Cookie Policy
Last updated 8 June 2026
UK ICO registration ZC117586
1. What this policy covers
This Cookie Policy explains how Pip (pip.app), operated by Chxrles LTD trading as Pip Decks (company number 11587388, registered in England and Wales, registered office Merchants House, Market Place, Stockport, England, SK1 1EU), uses cookies and similar technologies when you use the Service.
It should be read together with our Privacy Policy, and in particular the cookies section of that policy, which explains how we handle personal data more broadly. The Privacy Policy also sets out where the personal data that follows from these cookies is processed, including the safeguards we apply to any transfer of that data outside the UK and EEA. Where this policy and the Privacy Policy overlap on cookies, read them together.
The Service includes an AI chat assistant. For how we use artificial intelligence in the Service, and for the transparency information required under applicable AI law, including the requirement to tell you when you are interacting with an AI system, please see our Privacy Policy. This Cookie Policy deals only with cookies and similar technologies; it does not itself set out how the AI works. The AI assistant does not set additional cookies beyond those listed in section 4.
2. What cookies are
Cookies are small text files a website stores on your device. Similar technologies include local storage and session storage (browser storage that works like a cookie) and pixels (tiny images used to record that an email or page was opened). In this policy "cookies" covers all of these.
We group cookies into four categories:
- Strictly necessary cookies, which the Service cannot work without, or which deliver a function you have asked us to provide. These do not require your consent.
- Analytics cookies, which help us understand how the Service is used, including product analytics and session recording (session replay). These are set only with your consent.
- Functional and preference cookies, which remember choices you make. Where these are not essential to a function you have requested, we set them only with your consent.
- Marketing cookies and tracking, which measure and support our marketing, including the email open-and-click tracking described in section 7. We set these only with your consent. We do not currently set a marketing or advertising cookie on the website itself.
These four categories match the choices our consent banner offers you: strictly necessary (always on), analytics, functional, and marketing.
3. Your choices
When you first visit pip.app you are shown a cookie banner. It offers a Reject all option presented with the same prominence as Accept all, and it lets you choose analytics and marketing separately. Strictly necessary cookies are always on because the Service cannot function without them.
We store your choice in a cookie called consent_preferences so we do not ask you again on every visit. This record lasts for 365 days. After that period the record expires, the consent banner is shown again, and we ask for your choice afresh, so your consent does not continue indefinitely without being renewed.
You can withdraw or change your consent at any time. You can do this by clearing the consent_preferences cookie in your browser settings, which makes the banner appear again on your next visit so you can make a fresh choice, or by contacting us at support@pipdecks.com, and we will action your request. Strictly necessary cookies cannot be switched off because the Service cannot run without them.
Managing cookies in your browser
Separately from our banner, every major browser lets you view, block, and delete cookies directly. You can usually find these controls in your browser's privacy or settings menu, and the help pages for Chrome, Safari, Firefox and Edge each explain the steps. A neutral guide is also available at aboutcookies.org. Please note that blocking or deleting strictly necessary cookies may stop parts of the Service from working, for example by signing you out or preventing checkout.
4. Cookies we set
The tables below describe the cookies and similar technologies the Service uses. Cookie names and lifetimes are indicative of how the relevant service is configured and may change as the underlying tools are updated. Where we describe how a third party that we do not control (for example PostHog, Stripe or Clerk) processes data or configures its technology, that description reflects our understanding and our own configuration at the date shown above. It is not a continuing warranty, and it is not a representation about how that third party operates its own systems.
Strictly necessary (no consent required)
| Cookie / storage | Set by | Purpose | Roughly how long |
|---|---|---|---|
__session, __clerk_db_jwt (and related __clerk_*) |
Clerk | Keep you signed in and secure your session (sign-in is by email one-time code) | Session / short-lived |
consent_preferences |
Pip | Remember your cookie choices so we do not re-ask | 365 days |
geo_country |
Pip | Determine which region's cookie and consent rules apply to you, so the consent banner is shown and configured correctly | 30 days |
currency |
Pip | Show prices in the currency for your region so we can present and deliver the checkout you ask us to provide | 30 days |
The Clerk session cookies (__session, __clerk_db_jwt and related __clerk_*) are strictly necessary and exempt from consent under Regulation 6(4) of the UK PECR, because they are used solely to provide the sign-in service you have asked us to provide and to keep your session secure. We use Clerk only for email one-time-code sign-in; we do not offer social or single-sign-on logins, so no third-party social-login cookies are set.
We treat geo_country as strictly necessary because it is what tells the Service which consent rules to apply to you and whether to show the consent banner at all. We treat currency as strictly necessary because it lets us show you the correct price for your region and deliver the checkout you ask us to provide. We have assessed currency against the ICO necessity test: it is set to honour the region and price we present to you rather than to track you, and it carries no analytics or advertising function, so we do not consider that it requires consent. If our assessment of this cookie changes, we will move it behind the consent banner.
Analytics, including session recording (set only with your consent)
| Cookie / storage | Set by | Purpose | Roughly how long |
|---|---|---|---|
PostHog cookies / local storage (for example ph_*) |
PostHog (eu.i.posthog.com) | Product analytics and session recording (session replay), so we can understand and improve how the Service is used | Up to ~12 months |
Analytics consent also enables session recording (session replay), which records how pages are used during your session. We treat this as a distinct activity and set it only with your analytics consent.
PostHog runs without setting cookies until you give analytics consent, and sets these cookies only after you opt in. PostHog is currently configured on an EU (Frankfurt) instance and processes this data on our behalf as our service provider under a written data-processing contract. We describe our current configuration here and may change our analytics tooling as set out in section 8.
Where session recording is used, it is currently configured to mask text and form input and to block embedded video, with the aim that the content of your messages and what you type into the Service is not captured. This describes our current configuration. We may change our analytics tooling as set out in section 8, and our description of PostHog's processing is not a continuing warranty about how PostHog operates.
Functional and preference cookies
We do not currently set any non-essential functional or preference cookies. If we add any, we will list them here and, where consent is required, gate them behind the consent banner.
Third-party cookies during checkout
When you go through checkout, Stripe sets its own cookies. The cookies needed to run the payment session are necessary for the payment to work. Stripe also sets cookies for fraud prevention, which it sets and controls under its own responsibility as a separate controller, on the basis of its legitimate interest in preventing fraud. These fraud-prevention cookies are only set once you proceed to checkout, which is a function you have asked us to provide, and we rely on Stripe's separate-controller status for that processing. That fraud prevention may involve recognising your device across different sites, which is how fraud detection of this kind works. The description here reflects our understanding at the date above and is not a representation about Stripe's processing, which is governed by Stripe's own policies, not ours. The Stripe cookies are set under Stripe's cookie policy and privacy policy, and appear during the checkout flow.
5. Service providers behind these cookies and the Service
Some of the cookies and technologies above are set or read by service providers who process personal data on our behalf as our processors. We put an Article 28 data-processing agreement in place with each processor that handles personal data on our behalf before it begins processing, and we require each processor to apply appropriate technical and organisational safeguards. These providers act on our instructions and may not use your data for their own purposes. The Privacy Policy contains the full sub-processor list and the safeguards that apply to any transfer of personal data outside the UK and EEA. The providers most relevant to the cookies and storage described in this policy, and to the personal data they involve, are:
| Provider | Role | Where relevant to this policy |
|---|---|---|
| Clerk | Authentication (email one-time-code sign-in) | Sets the strictly necessary session cookies in section 4 |
| PostHog | Product analytics and session recording (EU / Frankfurt instance) | Sets the analytics cookies and storage in section 4, only after you give analytics consent |
| Stripe | Payment processing | Sets the checkout and fraud-prevention cookies in section 4; acts as a separate controller for fraud prevention |
| Klaviyo | Marketing email (consent-gated) | Operates the email open-and-click tracking in section 7, only where you have consented to marketing email |
| Neon | Primary database (account data and conversation history) | Stores the account and conversation data that follows from your use of the Service |
| Upstash | Rate limiting and short-lived request caching | Holds transient request-rate counters and in-flight request data; does not set cookies on your device |
| Vercel | Hosting and data-export storage | Hosts the Service and stores data-export archive files we generate at your request |
| OpenAI | AI model provider (fallback) | Processes chat messages only as a fallback when our primary AI provider is unavailable; does not set cookies on your device |
We put an Article 28 data-processing agreement in place with each service provider that processes personal data on our behalf before it begins processing, and we require each provider to apply appropriate technical and organisational safeguards, so that your data is handled under contractual safeguards from the outset. The AI providers above (and our other AI processing) are described in full in our Privacy Policy.
In addition, we retain a residual, read-only connection to Google LLC (Firebase) used solely to read legacy onboarding and customer-record data created before our current systems, for the limited purpose of migrating that data. This legacy path is not used for chat, sign-in, or account data, and is being retired. Any transfer of personal data to Google under this legacy path relies on Google's certification under the EU-US Data Privacy Framework (DPF) and the equivalent UK extension.
Memory note
If you use the AI assistant, it can remember certain facts you tell it so it can be more helpful in later conversations. Those remembered facts, derived from your conversations, are stored as "memories" in our own systems, in the same database (Neon) that holds your account and conversation history, described in section 5. The memory feature does not set cookies on your device; it stores memory server-side, linked to your account. You can view and delete individual memories in your account settings, and when you delete your account we delete your stored memories along with the rest of your personal data, as described in section 6.
6. How long cookie-related data is kept
The cookies and storage above last for the periods shown in section 4. Where the personal data that follows from your use of the Service is stored beyond the life of a cookie, the retention periods are set out in full in our Privacy Policy. When you delete your account, we delete your personal data, including any memory stored in our own database as described in section 5, within one month of deletion, except where we are required by law to retain certain records (for example billing records).
7. Marketing and email tracking
We do not set marketing or advertising cookies on pip.app, and Pip does not run its own third-party advertising or cross-site behavioural-advertising cookies. The only third-party cookies that may involve cross-site device recognition are Stripe's separately-controlled fraud-prevention cookies, described in section 4, which exist solely to prevent fraud.
Our consent banner includes a separate Marketing preference. That preference governs your consent to the email open-and-click tracking described below, and to any marketing or advertising cookie we may introduce in future. It does not switch on a marketing cookie that is live on the website today, because we do not currently set one. If that changes, we will list the cookie in section 4 and it will only be set where you have given this consent.
If you have consented to marketing email, the marketing emails we send (through Klaviyo) may contain a small pixel that records whether the email was opened and which links were clicked, so we can measure how our email marketing performs. This tracking happens within the email, not through a cookie on the website, and only where you have consented to marketing email. You can withdraw that consent at any time using the unsubscribe link in any marketing email or by contacting us.
8. Cookies we do NOT use
We do not use Microsoft Clarity, and Pip does not run its own third-party advertising or cross-site behavioural-advertising cookies. We do not "sell" or "share" your personal information for cross-context behavioural advertising as those terms are defined under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA). The only third-party cookies that may involve cross-site device recognition are Stripe's separately-controlled fraud-prevention cookies, described in section 4, which exist to prevent fraud and are not used for advertising.
9. Your US state privacy rights
If you are a resident of a US state with a comprehensive consumer privacy law (including California, Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, and others), the following applies to cookies and similar technologies.
We do not sell your personal information, and we do not share it for cross-context behavioural advertising, as the terms "sell" and "share" are defined under the CCPA/CPRA and the equivalent US state laws. Our analytics provider, PostHog, processes data on our behalf as a service provider or processor under a written contract, and is contractually prohibited from using that data for its own purposes or for cross-context behavioural advertising. That is why our analytics processing, including session recording, is not a sale or a share under the CCPA/CPRA or other US state privacy laws, and is not merely a consequence of our not running advertising cookies. Because there is no sale or sharing of this kind, there is nothing for you to opt out of in that respect, and we provide no "Do Not Sell or Share My Personal Information" mechanism because none is required for the processing we carry out.
Our cookie banner defaults all non-essential cookies, including analytics and marketing cookies, to off until you opt in.
For the full list of US-state privacy rights and how to exercise them, see our Privacy Policy.
Other countries
If you access the Service from another country, additional local privacy or cookie rules may apply to you. We aim to apply the consent standards described in this policy globally. If your local law gives you rights over cookies or the data they involve, you can contact us at support@pipdecks.com and we will consider any request to exercise rights that your local law requires us to honour. This policy, and the way we apply it, are governed by the laws of England and Wales. Nothing in this policy submits us to the jurisdiction of another country beyond what that country's mandatory law requires.
10. Changes to this policy
We may update this Cookie Policy to reflect changes in the cookies we use, our analytics or marketing tools, the law, or regulator guidance.
By a material change we mean, for example, introducing a new category of non-essential cookie, adding a new analytics or marketing vendor, or changing the legal basis on which we set a cookie. For a material change we will surface a notice in the app and, where the change affects the cookies you have already chosen, we will prompt you again through the consent banner so you can review your choice. For a minor change we will update the "Last updated" date above.
We may add, remove, or replace the tools listed in section 4. Where a change introduces a new cookie or technology that requires your consent, we will ask for your consent through the cookie banner before that new technology sets non-essential cookies on your device, and where a replacement requires consent we apply the same consent gate. Your previous choices do not carry over to a new technology of this kind.
11. How we contact you and how you contact us
The data-protection contact for cookie matters is support@pipdecks.com.
You can also write to us at our registered office: Chxrles LTD, Merchants House, Market Place, Stockport, England, SK1 1EU.
We give you notice of a change to this policy through the means described in section 10: an in-app banner or notice and, where the change affects cookies you have already chosen, a fresh prompt through the consent banner. Where you have an account with us and are not signed in at the time, we may also notify you by email at the email address registered to your account. You give us notice on any cookie matter by contacting us at support@pipdecks.com or by writing to our registered office above.
For users in the EU and EEA, we have appointed our representative under Article 27 of the EU GDPR. You can contact our representative about your personal data via privacy@pipdecks.com. Our Article 27 representative is also identified in our Privacy Policy.
If you are not satisfied with how we handle cookies or your consent, you have the right to complain to a regulator. In the UK, that is the Information Commissioner's Office (ICO) at ico.org.uk. If you are in the EU or EEA, you can complain to your local data-protection supervisory authority; you can find and contact yours through the European Data Protection Board's list of national authorities at edpb.europa.eu/about-edpb/about-edpb/members_en. If you are elsewhere, you can complain to your local privacy or data-protection regulator.
Legal basis note (PECR / ePrivacy / UK GDPR)
We set non-essential cookies, such as analytics and marketing cookies, only after specific, informed and granular consent, and we make withdrawing consent as straightforward as giving it. You can withdraw consent by clearing the consent_preferences cookie in your browser settings, which makes the banner appear again so you can make a fresh choice, or by contacting us at support@pipdecks.com. We record your consent for 365 days, after which it expires and we ask for it again, so consent is renewed rather than relied on indefinitely. This reflects our obligations under Regulation 6 of the Privacy and Electronic Communications Regulations 2003 (UK PECR) and Article 5(3) of the EU ePrivacy Directive 2002/58 as implemented in member-state law.
Where the personal data that follows from those cookies is processed, that consent is obtained to the standard required by Article 4(11) and Article 7 of the UK GDPR: it is freely given, specific, informed and unambiguous, and you can withdraw it at any time. For more detail on the lawful bases we rely on, and on where cookie-derived personal data is processed and transferred, see our Privacy Policy.
Governing law
This Cookie Policy forms part of, and should be read together with, our Terms of Service and Privacy Policy, and is governed by the laws of England and Wales.
The limitation of liability and exclusion of warranties in our Terms of Service apply to this Cookie Policy and to any statement made in it, to the fullest extent permitted by law. Nothing in this policy or our Terms of Service excludes or limits any liability or right that cannot lawfully be excluded or limited, including liability for death or personal injury caused by negligence, liability for fraud or fraudulent misrepresentation, your statutory rights under the Consumer Rights Act 2015, and your statutory data-protection rights under the UK GDPR, the Data Protection Act 2018 and the UK PECR. If you use the Service as a business rather than as a consumer, any indemnity in our Terms of Service applies to you as set out in those Terms; we do not ask you, as a consumer, to indemnify us for any statement made in this policy.
This Cookie Policy, together with our Terms of Service and Privacy Policy, forms the entire agreement between you and us about cookies and similar technologies. If there is any conflict between this policy and the Terms of Service on a cookie matter, this policy governs to the extent of that conflict, except that the limitation of liability, exclusion of warranties, indemnity, governing-law and dispute-resolution provisions of the Terms of Service prevail over anything in this policy. If any part of this Cookie Policy is held to be unenforceable, the remaining parts continue in full force.
Assignment of this policy is governed by the assignment provisions of our Terms of Service; we may transfer our rights and obligations under this policy as part of a business sale or reorganisation, and your rights under this policy are preserved on any such transfer.
No one other than you and us has any right under the Contracts (Rights of Third Parties) Act 1999 to enforce any term of this Cookie Policy.