Cookie Policy
Effective date: 2026-05-28 · DRAFT v2 — counsel review required before public reliance
> Notice to readers. This document is a working draft prepared by CRMish staff and AI assistance. It is not legal advice and has not been reviewed by counsel. Questions: privacy@crmish.io.
1. What this Policy covers
This Cookie Policy explains how CRMish uses cookies and similar technologies (browser local storage, push subscription endpoints) on the CRMish web application at https://crmish.io, our marketing pages, and the public profile pages at /r/[handle].
For broader information about how we handle personal information, see our Privacy Policy. For our agreement of use, see the Terms of Service.
2. What is a cookie?
A cookie is a small text file that a website stores on your browser when you visit. Cookies let the site remember information about you so you don't have to re-enter it on every page (for example, that you're signed in). Similar technologies — local storage, service workers, push subscriptions — serve overlapping purposes.
Cookies are classified by:
- Duration — session cookies expire when you close the browser; persistent cookies survive across sessions.
- Origin — first-party cookies are set by us; third-party cookies are set by external services.
- Purpose — strictly necessary, functional, analytics, or marketing. CRMish uses only strictly-necessary and (optionally) functional categories.
3. Cookies we use
3.1 Strictly necessary
These are required to operate the Service. You cannot opt out of these and still use the Service; if you block them, sign-in will not work.
| Name | Provider | Purpose | Duration | |---|---|---|---| | accountable-crm-session | CRMish (first-party) | Keeps you signed in across page loads. Server-issued, encrypted with iron-session. HTTPOnly + Secure + SameSite=Lax flags in production. | Rolling ~14 days, refreshed on each request |
3.2 Functional (set only when you opt in)
These are not set unless you explicitly enable the corresponding feature.
| Identifier | Provider | Purpose | Duration | |---|---|---|---| | Push subscription endpoint | Mozilla / Google / Apple push services (via your browser) | Stored server-side after you click "Enable push notifications." Used to deliver Daily Drop, Sprint, and reminder notifications. Not a cookie strictly speaking — it's a Web Push API subscription object. | Until you toggle off or the browser endpoint expires | | Service worker cache | CRMish (first-party) | Installed only if you install the app as a PWA. Caches static assets for offline use of installed pages. | Until you uninstall the PWA or clear site data |
3.3 Third-party (set only during checkout or bot-protection challenges)
| Provider | When set | Purpose | More info | |---|---|---|---| | Stripe | Visiting /pricing or going through checkout | Fraud detection, payment session continuity | Stripe Cookie Policy | | Cloudflare Turnstile | Sign-up and sign-in pages | Bot protection challenge | Cloudflare Privacy Policy |
We do not use analytics cookies, advertising cookies, social-media tracking pixels, or any cross-site tracking technologies.
4. Your choices
4.1 Browser controls
Most browsers let you view, manage, and block cookies under Settings → Privacy. Blocking the accountable-crm-session cookie will sign you out and prevent re-sign-in. Blocking third-party cookies will not affect strictly-necessary functionality.
| Browser | How to manage cookies | |---|---| | Chrome | Settings → Privacy and security → Cookies | | Safari | Preferences → Privacy → Manage Website Data | | Firefox | Settings → Privacy & Security → Cookies | | Edge | Settings → Cookies and site permissions |
4.2 Push notifications
You can disable push notifications at any time from Settings → Notifications inside CRMish, or in your browser/OS notification settings. Disabling there removes the subscription endpoint from our database on next sync.
4.3 Service worker cache (PWA)
To remove the service worker cache, uninstall the CRMish PWA from your device or browser, or use your browser's "Clear site data" tool.
4.4 Do Not Track
We do not respond to "Do Not Track" browser signals because there is no industry consensus on what they mean. We do not perform cross-site tracking regardless.
4.5 Global Privacy Control (GPC)
We do not sell or share personal information for cross-context behavioral advertising. We will respect GPC signals where required by law as an opt-out of any future sale or sharing.
5. When we add new cookies
If we add analytics, marketing, or other non-strictly-necessary cookies in the future, we will:
1. Update this Policy with the new entries before activation, and 2. Present a consent banner that gives you a clear choice before any non-strictly-necessary cookie is set.
Until that change, there is no consent banner because there is nothing to consent to beyond the single strictly-necessary session cookie.
6. Changes to this Policy
We will post material changes to this Policy at this URL. The "Effective date" at the top reflects the latest revision.
7. Contact
Questions about this Policy: privacy@crmish.io.
Document version: cookies-v2 · Last updated 2026-05-28. Counsel review pending.