Legal · Cookie Policy

Two cookies. Both essential.

No advertising pixels. No third-party trackers. No analytics cookies. What we set, why we set it, and how long it lives — in plain language.

At a glance

  • We set two first-party cookies — both required for the service to function.
  • We do not set any analytics, advertising, or tracking cookies.
  • Analytics, when enabled, runs server-side in our own database — not via cookies.
  • No third party sets cookies on the AllowanceGuard domain.
  • Both cookies are Secure in production. The session cookie is also HttpOnly; the CSRF cookie has to be JS-readable so the page can echo the token in a header.

Essential cookies

What we set.

Two first-party cookies. One server-only for sign-in. One readable by your browser for CSRF protection.

ag_sess: Session authentication

Identifies you to the server after sign-in so you don’t have to re-authenticate on every request. Issued when you sign in with your wallet (SIWE) and cleared when you sign out.

Type: First-party, essential
Lifetime: Up to 30 days
Flags: HttpOnly · Secure · SameSite=Lax

ag_csrf: CSRF protection

A double-submit token that prevents cross-site request forgery on authenticated mutations. Browser JavaScript reads this cookie to echo the value in an x-csrf-token header, which the server then matches against the cookie value. This is why it is not HttpOnly.

Type: First-party, essential
Lifetime: Up to 30 days
Flags: Secure · SameSite=Lax · readable by JS
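
The double-submit check described for ag_csrf, sketched as an added example (not AllowanceGuard's own code). Function names and token values are hypothetical, and it assumes mutations never use GET, HEAD or OPTIONS.

```javascript
// Added example: double-submit check for the ag_csrf cookie and x-csrf-token header.
// Function names are hypothetical; token values below are constructed.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]); // assumed non-mutating

// Collect every value sent for one cookie name in a Cookie header string.
function cookieValues(header, name) {
  const values = [];
  for (const part of (header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq !== -1 && part.slice(0, eq).trim() === name) {
      values.push(part.slice(eq + 1).trim());
    }
  }
  return values;
}

// Comparison whose running time does not depend on where the strings differ.
function safeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Browser side: read ag_csrf (not HttpOnly) and echo it in the request header.
function csrfHeader(documentCookie) {
  const [token] = cookieValues(documentCookie, "ag_csrf");
  return token ? { "x-csrf-token": token } : {};
}

// Server side: header keys are lowercase, as Node's http module delivers them.
function verifyCsrf(method, headers) {
  if (SAFE_METHODS.has(method.toUpperCase())) return { ok: true, reason: "safe method" };
  const cookies = cookieValues(headers.cookie, "ag_csrf");
  const echoed = headers["x-csrf-token"];
  if (cookies.length !== 1 || !cookies[0]) return { ok: false, reason: "missing or duplicate ag_csrf" };
  if (typeof echoed !== "string" || !echoed) return { ok: false, reason: "missing x-csrf-token" };
  if (!safeEqual(cookies[0], echoed)) return { ok: false, reason: "token mismatch" };
  return { ok: true, reason: "token matches" };
}

// Constructed requests: the site's own script vs. a request that lacks the echoed header.
const sent = "ag_sess=constructed-session; ag_csrf=constructed-token-123";
const visibleToJs = "ag_csrf=constructed-token-123"; // ag_sess is HttpOnly, so it is not listed
const sameOrigin = verifyCsrf("POST", { cookie: sent, ...csrfHeader(visibleToJs) });
const noHeader = verifyCsrf("POST", { cookie: sent }); // other origins cannot read ag_csrf
console.log(sameOrigin, noHeader);
```

The check rejects a request that carries more than one ag_csrf value instead of picking one, so an ambiguous cookie jar fails closed.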

Analytics

Why there are no analytics cookies.

Most products track you with cookies. We don’t.

The “Analytics” toggle in our cookie banner does not control any cookie. It controls whether anonymous usage events (e.g. scan started, wallet connected) are written to our own PostgreSQL database.

  • Consent-gated. Choose “Essential only” and zero analytics events are recorded — anywhere.
  • Server-side only. Events are stored in our database. Nothing is written to your browser.
  • No third parties. No Google Analytics, Mixpanel, Segment, PostHog, or any external analytics tool.
  • Error tracking. Rollbar may receive anonymised exception data for debugging. No personal identifiers, no cookies on this domain.

Local storage

What we keep in your browser (not a cookie).

Strictly speaking these aren’t cookies, but you should know they exist.

Key | Purpose | Lifetime
allowance-guard-cookie-consent | Remembers your cookie-banner choice (Essential only, or All). | Until you clear browser storage
ag.userEmail / ag.preferences | Saved preferences entered on the /preferences page (notification email, alert toggles). | Until you clear browser storage
wagmi.* / wc@2:* | Wallet connection state managed by Wagmi and WalletConnect. Lets the page remember which wallet you connected. | Until you disconnect or clear storage

Your control

How to manage cookies.

Withdraw analytics consent

Clear your browser’s site data for allowanceguard.com to reset the consent banner. On your next visit, choose “Essential only.”

Block all cookies

Use your browser’s site-data settings to block cookies for our domain. Sign-in and CSRF protection will stop working, so you won’t be able to use authenticated features.

Sign out

Signing out clears ag_sess immediately. ag_csrf persists for up to 30 days and is harmless on its own — clear browser data to remove it.

Heads up

Disabling essential cookies will break sign-in, account access, and any feature that requires authentication. Read-only public pages still work.

Maintenance

When this changes.

If we ever introduce a new cookie, change a cookie’s purpose, or add a third-party tracker, this page is updated before the change ships. Material changes are also reflected in our Privacy Policy.

Questions: legal.support@allowanceguard.com

Last updated: April 14, 2026.
