1. Introduction
This notice explains how Gumly Limited, company no. 16949574, 71-75 Shelton Street, London, England, WC2H 9JQ ("Gumly", "we", "us") uses cookies, similar technologies, and first-party tracking on www.gumly.ai and our web application (the "Service").
For how we use personal data more broadly, see our Privacy Policy (UK).
2. Phase 1: no third-party analytics
In Phase 1, Gumly does not deploy third-party analytics cookies or pixels (for example Google Analytics, Meta Pixel, or similar marketing trackers) on the public site or logged-in application.
Product usage is measured with first-party analytics sent to our own systems, as described in Section 5 below.
3. Login and session cookies
These cookies are essential to keep you signed in and to secure API requests. They cannot be switched off while using the Service.
| Name | Purpose | Duration |
|---|---|---|
| refresh_token | Maintains your authenticated session via secure token refresh | Up to 30 days (HttpOnly) |
| csrf_token | Helps protect state-changing requests from cross-site request forgery | About 1 hour |
Both are set on API paths with HttpOnly and SameSite=Strict where supported.
4. Security cookies and storage
We use cookies and server-side logging to:
- Detect abuse and suspicious sign-in activity, and enforce rate limiting
- Record security-relevant events (e.g. OAuth connection attempts) in our audit systems
- Protect payment and account flows
Legacy auth values may still exist in localStorage on some browsers until cleared; new sessions prefer HttpOnly cookies for refresh tokens.
5. Preference and first-party identifiers (browser storage)
We use localStorage and sessionStorage (not cookies) for preferences and first-party analytics identifiers, including:
- gumly_attribution — first-touch UTM parameters (up to 30 days)
- gumly_anonymous_id — links pre-login activity to your account after signup
- gumly_app_session_id / landing session IDs — session-scoped product and marketing analytics
- UI and product preferences needed for the Service to function as you expect
6. Internal (first-party) tracking
We send allowlisted usage events from the app to our own API, which stores them in our database. This includes, for example, signup funnel steps, feature usage, errors (with reason categories), and activation milestones.
We do not use third-party analytics SDKs in Phase 1. Event payloads are limited and reviewed against an internal taxonomy. Country may be inferred from infrastructure headers; we do not store full IP addresses in analytics tables.
7. Payment cookies
When you complete checkout, Stripe may set cookies or similar technologies required to process payment and prevent fraud. Those are controlled by Stripe under its own policies. Gumly does not receive your full card number.
8. Third-party cookies from integrations
If you connect Google Ads or sign in with Google, Google may set cookies during the OAuth flow on Google's domains. Platform advertising cookies on your own websites are not controlled by Gumly.
9. Managing cookies and storage
You can block or delete cookies in your browser settings. Clearing storage may sign you out and reset anonymous analytics identifiers. Essential cookies are required to use the logged-in Service.
10. Changes
If we introduce non-essential cookies (e.g. third-party analytics) in a later phase, we will update this notice and, where required by UK law, obtain consent before doing so.
11. Contact
Privacy: privacy@gumly.ai
Support: support@gumly.ai
