Cookie Policy

1. What this covers

This Cookie Policy describes the cookies and similar technologies (local storage, session storage, pixel tags) used by Scrivly, Inc. d/b/a Aewita on:

• The marketing website at aewita.com.
• The application at app.aewita.com.

It supplements the Privacy Policy. If a conflict arises between the two documents about cookies specifically, this Cookie Policy controls.

2. Plain-English summary

We take a minimalist approach. The marketing site runs with no advertising cookies and no cross-site trackers. Inside the app we use session cookies so you can stay logged in and CSRF tokens so we can verify that requests actually came from you. We do not participate in ad networks and we do not embed social-media "share" buttons that phone home when the page loads.

3. What is a cookie

A cookie is a small text file that a website stores in your browser. When you return to that website, the browser sends the cookie back, which is how the site recognizes you. Cookies serve different purposes and come in several flavors:

• First-party cookies are set by the site you are on (e.g., aewita.com). They can only be read by that site.
• Third-party cookies are set by a different domain loaded inside the page (for example, an advertising network that has embedded a script). They can be read across every site that embeds the same third party. We avoid these almost entirely.
• Session cookies are deleted when you close your browser. They cannot follow you past a single visit.
• Persistent cookies stay for a defined period (e.g., 30 days, 1 year) and are usually used to remember preferences or keep you signed in.

Related technologies include browser local storage, session storage, and pixel tags. We treat all of these the same way: we use them only where there is a clear functional need, and we list them below alongside cookies.

4. Cookies we use

The list below is exhaustive. If we add a cookie, we update this page.

Strictly necessary

Required for the Service to function. You cannot opt out of these without losing the ability to log in.

• aw_session (app only) — authenticated session identifier. Lifetime: up to 30 days or until logout, whichever comes first. HttpOnly, Secure, SameSite=Lax.
• aw_csrf (app only) — CSRF protection token. Lifetime: session. Secure, SameSite=Strict.
• aw_auth_state (app only, transient) — OAuth round-trip state during DMS connection flows. Lifetime: 10 minutes.

Preferences

Remember settings so you don't have to repeat yourself.

• aw_theme — light or dark mode. Lifetime: 1 year.
• aw_last_workspace — which workspace you opened last, so we can return you there on next login. Lifetime: 1 year.

Analytics

We use privacy-respecting, aggregate-only analytics to understand which pages are useful. No cross-site tracking.

• Vercel Web Analytics on the marketing site. Uses a first-party, short-lived session identifier (not a persistent cookie). No IP address is stored in raw form; Vercel truncates before logging. No user identifier is shared across sites.

We currently use no analytics inside app.aewita.com beyond the server-side operational telemetry described in the Privacy Policy.

Similar technologies in the app

Inside app.aewita.com we use a few non-cookie storage mechanisms that are functionally similar:

• Browser local storage for lightweight UI state (which panels you have expanded, draft text in an unsent editor). Cleared when you log out.
• Session storage for multi-step flows (e.g., an in-progress DMS connection) that should not persist past a tab close.

We do not use web beacons, tracking pixels, or browser fingerprinting. The Service does not try to re-identify you across devices using canvas fingerprinting, audio fingerprinting, font enumeration, or other probabilistic signals.

NOT used

For clarity, Aewita does not set or permit any of the following on aewita.com or app.aewita.com:

• Third-party advertising cookies (Google Ads, Meta, LinkedIn, TikTok, X, etc.).
• Retargeting pixels of any kind.
• Cross-site trackers, cross-device trackers, or identity graphs.
• Social-media share-button pixels that transmit visitor data back to the network before a click.
• Session replay or behavioral recording tools (e.g., FullStory, Hotjar, LogRocket, Mouseflow).
• Heat-mapping, rage-click recording, or form-field analytics.
• Ad-network conversion tags, affiliate pixels, or link-click rebroadcasters.

We commit to this list actively: adding any of these categories would require a material update to this Cookie Policy and, where required, consent from visitors before the cookie is set.

5. How to control cookies

You have several ways to control cookies:

• Browser controls. Every modern browser lets you block, delete, or restrict cookies per-site. We support private browsing modes without breaking the marketing site.
• Do Not Track. We honor the DNT header for all non-essential cookies. If your browser sends DNT, we treat you as having opted out of optional analytics on the marketing site.
• Global Privacy Control (GPC). We honor the GPC signal as an opt-out of "sale" and "sharing" under CPRA, though again, we do not sell or share.
• In-app. Blocking strictly necessary cookies will prevent you from logging in to app.aewita.com. There is no workaround for that, because session identity requires a session cookie.

Because we do not set optional tracking cookies by default, we do not interrupt your visit with a consent banner on aewita.com. If you are in a jurisdiction that requires explicit consent for a specific cookie we later add, we will ask for consent before setting it.

6. Third parties

A small number of third-party services may set their own cookies when you interact with their specific feature:

• Stripe Checkout sets its own cookies when you are on the Stripe-hosted checkout page during signup or billing updates. These are governed by Stripe's own cookie policy.
• Vercel may set operational cookies tied to CDN routing on aewita.com. These do not identify you personally and are not used for advertising.
• status.aewita.com is a separately operated status page; its cookies (if any) are governed by the status page vendor's policy, linked from the status page itself.

We do not control the cookies third parties set on their own domains. When we link to those services, we link to their policies as well.

6a. A note on consent banners

You may notice that aewita.com does not show a consent banner. That is intentional. Consent banners exist to gate optional cookies behind your agreement. We do not set optional cookies on the marketing site by default, so there is nothing to ask permission for. If we ever add a cookie that requires consent under applicable law, we will show a banner at that point, and we will design it so the least-intrusive option (reject all optional cookies) is as easy as the most-intrusive option. If you are in a jurisdiction that grants you specific cookie-consent rights and you believe we have missed one, tell us at legal@aewita.com and we will fix it.

6b. What happens if you block our cookies

If you block the strictly necessary cookies on app.aewita.com, login will not work; the server cannot recognize that a request belongs to your session. That is a property of cookie-based authentication on the web generally, not a limitation we have imposed. If you block the preference cookies, the Service still works; you will simply see the default theme and default workspace on each visit. If you block our analytics on aewita.com (either by sending DNT/GPC or by blocking first-party analytics scripts at the browser level), the marketing site still works; we just lose aggregate visibility into which pages are useful to readers.

7. Changes to this Policy

We may update this Cookie Policy. Material changes will be announced at the top of this page, and the "Last updated" date will be revised. For customers logged into the app, material changes that affect your experience are also announced by email. We keep prior versions of this page on request so you can see what was in force at the time of your visit.

8. Contact

Questions about cookies or anything on this page:

Scrivly, Inc. d/b/a Aewita
Attn: Privacy
Wilmington, DE
legal@aewita.com