authenticated product. |
The legal basis on which we use cookies varies by category and jurisdiction. The table below summarises our approach.
Cookie Category | EU / EEA / UK | India | USA (California) | Brazil | Other |
|---|---|---|---|---|---|
Strictly Necessary | No consent required (legitimate interests / contract) | No consent required | No consent required | No consent required | No consent required |
Functional | Consent required (ePrivacy Directive) | Consent recommended | No consent required (opt-out sufficient) | Consent required | Consent recommended |
Analytics | Consent required (ePrivacy Directive) | Consent recommended | No consent required (opt-out sufficient) | Consent required | Consent recommended |
Payment Processing | No consent required (contract performance) | No consent required | No consent required | No consent required | No consent required |
Marketing | Consent required (ePrivacy Directive) | Consent recommended | Opt-out sufficient (CCPA sale/share) | Consent required (LGPD) | Consent recommended |
Where consent is required, we obtain it via our Cookie Preference Centre before placing non-essential cookies. You may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
7.1 Cookie Preference Centre
When you first visit zerodocs.xyz, our Cookie Preference Centre will appear if you are accessing from a jurisdiction where consent is required. You can also access it at any time by clicking “Cookie Preferences” in the footer of zerodocs.xyz. The Preference Centre allows you to:
Your preferences are saved as a first-party cookie (__zd_consent) for 12 months, after which you will be asked to confirm your preferences again.
7.2 Browser-Level Controls
You can also control cookies through your browser settings. The links below provide instructions for the most common browsers:
Browser | Cookie Settings URL |
|---|---|
Google Chrome | chrome://settings/cookies |
Mozilla Firefox | about:preferences#privacy |
Apple Safari | Settings > Privacy > Manage Website Data |
Microsoft Edge | edge://settings/privacy |
Opera | opera://settings/cookies |
Important — Impact of blocking Strictly Necessary cookies If you configure your browser to block all cookies, including strictly necessary ones, you will be unable to log in to the ZeroDocs platform, save document drafts, or complete payment flows. We recommend blocking only non-essential cookies using the Cookie Preference Centre rather than blocking all cookies at browser level. |
7.3 Opt-Out Links for Specific Third Parties
You can opt out of specific third-party data collection using the links below:
Third Party | Opt-Out Mechanism |
|---|---|
Google Analytics | tools.google.com/dlpage/gaoptout (browser add-on) |
Google Ads | adssettings.google.com |
Meta / Facebook | facebook.com/settings/?tab=ads |
PostHog | posthog.com/privacy (opt-out available via Cookie Preference Centre) |
Stripe | Not applicable — strictly necessary for payment processing |
Paddle | Not applicable — strictly necessary for payment processing |
8.1 Global Privacy Control (GPC)
The Global Privacy Control (GPC) is a browser-level signal that communicates a user’s opt-out preference for the sale or sharing of personal data. We recognise and honour GPC signals as follows:
Jurisdiction | GPC Recognition | Effect |
|---|---|---|
California (CCPA/CPRA) | Legally required | Treated as opt-out of sale/sharing of personal information. Marketing cookies disabled on marketing site. |
Colorado (CPA) | Legally required | Treated as universal opt-out of targeted advertising. |
Connecticut (CTDPA) | Legally required | Treated as opt-out of targeted advertising and sale. |
EU / EEA | Honoured voluntarily | Treated as withdrawal of marketing and analytics consent. |
UK | Honoured voluntarily | Treated as withdrawal of marketing and analytics consent. |
Other jurisdictions | Honoured voluntarily | Non-essential cookies disabled. |
8.2 Do Not Track (DNT)
Do Not Track (DNT) is an older browser signal that lacks a consistent legal standard or cross-industry technical definition. Unlike GPC, DNT has not been adopted as a legally recognised opt-out mechanism in any major jurisdiction. We do not currently respond to DNT signals. We recommend using our Cookie Preference Centre or enabling GPC in your browser for effective opt-out control.
ZeroDocs is not directed at children under the age of 18. We do not knowingly use cookies to collect personal information from children. We do not deploy behavioural advertising or tracking cookies that would target minors. If you believe a child has interacted with our platform and their data has been collected via cookies, please contact privacy@zerodocs.xyz and we will take appropriate action including deletion.
Cookie retention periods vary by category and purpose. The table below sets out our retention standards. Session cookies are deleted automatically when you close your browser regardless of the below.
Category | Maximum Retention | Notes |
|---|---|---|
Strictly Necessary | Session or up to 24 hours | Auth tokens and CSRF tokens expire on session close or short timeout for security. |
Functional | 12 months | Preference cookies are refreshed on each visit. Re-consent requested after 12 months. |
Analytics | 13 months | Aligned with CNIL and ICO guidance on analytics cookie retention. |
Payment Processing | Session to 12 months | Stripe and Paddle retention is governed by their own policies; we have no control over third-party cookie expiry. |
Marketing | Up to 13 months | Advertising cookies are governed primarily by the third party setting them; our consent record expires at 12 months requiring re-consent. |
Consent Record (__zd_consent) | 12 months | After 12 months your cookie preferences are reset and you will be asked to confirm preferences again. |
11.1 European Union and EEA — ePrivacy Directive and GDPR
We comply with the EU ePrivacy Directive (Directive 2002/58/EC, as amended) and GDPR in relation to cookies. Non-essential cookies (functional, analytics, marketing) are only placed with your prior, informed, freely given, specific, and unambiguous consent via our Cookie Preference Centre. You have the right to withdraw consent at any time without detriment. Consent is not bundled with our Terms of Service.
Our Cookie Preference Centre is designed to give equal prominence to “Accept All” and “Reject Non-Essential” options, with no dark patterns. Scroll-based or continued-browsing consent is not used.
11.2 United Kingdom — PECR and UK GDPR
We comply with the Privacy and Electronic Communications Regulations 2003 (PECR) and UK GDPR. The same consent standard as the EU applies. The ICO’s guidance on cookies and similar technologies has been applied in designing our consent mechanism.
11.3 United States — California (CCPA/CPRA)
Marketing cookies that involve sharing pseudonymised identifiers with advertising partners may constitute a “sale” or “sharing” of personal information under CCPA/CPRA. California residents have the right to opt out of such sale/sharing by: (a) clicking “Do Not Sell or Share My Personal Information” in the footer of zerodocs.xyz; (b) using our Cookie Preference Centre; or (c) enabling GPC in their browser. We will honour opt-out requests within 15 business days.
11.4 India — DPDP Act 2023 and IT Rules
We obtain consent for non-essential cookies from Indian users through our Cookie Preference Centre. Under the DPDP Act 2023, consent must be free, specific, informed, and unambiguous. Our consent mechanism is designed to meet this standard. You may withdraw consent at any time through the Cookie Preference Centre or by contacting privacy@zerodocs.xyz.
11.5 Brazil — LGPD
Non-essential cookies require consent under the LGPD. We obtain consent via our Cookie Preference Centre before placing functional, analytics, or marketing cookies for Brazilian users. You may withdraw consent at any time without detriment. Contact privacy@zerodocs.xyz to exercise your rights.
11.6 Canada — PIPEDA and Quebec Law 25
We obtain express consent for non-essential cookies from Canadian users in accordance with PIPEDA and Quebec Law 25. Quebec users may request information about our cookie practices in French by contacting privacy@zerodocs.xyz.
11.7 Singapore — PDPA
We obtain consent for non-essential cookies in accordance with the PDPA and PDPC Advisory Guidelines on the Use of Cookies and Similar Technologies (issued 2021). Our Cookie Preference Centre provides clear notice and control consistent with PDPC guidance.
We review this Cookie Policy at least every six months and whenever we add, remove, or materially change our cookie practices. When we make changes we will update the “Last Updated” date at the top of this Policy. For material changes — such as introducing new categories of cookies or new third-party partners — we will provide notice via a banner on zerodocs.xyz and, where required by applicable law, re-request your consent. Prior versions of this Policy are archived at zerodocs.xyz/legal/cookies/archive.
For any questions, concerns, or requests relating to our use of cookies and tracking technologies:
Privacy Team — Cookie Enquiries Email: privacy@zerodocs.xyz Cookie Preference Centre: zerodocs.xyz/legal/cookies#preferences Postal: Attention: Privacy Team, BoringDollars Private Limited, B8A, Bhawani Singh Road, C-Scheme Jaipur 302001, Rajasthan India For DPDP Act grievances (India): Devendra Tanwar (legal@zerodocs.xyz) For GDPR / UK GDPR enquiries: dpo@zerodocs.xyz For CCPA opt-out requests: privacy@zerodocs.xyz (subject: CCPA Cookie Opt-Out) |
© 2026 BoringDollars Private Limited. All rights reserved.
ZeroDocs is a product of BoringDollars Private Limited, incorporated in India under the Companies Act 2013.