Transparency Report

Cookies & Tracking

Last updated: April 9, 2026

Your Consent Status

We’re checking your browser for a stored preference.

What even is a cookie?

A cookie is a tiny text file your browser keeps on your device when you visit a website. Most of the time it’s boring plumbing — a string of characters that lets a site remember whether you’re logged in, what theme you picked, or that you’ve already seen a particular banner. Sometimes it’s used for analytics, which is how product teams (us included) figure out which pages are working and which are quietly broken.

We use exactly four pieces of client-side storage. Two are cookies that power Google Analytics. Two live in localStorage and exist purely to make the site work the way you’d expect. That’s the full list. No retargeting, no ad networks, no hidden pixels.

The full inventory

| Name | Purpose | Lifetime | Required? |
|---|---|---|---|
| _ga (Google Analytics) | Assigns a pseudonymous client ID so GA can tell one visitor from another. | 2 years | Only if you consent |
| _ga_J60X49K0FD (Google Analytics) | Holds session state for our specific GA4 property. | 2 years | Only if you consent |
| std_consent (localStorage) | Remembers whether you granted or declined analytics, so we don’t keep asking. | Until you clear it | Essential |
| theme (localStorage) | Remembers whether you picked light or dark mode. | Until you clear it | Essential |

“Essential” means the site literally couldn’t remember your choices without it. Essential storage never sends data off your device.

What Google Analytics actually sees

We’d rather you know exactly what leaves your browser when you opt in, because “anonymous analytics” is a phrase that hides a lot. Here’s the honest list:

  • A pseudonymous client ID. Not your name. Not your email. A random string stored in the _ga cookie that lets GA stitch your page views into a session.
  • Pages you visited on this domain. URL, title, and the time you landed on each one.
  • Where you came from. The referring URL, or the search term if the search engine passes one (most don’t any more).
  • Approximate location. Your IP address is sent to Google transiently so it can derive a rough city or country, then it’s discarded. GA doesn’t store the raw IP alongside your events.
  • Device & browser shape. User-agent data like “Chrome on macOS, 1440×900 viewport.” Useful for catching layout bugs on weird screen sizes.
  • Engagement signals. Scroll depth, outbound clicks, and how long you stuck around on a page.

How we use this, concretely

We’re a tiny team building a security tool. Every decision about what to build next comes from either a customer conversation or a pattern in the numbers. Here’s how the numbers actually shape what we ship:

Which incident stories are worth writing more of

If a story about a leaked Supabase key gets read five times more than one about an unindexed staging env, that tells us what the community actually wants to learn about — and we write more of those.

Where the landing page quietly loses people

Scroll depth is the single most honest signal we get. If everyone bails at the pricing section, the pricing section is broken. If no one reaches the FAQ, the FAQ is in the wrong place.

Which marketing channels are actually working

Referrer data tells us whether HN, Reddit, or a newsletter mention brought real engagement or just a spike of bounces. It’s the difference between “that post was a hit” and “that post was a hit with the right people.”

Catching layout bugs on devices we don’t own

We can’t test on every browser and screen in the wild. If a specific device-plus-browser combination has a much higher bounce rate, it’s almost always a layout bug we need to fix.

What we deliberately don’t do

  • We don’t sell, rent, or swap your data with anyone. Not partners, not ad networks, not data brokers.
  • We don’t run any advertising cookies. There’s no _gcl_au, no Meta Pixel, no LinkedIn Insight Tag, no TikTok, no nothing.
  • We don’t enable Google Signals, which means no cross-device tracking and no demographics reports.
  • We don’t build or buy visitor profiles from third-party data vendors.
  • We don’t fingerprint your device in any way beyond what Google Analytics does by default. No canvas tricks, no font-enumeration, no WebGL IDs.

Other ways to opt out

Revoking consent above flips the switch for this site specifically. If you’d like to opt out of Google Analytics across every site on the web, Google publishes a browser add-on that blocks the tracker entirely:

Google Analytics opt-out browser add-on →

You can also read Google’s own explanation of what GA collects and how they use it in their privacy policy. Clearing your browser’s cookies will also drop the GA cookies and our std_consent record, which means the banner will ask you again on your next visit.

Still have questions?

If something on this page is unclear, or you’d like us to dig into exactly what we’ve stored about your visits, write to us at hello@safetodeploy.dev. A human will read it. We’d also love to hear if you think we can be more transparent — that’s the whole point of this page.

See also: our Privacy Policy and Sub-processors list.