Cookie Policy
What are cookies
Cookies are small text files stored on your device when you visit a website. They are widely used to make websites function correctly, improve user experience, and provide analytics. Similar technologies include localStorage and sessionStorage, which serve analogous purposes.
How we use cookies
Leakeo uses a minimal set of cookies and browser storage. We do not use advertising cookies, tracking pixels, or third-party marketing technologies. We do not use cookies to build profiles for advertising purposes.
Types of cookies we use
| Name / Key | Type | Purpose | Duration | Provider |
|---|---|---|---|---|
__session / Firebase auth tokens | Strictly necessary | Maintains your authenticated session in the Leakeo dashboard. Required for the service to function. | Session / until sign-out | Google Firebase |
_lk_app_sid (sessionStorage) | Performance | Internal session identifier used for product analytics within the Leakeo dashboard. Not a tracking cookie — used only for Leakeo's own usage monitoring. Consented to at signup. | Session (cleared on tab close) | Leakeo |
| reCAPTCHA cookies | Strictly necessary (security) | Google reCAPTCHA v3 is used via Firebase App Check to verify that requests to our servers come from legitimate clients and not automated bots. Required for platform security. | Session / persistent |
What we do not use
We do not use:
- Google Analytics or similar analytics platforms
- Facebook Pixel or other advertising network tracking
- Hotjar, FullStory, or session recording tools
- Any third-party marketing or retargeting cookies
- Cross-site tracking of any kind
- Browser fingerprinting
Cookies on your store (Leakeo tracker script)
When you install the Leakeo tracking snippet on your store, it uses the following cookies and browser storage on your store visitors' browsers:
Cookies
| Name | Category | Purpose | Duration | Attributes |
|---|---|---|---|---|
_lk_vid | Analytics | A randomly generated visitor identifier (UUID) used to recognise returning visitors across sessions. It is not derived from any personal information and cannot be used to identify a specific individual. Only set when the visitor has given consent. | 730 days (2 years) | First-party, SameSite=Lax, Secure |
localStorage
| Key | Category | Purpose | Duration |
|---|---|---|---|
_lk_uid | Analytics / Functional | User identifier set via the window.leakeo.identify() API. Used for cross-device user linking when the visitor is logged in to your store. Only populated when you explicitly call the identify method. | Persistent (until cleared by the visitor or your application) |
sessionStorage (all cleared when the tab closes)
| Key | Category | Purpose | Duration |
|---|---|---|---|
_lk_sid | Functional | Session identifier (random string) used to group events that occur during the same browsing session. | Session (tab close) |
_lk_sent | Functional | JSON array of sent event scopes. Prevents duplicate events from being transmitted within a single session. | Session (tab close) |
_lk_pc | Functional | Page count — tracks the number of pages viewed within the current session. | Session (tab close) |
_lk_ss | Functional | Session start timestamp (milliseconds). Used to calculate session duration. | Session (tab close) |
_lk_utm | Functional | Caches traffic attribution and device context for the duration of the session: UTM parameters (source, medium, campaign), referrer hostname, screen and viewport dimensions, browser language, and connection type. Captured once on first page load. | Session (tab close) |
_lk_type | Functional | Detected site type (e.g. "ecom", "saas", or "unknown"). Used to enable platform-specific tracking features. Cached once per session. | Session (tab close) |
_lk_vid_nc | Functional | Session-only visitor identifier (UUID). Only present when the tracker is configured with data-consent="false" and the visitor has not yet given consent. Replaces the persistent _lk_vid cookie to provide session-scoped identification without requiring consent. | Session (tab close) |
The _lk_vid cookie is classified as an analytics cookie, not a strictly necessary cookie. Under GDPR and the ePrivacy Directive, this means your store visitors must give consent before this cookie is set.
Consent behaviour
The Leakeo tracker supports a built-in consent mode. When you add data-consent="false" to the tracker script tag:
- No
_lk_vidcookie is created until the visitor gives consent. - A session-only identifier (
_lk_vid_nc) is stored in sessionStorage instead, providing limited session-scoped analytics without persistent tracking. - Events are queued in memory (up to 50) until your application calls
window.leakeo.consent(). - Once consent is given, the persistent
_lk_vidcookie is set and all queued events are flushed to the server.
This allows you to load the tracker script immediately and defer consent collection to your own cookie banner or consent management platform.
Your responsibilities as a Leakeo customer
Because you control your store and your relationship with your visitors, you are responsible for:
- Including the Leakeo tracker cookie (
_lk_vid) in your store's cookie consent banner. - Either loading the Leakeo tracker script after the visitor has given consent for analytics cookies, or using the built-in
data-consent="false"mode and callingwindow.leakeo.consent()once consent is obtained. - Mentioning Leakeo (or "third-party analytics services") in your store's privacy policy.
The sessionStorage keys (_lk_sid, _lk_sent, _lk_pc, _lk_ss, _lk_utm, _lk_type, _lk_vid_nc) and the localStorage key (_lk_uid) are functionally required for the Leakeo tracker to operate correctly. The sessionStorage keys do not persist beyond the browser tab session. The _lk_uid localStorage key is only set when you explicitly call the identify API. These are covered by the consent given for the Leakeo analytics tracker and do not require separate consent.
Your choices
The cookies we use are either strictly necessary for authentication and security, or for internal product analytics only. Disabling strictly necessary cookies will prevent you from signing in to Leakeo.
You can manage cookies through your browser settings. Most browsers allow you to view, block, or delete cookies. Blocking all cookies will affect your ability to use the Leakeo platform.
Changes
We will update this page if we change our cookie practices. The "Last updated" date at the top reflects the most recent revision.
Contact
Questions about cookies? Use the in-app support form or the contact form.