Cookie Policy
This policy lists every cookie and similar technology that Seerai sets or receives when you use seerai.amayx.com, who sets it, what it does, and how long it lasts. It is short because we believe short is honest in this case.
§1What are cookies?
Cookies are small text files set by a website and stored on your device. Local storage, session storage, IndexedDB, and HTTP headers set through Set-Cookie are related technologies that perform similar functions. Together, we refer to all of these as “cookies” in this policy.
Seerai distinguishes two purposes a cookie may serve:
- Strictly necessary: required for the Service to work — for example, keeping you signed in or preventing request forgery. Under the ePrivacy Directive and most national transpositions (including the UK PECR) these do not require your consent.
- Non-essential: anything else, including analytics, marketing, and third-party tracking. Under the same laws these do require consent (opt-in).
§2What we use
Seerai itself sets essentially no first-party cookies. All cookies and similar storage on this site are set by our authentication sub-processor (InstantDB) and, in some cases, the underlying hosting layer (Cloudflare). Both are strictly-necessary.
2.1 Cookies and storage set by InstantDB (authentication)
The Zotero plugin, our hosted dashboard, and your account profile are all backed by InstantDB. To keep you signed in without sending your long-lived refresh credential on every request, InstantDB sets the following on InstantDB-owned domains and on seerai.amayx.com when used for authentication callbacks:
| Name | Type | Purpose | Expires | Provider |
|---|---|---|---|---|
__session_refresh_token__(or equivalent name from your InstantDB configuration) | First-party HttpOnly cookie | Holds a long-lived refresh credential used to obtain new short-lived access tokens. Cannot be read by JavaScript. | ~30 days (rotated on use) | InstantDB |
__session_access_token__(name varies) | First-party HttpOnly cookie | Holds the short-lived bearer token sent to API requests. Replaced on each refresh. | ~1 hour | InstantDB |
IndexedDB store instantdb:cache (or equivalent) | Browser-local storage | Holds cached user profile and query results so the dashboard does not refetch on every render. Cleared on sign-out. | Until sign-out or manual clear | InstantDB |
__csrf_token__ or X-CSRF-Token header | First-party session value | Mitigates cross-site request forgery on form submissions. | Session | InstantDB |
We do not set our own Seerai cookies for authentication. Our API gateway issues bearer tokens over HTTPS that are stored by the client (typically in IndexedDB by the plugin). You can revoke any of these at any time from the dashboard.
2.2 Cookies set by Cloudflare
Cloudflare may set the following cookies when it needs to verify that an incoming request comes from a real browser and not from an automated attacker. We do not configure these and they are set only in response to specific edge signals:
| Name | Type | Purpose | Expires | Provider |
|---|---|---|---|---|
__cf_bm | First-party HttpOnly cookie | Cloudflare Bot Management: distinguishes humans from bots. Set only when traffic patterns warrant. | 30 minutes from set | Cloudflare |
cf_clearance | First-party cookie | Cloudflare clearance cookie: lets a verified visitor through a security challenge. | Up to 30 days | Cloudflare |
Refer to Cloudflare’s privacy policy for the legal basis and storage locations of those cookies.
§3What we do not use
Seerai does not load any of the following on seerai.amayx.com or in the hosted dashboard. We make this a hard engineering rule, not just a policy rule:
- Analytics cookies or SDKs: no Google Analytics, Google Tag Manager, Meta Pixel, Plausible, PostHog, Mixpanel, Amplitude, Fathom, Hotjar, FullStory, LogRocket, or Segment.
- Error monitoring that captures session replay: no Sentry, no Datadog Browser RUM, no Bugsnag session replay.
- Advertising cookies: no Google Ads, no Meta Ads Pixel, no TikTok Pixel, no LinkedIn Insight Tag, no X (Twitter) pixel, no Microsoft Clarity.
- Social widgets: no embedded YouTube, Twitter, or Facebook widgets that drop tracking cookies.
- Chat / support cookies: no Intercom, Zendesk Chat, Drift, Crisp, or HubSpot chat cookies. Support is email-only.
- Fingerprinting or device-graph identifiers: we do not write browser fingerprint data to local storage or send it to a tracker.
As a result, this site does not display a cookie-consent banner. There is nothing for the banner to ask you to opt in or out of. We document the absence so you can verify it (open the browser’s developer tools > Storage > Cookies and load any page on this domain — you will see only the entries listed in section 2).
§4How to control cookies
Because every cookie we and our sub-processors set is strictly-necessary, disabling them will likely break part of the Service. With that caveat, your options are:
- Browser controls. Every modern browser lets you block or delete cookies. Use the “Site settings” or “Privacy” section of your browser to inspect or remove Seerai cookies. Note that blocking all cookies will prevent sign-in.
- Sign out. Signing out of the Seerai dashboard invalidates the InstantDB refresh token and clears the in-memory access token. You can do this from the dashboard or by clearing site data for
seerai.amayx.comin your browser. - Revoke plugin API tokens at any time from the dashboard. The plugin will need to re-authenticate with a new magic code.
- Cloudflare cookies. Cloudflare’s cookies can only be controlled via your browser’s cookie settings; Cloudflare does not honour the “Do Not Track” header, though we have not configured any additional personalised features on top of them.
§5Updates to this policy
If we add or remove a non-essential cookie, we will update this page, change the version number, and — if the change is material — show an in-app notice and obtain consent where required. The current version is always at seerai.amayx.com/cookies.
§6Contact us
Questions about this Cookie Policy: privacy@amayx.com
Other privacy questions: privacy@amayx.com
See also our full Privacy Policy and Terms of Service.