Cookie policy.
What we set, what each cookie does, how long it stays, and how to turn off the ones you can. We use Plausible Analytics instead of Google. No ad pixels. No retargeting. No fingerprinting.
01What cookies are
Cookies are small text files that a website asks your browser to store. They let the site remember you between page loads (so you stay signed in, your cart survives a refresh, your preferences stick). They can also be used to track you across sites. Message.com uses them only for the first job, never the second.
This policy applies to message.com, app.message.com, status.message.com, and any subdomain operated by Message.com LLC. It does not apply to customer-operated subdomains that embed the Message widget; those are governed by the customer's own privacy notice.
The Message widget itself, embedded on customer sites, uses localStorage and sessionStorage (not cookies) to keep conversation state inside the Shadow DOM. That behavior is documented in the widget developer docs.
02Strictly necessary cookies
These cookies are required to operate the site. We do not ask for consent to set them because the site does not work without them. Disabling these will break authentication and form submissions.
- Session cookies keep you signed in to app.message.com while you move between pages. They are signed, HttpOnly, Secure, and SameSite=Lax. They expire when you close the browser, or after the inactivity timeout configured for your workspace.
- CSRF tokens protect form submissions and API requests against cross-site request forgery. These are short-lived and refresh on every authenticated request.
- Load-balancer affinity tokens (set by Cloudflare in front of our infrastructure) keep your traffic pinned to the same backend node during a single request lifecycle. They expire at the end of the request.
03Functional cookies
These cookies remember your preferences so the site behaves the way you set it. They are not strictly required, but disabling them means the site forgets you between visits.
- Color theme (light or dark) and accent color preference.
- Language preference, where you have overridden the browser default.
- Sidebar collapsed/expanded state in the dashboard.
- Cookie banner dismissal state (so we do not show the banner again after you have answered).
04Analytics cookies
We use Plausible Analytics, a privacy-friendly analytics product hosted in the EU. Plausible does not set any cookies and does not collect personal data. It counts page views and referrers in aggregate, hashed against a daily rotating key so individuals cannot be tracked across days.
We do not use Google Analytics, Adobe Analytics, Mixpanel, Heap, Amplitude, or any product that builds a behavioral profile on individual visitors. That was a deliberate choice. Analytics products that fingerprint visitors are incompatible with the privacy posture we sell.
If you still want to opt out of Plausible, the "Do Not Track" header in your browser is honored automatically. There is nothing to click.
05Advertising cookies
We do not use advertising cookies. We do not place pixels from Facebook, Google Ads, LinkedIn, TikTok, Reddit, X, or any other ad network on message.com or app.message.com. We do not retarget visitors. We do not sell visitor lists.
When we run paid campaigns externally, attribution is handled with UTM parameters on the inbound URL, not cookies on the visitor's browser. The attribution is stored against the conversion event in our database, not against an identifier on your device.
06Full cookie list
The table below lists every cookie set by Message.com properties. If you find a cookie on a Message domain that is not on this list, email [email protected] and we will investigate.
| Name | Category | Purpose | Expires |
|---|---|---|---|
| msg_session | Strictly necessary | Authenticated session token for app.message.com | Session or 30 days (remember me) |
| msg_csrf | Strictly necessary | CSRF protection for form posts and API calls | Per request |
| __cf_bm | Strictly necessary | Cloudflare bot management challenge token | 30 minutes |
| cf_clearance | Strictly necessary | Cloudflare verified-human clearance after a challenge | 30 days |
| msg_theme | Functional | Light/dark theme preference | 1 year |
| msg_locale | Functional | UI language preference override | 1 year |
| msg_sidebar | Functional | Dashboard sidebar collapsed/expanded state | 1 year |
| msg_banner_ack | Functional | Records that you have answered the cookie banner | 1 year |
Plausible Analytics does not appear in this table because it does not set a cookie. It is included in the analytics section above for completeness.
07Your choices
Every modern browser lets you view, block, or delete cookies. The exact menu depends on the browser, but the controls are usually under Settings > Privacy. Useful links:
- Chrome: chrome://settings/cookies
- Firefox: about:preferences#privacy
- Safari: Preferences > Privacy > Manage Website Data
- Edge: edge://settings/content/cookies
Blocking strictly necessary cookies will sign you out of app.message.com and break form submissions. Blocking functional cookies will reset your preferences on every visit. Blocking analytics has no effect because we do not use cookie-based analytics in the first place.
You can also opt out of the Message marketing emails any time using the unsubscribe link in the footer. That choice is honored across all marketing categories on the same email address.
08Do Not Track and Global Privacy Control
Message.com honors the Do Not Track (DNT) header and the Global Privacy Control (GPC) signal. When either is present:
- Plausible Analytics receives a do-not-count signal for the entire session.
- Functional cookies still set (we cannot remember your preference not to be remembered without a flag of some kind), but they carry no identifier that could be joined to other visits.
- Marketing email opt-out flags are respected and persisted.
The CCPA "Do Not Sell or Share My Personal Information" signal is mapped to GPC behavior. We do not sell or share personal information for cross-context behavioral advertising under any condition, so there is nothing additional to disable.
09Third-party cookies in customer dashboards
When you sign into app.message.com, the dashboard may load embedded views from authorized integrations (Stripe Customer Portal, GitHub OAuth for sign-in, calendar pickers). Those integrations may set their own cookies under their own domains, governed by their own cookie policies.
Where an integration is optional, you can turn it off in Settings > Integrations. Where it is required (e.g. Stripe for billing), the relevant third party's cookie policy is linked at the integration touch point.
10Updates
We update this page whenever we add, remove, or change the purpose of a cookie. The "Last updated" date in the page header is the canonical reference. Material changes (a new analytics provider, a new third-party tag) are also announced in the product changelog and to security contacts on file for enterprise customers.
If you have questions or want to challenge a cookie set on a Message property, email [email protected]. We answer from a named human within two business days.
Spotted a cookie that is not in this list?
Email [email protected] with the cookie name and the page where you saw it. We will investigate and reply within two business days.
Start free trial →