Cookie policy
Effective date: June 2, 2026.
This Cookie Policy explains how KupaLabs FZCO (incorporated under the Dubai Integrated Economic Zones Authority (DIEZA), Building A1, Dubai Digital Park, Dubai Silicon Oasis, Dubai, United Arab Emirates), operator of the DiffHook service ("DiffHook," "we," "us"), uses cookies and similar technologies (collectively "cookies") on our website and web application at diffhook.com (the "Service"). It supplements our Privacy Policy.
1. What are cookies
Cookies are small text files placed on your device by a website to store information. We also use browser localStorage and sessionStorage (collectively referred to as "local storage") for similar purposes. These technologies serve functions such as keeping you logged in, remembering your preferences, and understanding how the Service is used.
2. Cookie categories we use
We use two categories of cookies and local storage items on the Service:
Strictly necessary
These cookies and local storage entries are essential for the Service to function. Without them, core features such as authentication and security cannot operate. They are deployed without requiring your consent under the ePrivacy Directive and equivalent laws.
| Name / Key | Technology | Purpose | Duration |
|---|---|---|---|
dh-token-{teamId} |
localStorage | Stores your authentication token for the active workspace. Required to stay logged in. | Until sign-out or token expiry |
dh-last-team |
localStorage | Remembers your most recently accessed team so the app can redirect you after login. | Persistent |
dh-theme |
localStorage | Stores your light/dark mode preference. | Persistent |
dh-code-lang |
localStorage | Remembers your preferred language and HTTP client for API code samples (e.g. shell:curl, python:requests). |
Persistent |
dh-cookie-consent |
localStorage | Stores your cookie choices (including policy version) so we don’t show the banner on every visit. | Persistent |
| CSRF token (session) | sessionStorage | Protects form submissions against cross-site request forgery. | Session |
Strictly necessary cookies cannot be disabled through this banner. You can delete them via your browser settings or by signing out of your account, but doing so will end your session.
Analytics
These items help us understand how visitors interact with the Service — which pages are visited and how features are used. The data is used in aggregate to improve the product. We use three analytics providers, all configured to be cookieless by default: before you consent — and if you decline — they measure traffic without writing cookies or local storage to your device and without identifying you individually. Accepting Analytics lets the cookie-based providers store a first-party identifier for more accurate visitor and session counts.
Google Analytics 4 (“GA4”), provided by Google LLC (or, where applicable, Google Ireland Limited), via Google’s gtag.js tag. DiffHook implements GA4 Consent Mode v2:
- Before you decide, or if you decline Analytics (
analytics_storage: denied): GA4 sends anonymised, cookieless pings to Google. No_ga,_gid, or other GA4 cookies are written to your device. Google uses these signals for aggregate conversion modelling only; no personal profile is built and no cross-site tracking occurs. - If you accept Analytics (
analytics_storage: granted): full GA4 measurement is enabled. GA4 may then set cookies such as_ga(up to 24 months) and_gid(24 hours) to distinguish visitors and sessions.
GA4 is configured for measurement and product insight only — not for advertising personalisation through DiffHook. See Google’s Privacy Policy and Google’s information about GA4 and cookies.
PostHog, a product-analytics platform provided by PostHog, Inc., with data hosted in the European Union and requests routed through a DiffHook-operated first-party subdomain. PostHog runs in cookieless mode until you consent:
- Before you decide, or if you decline Analytics: PostHog counts visitors using a privacy-preserving identifier computed on its servers (a rotating hash). No PostHog cookies or local storage are written to your device and you are not identified individually.
- If you accept Analytics: PostHog stores a first-party identifier in your browser’s local storage and/or a cookie (keys beginning with
ph_) so returning visits and sessions can be recognised. If you are signed in, this identifier is linked to your account ID.
Ahrefs Web Analytics, provided by Ahrefs Pte. Ltd., is a fully cookieless, privacy-first analytics tool. It never sets cookies or local storage and does not use cross-site identifiers, so it produces only aggregate traffic statistics on every visit and does not require consent.
| Provider | Technology | Consent state | What is sent | Cookies / storage set |
|---|---|---|---|---|
| Google (Analytics) | GA4 / gtag.js |
Denied (default) | Anonymised, cookieless modelling pings | None |
| Google (Analytics) | GA4 / gtag.js |
Granted | Full analytics measurement | _ga (24 mo), _gid (24 h), _gat (1 min) |
| PostHog | posthog-js |
Denied (default) | Aggregate events counted via a server-side hash | None |
| PostHog | posthog-js |
Granted | Full product analytics with a first-party id | ph_* (localStorage / cookie, up to 12 months) |
| Ahrefs | analytics.js |
Always cookieless | Aggregate page views | None |
You can change your Analytics choice at any time using the Cookie preferences link in the site footer. If you withdraw consent, we immediately switch GA4 and PostHog back to cookieless mode and delete any analytics cookies or identifiers they placed on your device. They will not store new cookies or identifiers until you grant consent again.
3. Third-party cookies
Google (Analytics). The GA4 script loads on every visit (see Section 2). When Analytics consent is denied, Google receives only anonymised, cookieless modelling pings — no cookies are set and no personal data is sent. When Analytics consent is granted, Google may set _ga, _gid, and related cookies as described in Section 2.
PostHog. The PostHog script loads on every visit, with requests routed through a DiffHook-operated subdomain and data hosted in the EU. When Analytics consent is denied (the default), PostHog counts visitors with a privacy-preserving server-side hash and sets no cookies or local storage. When consent is granted, it stores a first-party identifier (ph_*) as described in Section 2.
Ahrefs. Ahrefs Web Analytics loads on every visit and is fully cookieless — it sets no cookies or local storage at any time and produces only aggregate traffic statistics.
Stripe. When you access the billing section of the Service, Stripe, Inc. may set cookies or use browser storage for fraud prevention and payment processing purposes. These are governed by Stripe's Cookie Policy. We do not control Stripe's cookie practices; however, Stripe cookies are only active on pages where payment functionality is loaded.
No third-party advertising, retargeting, or social media tracking cookies are set by DiffHook beyond the vendors above.
4. Managing your preferences
Via our banner. On your first visit, a cookie consent banner will appear offering you the choice to accept all cookies, reject non-essential cookies, or manage individual categories. Your choice is saved and respected on subsequent visits.
Via the footer link. At any time you can revisit your preferences by clicking Cookie preferences in the site footer. This reopens the preference panel, allowing you to change or withdraw consent.
Via your browser. All major browsers allow you to view, block, or delete cookies and clear local storage:
- Chrome: Settings → Privacy and security → Cookies and other site data
- Firefox: Settings → Privacy & Security → Cookies and Site Data
- Safari: Settings → Privacy → Manage Website Data
- Edge: Settings → Cookies and site permissions
Please note that blocking strictly necessary cookies will prevent you from using core features of the Service, including logging in.
Do Not Track. Some browsers send a "Do Not Track" (DNT) signal. DiffHook does not currently respond to DNT signals because there is no universally accepted standard for what DNT should mean for web applications. You can control analytics tracking directly through our consent banner regardless of your DNT setting.
5. Consent and lawful basis
Under the EU ePrivacy Directive (as implemented in national law, including the UK Privacy and Electronic Communications Regulations), strictly necessary cookies do not require consent. All other cookies require freely given, specific, informed, and unambiguous prior consent.
For analytics, our providers are configured to run cookieless by default (GA4 Consent Mode v2, PostHog cookieless mode, and the fully cookieless Ahrefs tool), as described in Section 2. The analytics scripts load on every visit as part of the page infrastructure, but no analytics cookies or browser-stored identifiers are set, and you are not identified individually, until you grant consent. The cookieless, aggregate measurement performed before consent does not constitute cookie-based tracking. We rely on your consent (Article 6(1)(a) GDPR / the ePrivacy Directive) for any cookie-based analytics; cookieless measurement that writes no device storage is carried out on the basis of our legitimate interest in understanding how the Service is used.
Consent is recorded with a timestamp and the version of this policy in force at the time. When we make material changes to our cookie practices, we will reset the consent flag and ask for your choice again.
6. Changes to this policy
We may update this Cookie Policy to reflect changes in our cookie practices, technology, or legal requirements. Material changes will prompt a new consent request. The effective date above reflects the most recent revision.
7. Contact
For questions about our use of cookies, contact us at support@diffhook.com or visit Support.