Cookie Policy

Last Updated: December 29, 2025

1. Introduction

This Cookie Policy explains how Coloriboo ("we," "us," or "our") uses cookies and similar technologies when you visit our website at https://www.coloriboo.com/ (the "Site").

This policy should be read in conjunction with our Privacy Policy, which provides additional information about how we collect and use personal data.

2. What Are Cookies?

Cookies are small text files that are placed on your device (computer, smartphone, tablet) when you visit a website. They are widely used to make websites work efficiently and provide information to website owners.

Types of Cookies:

Session Cookies: Temporary cookies that expire when you close your browser.

Persistent Cookies: Cookies that remain on your device for a specified period or until you delete them.

First-Party Cookies: Set by the website you're visiting.

Third-Party Cookies: Set by a domain other than the one you're visiting, typically for advertising or analytics.

Summary of cookies :

✅ What we use:

  • Essential: Google Login, Facebook Login, Stripe
  • Analytics: PostHog (EU, cookie-based), Plausible (cookie-less)
  • Marketing: Meta Pixel (browser) + Meta CAPI (server)

✅ Your controls:

  • Cookie banner with granular choices
  • Withdraw consent anytime
  • Browser settings and privacy controls
  • Third-party opt-out tools

✅ Your data:

  • Hashed before sending to Meta CAPI
  • PostHog hosted in EU
  • Plausible collects no personal data
  • You own your account data

✅ Your rights:

  • Access, delete, port your data
  • Opt out of marketing/advertising
  • Lodge complaints with authorities
  • Full transparency and control

3. Why We Use Cookies

We use cookies and similar technologies for the following purposes:

3.1 Essential Cookies (Strictly Necessary)

These cookies are necessary for the website to function properly and cannot be disabled.

Purpose:

  • Enable basic website functionality
  • Enable social login (Google, Facebook)
  • Remember your login status
  • Maintain security and authentication
  • Process payments securely
  • Load balancing and performance optimization
  • Prevent cross-site request forgery attacks

Services included:

  • Google Sign-In
  • Facebook Login
  • Stripe payment processing

Duration: Session or up to 1 year

Legal Basis: These cookies are necessary for contract performance and legitimate interests.

Note: When you use Google or Facebook Login, these providers set their own cookies which are necessary for the authentication process to work. We do not control these cookies, but they are required for the login functionality you've chosen to use.

3.2 Functional Cookies (Preference Cookies)

These cookies enable enhanced functionality and personalization.

Purpose:

  • Remember your preferences (language, region)
  • Save your settings and choices
  • Customize user interface elements
  • Remember items in your cart or generation history
  • Store your preferred login method

Duration: Up to 1 year

Legal Basis: Your consent (you can withdraw consent at any time).

3.3 Analytics and Performance Cookies

These cookies help us understand how visitors interact with our website.

Purpose:

  • Analyze traffic and usage patterns
  • Measure website performance
  • Identify technical issues
  • Understand which features are most popular
  • Improve user experience
  • Track user journeys and conversion funnels

Services we use:

  • PostHog (EU-hosted, cookie-based)
  • Plausible Analytics (cookie-less, privacy-friendly)

Duration: Up to 1 year (PostHog only; Plausible uses no cookies)

Legal Basis: Your consent (you can withdraw consent at any time).

3.4 Marketing and Advertising Cookies

These cookies track your browsing activity to deliver relevant advertisements and measure campaign effectiveness.

Purpose:

  • Display personalized advertisements on Facebook and Instagram
  • Measure ad campaign effectiveness and ROI
  • Track conversions and user actions (browser + server-side via CAPI)
  • Retarget visitors who showed interest
  • Build custom audiences for advertising
  • Optimize ad delivery and performance

Services we use:

  • Meta Pixel (browser tracking)
  • Meta Conversions API (server-side tracking)

Duration: Up to 2 years

Legal Basis: Your consent (you can withdraw consent at any time).

4. Specific Cookies We Use

Below is a detailed list of the main cookies used on our Site:

Essential Cookies

Google Sign-In Essential Cookies

When you use Google Sign-In, Google sets cookies necessary for authentication:

Google Privacy Policy: https://policies.google.com/privacy

Facebook Login Essential Cookies

When you use Facebook Login, Facebook sets cookies necessary for authentication:

Facebook Privacy Policy: https://www.facebook.com/privacy/policy/

Functional Cookies

Analytics Cookies

PostHog (Cookie-based)

What PostHog tracks:

  • Page views and navigation patterns
  • Feature usage and interactions
  • Session duration and frequency
  • Device and browser information
  • Referral sources
  • Custom events (e.g., image generations, button clicks)
  • User funnels and conversion paths
  • Server-side conversion events sent to Meta CAPI

PostHog Configuration:

  • Hosted in: EU (PostHog Cloud EU)
  • IP anonymization: Enabled
  • Data location: European Union
  • GDPR-compliant

Plausible Analytics (Cookie-less)

No cookies set - Plausible is a privacy-friendly analytics tool that does not use cookies or collect personal data.

What Plausible tracks:

  • Anonymous page views
  • Referral sources
  • Country-level location (no IP storage)
  • Device type (desktop/mobile/tablet)
  • Browser and OS (aggregated)

Plausible Configuration:

  • No personal data collected
  • No cookies used
  • No cross-site tracking
  • GDPR, CCPA, and PECR compliant by default
  • Data hosted in EU

Plausible Privacy Policy: https://plausible.io/privacy

Marketing Cookies (Meta Pixel)

What Meta Pixel tracks:

  • Page views and site visits
  • Product views and interactions
  • Add to cart events
  • Purchase completions and conversions
  • Lead generation form submissions
  • Custom events (image generation, subscription start)
  • User demographics and interests (inferred)
  • Cross-device behavior

Note: In addition to browser-based tracking via Meta Pixel, we also use Meta Conversions API (CAPI) to send server-side conversion events. This provides:

  • More reliable conversion tracking (not affected by ad blockers)
  • Better attribution and measurement
  • Reduced data loss from browser restrictions
  • Enhanced matching with Facebook users

5. Third-Party Services and Data Sharing

5.1 Google Sign-In

Service Provider: Google LLC
Privacy Policy: https://policies.google.com/privacy
Data Location: United States and global infrastructure

What happens when you use Google Sign-In:

  • You're redirected to Google's authentication page
  • Google authenticates your identity
  • We receive basic profile information (name, email, profile picture)
  • Google sets cookies necessary for authentication
  • You remain logged into your Google account across Google services

Data we receive from Google:

  • Email address
  • Full name
  • Profile picture URL
  • Google User ID

Data Google may collect:

  • When you accessed our site
  • Your interaction with Google Sign-In
  • Device and browser information
  • IP address

Your Google Privacy Controls:

5.2 Facebook Login

Service Provider: Meta Platforms, Inc.
Privacy Policy: https://www.facebook.com/privacy/policy/
Data Location: United States and global infrastructure

What happens when you use Facebook Login:

  • You're redirected to Facebook's authentication page
  • Facebook authenticates your identity
  • We receive basic profile information (name, email, profile picture)
  • Facebook sets cookies necessary for authentication
  • You remain logged into Facebook across Meta services

Data we receive from Facebook:

  • Email address
  • Full name
  • Profile picture URL
  • Facebook User ID

Data Facebook may collect:

  • When you accessed our site
  • Your interaction with Facebook Login
  • Device and browser information
  • IP address
  • Connection with our site (stored in Off-Facebook Activity)

Your Facebook Privacy Controls:

Important: Even if you only use Facebook/Google Login (without accepting marketing cookies), these providers may still track that you used their login on our site. This is beyond our control and governed by their privacy policies.

5.3 PostHog Analytics

Service Provider: PostHog Inc.
Privacy Policy: https://posthog.com/privacy
Data Location: European Union (PostHog Cloud EU)

Purpose:

  • Product analytics and insights
  • User behavior tracking to improve UX
  • Bug identification and performance monitoring
  • Feature adoption measurement
  • User cohort analysis
  • Server-side event tracking for Meta CAPI

Data NOT shared (except Meta CAPI):

  • PostHog data is not shared with advertisers (except conversions to Meta via CAPI)
  • No selling of personal information
  • No cross-site tracking
  • Used only for product improvement and conversion tracking

PostHog to Meta CAPI Integration:We use PostHog to capture conversion events (purchases, signups, etc.) and send them to Meta's Conversions API. This means:

  • Conversion data flows: User Action → PostHog → Meta CAPI → Meta Ads Manager
  • Better conversion tracking than browser-only tracking
  • Works even with ad blockers
  • Improves ad targeting and measurement

5.4 Plausible Analytics

Service Provider: Plausible Insights
Privacy Policy: https://plausible.io/privacy
Data Location: European Union (Hetzner, Germany)

Purpose:

  • Basic, privacy-friendly website analytics
  • Anonymous traffic measurement
  • No personal data collection

Why Plausible:

  • Cookie-less tracking
  • GDPR compliant by default
  • No personal data collected
  • Open-source and transparent
  • Used as a backup/complement to PostHog

5.5 Meta Pixel & Conversions API

Service Provider: Meta Platforms, Inc.
Privacy Policy: https://www.facebook.com/privacy/policy/
Data Location: United States and global infrastructure

Two tracking methods:

A) Browser-based (Meta Pixel):

  • JavaScript tracking code on website
  • Requires user consent
  • Can be blocked by ad blockers
  • Sets cookies in user's browser

B) Server-side (Conversions API / CAPI):

  • Server-to-server communication
  • More reliable than browser tracking
  • Not affected by ad blockers or cookie restrictions
  • Sends hashed user data and conversion events
  • Improves event matching and attribution

Data sent to Meta via CAPI:We send the following data to Meta's servers when a conversion occurs:

  • Event name (Purchase, CompleteRegistration, etc.)
  • Timestamp
  • User information (hashed):
    • Email address (SHA-256 hashed)
    • Phone number (SHA-256 hashed, if provided)
    • First name (hashed)
    • Last name (hashed)
  • Event data:
    • Purchase amount and currency
    • Product IDs
    • Transaction ID
  • Technical data:
    • IP address
    • User agent
    • Click ID (fbc, fbp)
    • Event source URL

Why we use both Pixel + CAPI:

  • Redundancy: If browser tracking fails, server tracking still works
  • Better matching: Combined data improves Facebook's ability to match events to users
  • iOS 14.5+ compatibility: Works around Apple's App Tracking Transparency restrictions
  • Ad blocker resilience: Server events can't be blocked by browser extensions

Your data flow:

You perform action (e.g., purchase)
   ↓
PostHog captures event
   ↓
Event sent to Meta CAPI (server-side, hashed)
   ↓
Meta Pixel also fires (browser-side, if not blocked)
   ↓
Meta deduplicates events using event_id
   ↓
Conversion attributed to your ad campaign

5.6 Payment Processing

Service Provider: Stripe Inc.
Privacy Policy: https://stripe.com/privacy
Purpose: Secure payment processing
Cookies: Stripe may set cookies for fraud prevention and payment processing

6. How to Control Cookies

You have several options to manage or disable cookies:

6.1 Cookie Consent Banner

When you first visit our Site, we display a cookie consent banner allowing you to:

  • Accept all cookies (essential + analytics + marketing)
  • Reject non-essential cookies (only essential)
  • Customize preferences by category:
    • Essential: Always active (includes Google/Facebook Login)
    • Functional: Optional preference cookies
    • Analytics: PostHog tracking (Plausible doesn't require consent)
    • Marketing: Meta Pixel and CAPI

You can change your preferences at any time by clicking the "Cookie Settings" link in our footer.

Important Notes:

  • Essential cookies cannot be disabled as they're necessary for core functionality
  • Google/Facebook Login cookies are considered essential when you choose to use these login methods
  • Plausible Analytics doesn't require consent as it's cookie-less and privacy-friendly
  • Meta CAPI respects your consent choices - we only send conversion events if you've accepted marketing cookies

6.2 Social Login Implications

If you want to avoid Google/Facebook cookies entirely:

  • Use email/password registration instead of social login
  • Clear your browser cookies after using social login
  • Use private/incognito browsing mode

Note: We cannot control cookies set by Google or Facebook during the login process. These are necessary for authentication and governed by their respective privacy policies.

6.3 Browser Settings

Most browsers allow you to:

  • View cookies stored on your device
  • Delete cookies
  • Block all cookies
  • Block third-party cookies
  • Receive notifications before cookies are set

How to manage cookies in popular browsers:

Google Chrome:Settings > Privacy and security > Cookies and other site data

Mozilla Firefox:Settings > Privacy & Security > Cookies and Site Data

Safari:Preferences > Privacy > Cookies and website data

Microsoft Edge:Settings > Cookies and site permissions > Cookies and site data

Note: Blocking essential cookies will break social login functionality and other core features.

6.4 Third-Party Opt-Out Tools

Google:

Facebook/Meta:

PostHog:

  • Use our Cookie Settings to disable analytics cookies
  • Enable "Do Not Track" in your browser (we honor this setting)

Meta Pixel/CAPI:

Industry-Wide Opt-Out:

6.5 Do Not Track (DNT)

We respect the "Do Not Track" browser setting:

  • PostHog: DNT is honored - analytics disabled
  • Plausible: Already privacy-friendly, DNT honored
  • Meta Pixel/CAPI: Meta's DNT policy varies; use their privacy controls
  • Social Login: Cannot be disabled as it's essential functionality

6.6 Mobile Devices

iOS:

  • Settings > Privacy & Security > Tracking
  • Settings > Safari > Prevent Cross-Site Tracking
  • Settings > Safari > Block All Cookies

Android:

  • Settings > Privacy > Ads
  • Settings > Google > Ads
  • Chrome > Settings > Site settings > Cookies

7. Consequences of Disabling Cookies

Essential Cookies Disabled:

  • ❌ Cannot log in with Google or Facebook
  • ❌ Unable to maintain sessions
  • ❌ Payment processing failures
  • ❌ Loss of security features
  • ❌ Core functionality broken

Functional Cookies Disabled:

  • ⚠️ Loss of personalization
  • ⚠️ Need to re-enter preferences
  • ⚠️ Reduced UX quality

Analytics Cookies Disabled:

  • ✅ No impact on functionality
  • ℹ️ We receive less data to improve the site
  • ℹ️ Plausible still works (cookie-less)

Marketing Cookies Disabled:

  • ✅ No impact on functionality
  • ℹ️ Ads less relevant to you
  • ℹ️ We can't measure ad effectiveness well
  • ℹ️ May see same ads repeatedly

8. Meta Conversions API (CAPI) - Detailed Explanation

8.1 What is CAPI?

Meta Conversions API allows us to send conversion events directly from our server to Meta, bypassing the browser entirely. This provides:

  • More reliable tracking
  • Better privacy controls
  • Improved ad performance
  • Resilience against ad blockers and browser restrictions

8.2 How CAPI Works

User Action (e.g., purchase)
   ↓
Captured by PostHog (our analytics)
   ↓
PostHog triggers webhook/integration
   ↓
Our server sends hashed data to Meta CAPI
   ↓
Meta receives and processes event
   ↓
Event attributed to ad campaign

8.3 Data Sent via CAPI

Event Data:

  • Event name (Purchase, Lead, CompleteRegistration, etc.)
  • Event time
  • Event ID (for deduplication with browser Pixel)
  • Action source (website)
  • Event source URL

User Data (all hashed with SHA-256):

  • Email address
  • Phone number (if provided)
  • First name
  • Last name
  • City
  • State/Region
  • Postal code
  • Country

Technical Data:

  • Client IP address
  • Client user agent
  • Click ID (fbc/fbp from cookies, if available)

8.4 Privacy & Hashing

All personal data is hashed before transmission:

  • We use SHA-256 cryptographic hashing
  • Original data never leaves our servers unencrypted
  • Meta receives only hashed values for matching
  • Hashing is one-way (cannot be reversed)

Example:

Original email: john@example.com
Hashed email: 5d41402abc4b2a76b9719d911017c592...

Meta uses these hashed values to match events with Facebook users while protecting privacy.

8.5 CAPI and Consent

We respect your consent choices:

  • If you reject marketing cookies, we do NOT send CAPI events
  • If you accept marketing cookies, both Pixel and CAPI are active
  • You can withdraw consent anytime via Cookie Settings
  • Upon withdrawal, CAPI events stop immediately

8.6 Event Deduplication

To avoid double-counting:

  • Each event has a unique event_id
  • Both browser Pixel and server CAPI send same event_id
  • Meta automatically deduplicates events
  • You're only counted once per conversion

8.7 Benefits of CAPI

For you (user):

  • More privacy (server-side processing)
  • Better ad relevance (improved targeting)
  • Reduced browser fingerprinting

For us (business):

  • More accurate conversion tracking
  • Better return on ad spend
  • Resilient to iOS 14.5+ privacy changes
  • Works with ad blockers active

9. Data Retention

Our first-party cookies:

  • Session cookies: Deleted when you close browser
  • Persistent cookies: Up to 1-2 years (varies by type)
  • You can delete anytime via browser settings

Third-party cookies:

  • Google: Up to 2 years (varies by cookie)
  • Facebook: Up to 2 years (varies by cookie)
  • Governed by their respective policies

PostHog data:

  • Event data: 12 months
  • User profiles: Until account deletion
  • Can be deleted upon request

Meta CAPI data:

  • Events retained per Meta's data retention policy
  • Typically 90 days for ad measurement
  • Longer for business records and compliance

Plausible data:

  • Aggregated stats: 2 years
  • No personal data stored (N/A)

10. International Data Transfers

PostHog:

  • Hosted in EU (PostHog Cloud EU)
  • Data remains in European Economic Area
  • GDPR compliant

Plausible:

  • Hosted in EU (Germany)
  • Data remains in European Union
  • GDPR compliant by design

Google (Sign-In):

  • Global infrastructure including US
  • EU-US Data Privacy Framework participant
  • Standard Contractual Clauses

Meta (Login, Pixel, CAPI):

  • Global infrastructure including US
  • Standard Contractual Clauses
  • Supplementary measures for EU transfers
  • Post-Schrems II compliant

Stripe:

  • Global payment processing
  • EU-US Data Privacy Framework participant
  • GDPR compliant processing

11. Your Rights

11.1 Under GDPR (EU/EEA/UK)

You have the right to:

  • Access your data held by us and third parties
  • Rectify inaccurate data
  • Erase your data ("right to be forgotten")
  • Restrict processing
  • Data portability
  • Object to processing (including marketing)
  • Withdraw consent at any time
  • Lodge a complaint with supervisory authority

To exercise rights with us: [your email]

To exercise rights with third parties:

11.2 Under CCPA/CPRA (California)

You have the right to:

  • Know what data is collected and shared
  • Access your personal information
  • Delete your personal information
  • Opt out of "sale" of personal information
  • Non-discrimination for exercising rights

"Do Not Sell My Personal Information":While we don't directly sell data, Meta Pixel/CAPI may constitute a "sale" under CCPA. You can opt out via:

11.3 Other Rights

Depending on your location, you may have additional rights under:

  • Brazil's LGPD
  • Canada's PIPEDA
  • Other local data protection laws

Contact us at [your email] to learn more.

12. Children's Privacy

Our Site is not intended for children under 13. We do not knowingly collect data from children.

Age requirements:

  • Our service: 13+ (18+ for some features)
  • Google Account: 13+ (varies by country)
  • Facebook Account: 13+ (varies by country)

If you believe we've collected data from a child, contact us immediately at [your email].

13. Changes to This Policy

We may update this Cookie Policy to reflect:

  • New technologies or services
  • Changes in legal requirements
  • User feedback
  • Business changes

When we make changes:

  • "Last Updated" date will change
  • You may receive email notification
  • You may need to re-consent
  • Continued use implies acceptance

14. Contact Us

Coloriboo
Email: hello@coloriboo.com
Website: https://www.coloriboo.com/

For specific services:

For EU residents:EU Data Protection Authorities: https://edpb.europa.eu/about-edpb/board/members_en

Stay inspired

Get ideas