Cookie Policy
This Cookie Policy explains how Rollout uses cookies and similar technologies on getrollout.app and the related web app. It supplements our Privacy Policy. The desktop application does not use browser cookies — only the website does.
1. What cookies are
Cookies are small text files a website stores in your browser. They let the site remember things between page loads — for example, whether you're signed in. “Similar technologies” covers things like local storage, which works the same way for our purposes. We use the word “cookie” in this policy to cover both.
A first-party cookie is set by Rollout. A third-party cookie is set by another service we embed (e.g. Clerk for authentication, Stripe for payments). Both types are listed below where relevant.
2. Categories of cookies we use
Rollout sets only strictly necessary cookies on the public website. We do not use advertising cookies or cross-site tracking. Inside the signed-in web app, we additionally use a privacy-respecting product-analytics tool (PostHog) on an opt-in basis — described in section 4 below. PostHog stores its data in your browser's local storage rather than in cookies.
3. Strictly necessary cookies
These cookies are required for core functionality — keeping you signed in, securing payment flows, and protecting against bots and fraud. The website cannot operate without them, so they are exempt from consent under EU ePrivacy rules (Directive 2002/58/EC, Art. 5(3)).
Authentication (Clerk)
Clerk handles sign-in and session management on .getrollout.app and .clerk.getrollout.app.
- __client — your active session. Set by Clerk on .clerk.getrollout.app. Persistent.
- __client_uat, __client_uat_QP3npOhj — session timestamps used by Clerk middleware. Persistent.
- __clerk_environment — environment metadata used by the Clerk SDK. Stored in browser local storage; not transmitted to any server.
More about Clerk: clerk.com/legal/privacy.
Bot protection & performance (Cloudflare)
Clerk sits behind Cloudflare, which sets the following cookies on .clerk.getrollout.app to filter abusive traffic and keep authentication endpoints fast.
- __cf_bm — Cloudflare Bot Management. Expires after about 30 minutes.
- _cfuvid — Cloudflare rate-limiting. Expires when the browser session ends.
More about Cloudflare cookies: cloudflare cookies reference.
Payments (Stripe)
Stripe Checkout is loaded only when you start a subscription or upgrade. Stripe sets its own cookies on the checkout page for fraud prevention and session integrity. These are essential to the payment flow and are described in Stripe's own privacy documentation: stripe.com/privacy.
Font delivery (Fontshare)
Fontshare delivers display fonts used across the site and may set a short-lived s7 cookie on its own domain (api.fontshare.com) to balance font requests across their CDN. This is not analytics or tracking — it is part of font loading.
4. Product analytics inside the signed-in app (PostHog)
Once you sign in, the web app shows a consent banner asking whether you're happy for us to capture basic product-usage analytics via PostHog. Capture is off by default and only turns on if you choose “Accept.” You can change your mind at any time from Settings.
When enabled, we capture a small set of product events — for example: a project upload was queued, an upload was published to YouTube, an upload failed, a YouTube channel was connected, or a subscription checkout was started. We do not capture the contents of your projects, your audio or video files, or anything you type into the app.
PostHog uses your browser's local storage (not cookies) to remember an anonymous device identifier and your consent state. PostHog's EU region (eu.i.posthog.com) is used so data stays in the EU. Declining keeps PostHog opted out and no events are sent.
4a. What we don't use
To be explicit, Rollout does not set or load:
- Advertising or remarketing cookies.
- Third-party analytics other than PostHog — no Google Analytics, Plausible, Mixpanel, Amplitude, etc.
- Session-replay tools (no Hotjar, FullStory, Microsoft Clarity).
- Social-media tracking pixels (no Meta Pixel, TikTok Pixel).
- Cross-site tracking technologies of any kind.
If we add any of the above, we will update this page and ask for your consent before turning anything on.
5. How to control cookies
You can clear or block cookies at any time through your browser settings. Helpful guides for the major browsers:
Blocking the strictly necessary cookies above will break sign-in, checkout, or both. The site will not work without them.
6. Web beacons & pixels
We do not use web beacons, tracking pixels, or clear GIFs in emails or on the site.
7. Changes to this policy
We will update this page when our cookie use changes — for example, if we add analytics — and bump the “Last updated” date at the top.
8. Contact
Questions about this policy? support@getrollout.app.