Cookie Policy
Version 2026-07-08 · Effective July 8, 2026
Draft pending legal review — this is a working draft and has not been finalized by counsel.
This Cookie Policy explains the cookies and similar technologies ManageCanvas uses. We keep this
to a minimum: we use only strictly necessary cookies, we set no advertising or cross-site
tracking cookies, and our public storefronts set no cookies of our own at all.
Cookies we set
All of the following are strictly necessary, first-party, and HttpOnly (not readable by
client-side scripts). They are used only in the ManageCanvas app (app.managecanvas.com), not on
artist storefronts.
| Cookie | Purpose | Type |
|---|---|---|
| Session cookie(s) | Keep you signed in to your account | Strictly necessary |
sq_oauth_state |
Security (anti-CSRF) during Square account connection | Strictly necessary |
mc_imp |
Lets a platform administrator temporarily view the app as an Artist for support | Strictly necessary |
Strictly necessary cookies do not require consent under EU/UK rules; without them the app cannot
sign you in or protect the connection.
Analytics without cookies
We measure storefront traffic in an aggregate, cookieless way. We set no analytics cookie and
build no persistent visitor profile. For each page view we record only the page type, the
artwork/page slug, the visitor's country (derived at the network edge), and the referring site's
hostname.
To count unique visitors — not just raw page views — without cookies, we also derive a
short-lived, pseudonymous identifier: a one-way hash of the day, the store, and the visitor's IP
address and browser user-agent. We do not store the IP address or user-agent themselves, only
the hash; and because the day is part of the input, the identifier rotates every 24 hours and
cannot recognize a visitor across days or across different Artists' stores. It exists solely to
estimate daily visitor counts.
Third-party content on storefronts
An Artist may embed third-party content on their store — most commonly a video. We configure
these embeds to be privacy-first by default: YouTube videos use the "no-cookie" domain and Vimeo
videos are requested with "Do Not Track," so they do not set advertising cookies on page load. If
you play a video, the provider may then set its own cookies under its policy.
When a buyer pays with Square on a store, Square's secure card component loads and may set its
own cookies to process the payment; this is strictly necessary to complete a purchase you have
chosen to make. Stripe checkout happens on Stripe's own hosted page, off our site.
Managing cookies
Because we use only strictly necessary cookies, there is nothing non-essential to turn off in
ManageCanvas. You can still block or delete cookies in your browser settings, but doing so may
prevent you from signing in.
Changes
We will update this policy if our cookie use changes, and revise the version and date above.
Contact
Draft pending legal review. Not legal advice; review by qualified counsel before relying on it.