1. What cookies are
Cookies are small text files that a website places on your device when you visit. They let the site remember your actions and preferences (such as that you're logged in, or what's in your cart) across pages and across visits. We also use other similar technologies such as localStorage and session storage where they suit the purpose better — this Policy covers all of them collectively.
2. Why we use cookies
Zylo uses cookies to keep you signed in, keep your cart intact as you browse, protect you against common web attacks (CSRF), remember your interface preferences, and — only where enabled — measure how merchants use the product so we can improve it.
We do not use cookies for cross-site behavioural advertising or retargeting.
3. Categories of cookies we set
- Strictly necessary. Required for the Services to function: authentication session, CSRF protection, and cart identifier on storefronts. You cannot disable these and still use Zylo; no consent is required under the NDPA for strictly necessary cookies.
- Functional. Remember your preferences — for example, your dashboard theme, last-used tab, or collapsed sidebar state. Disabling these will degrade the experience but not break it.
- Analytics. Set by PostHog only when the Merchant has explicitly enabled product analytics in the dashboard. They help us understand which features are used and where users get stuck. IP addresses are truncated before storage.
- Advertising. None. Zylo does not set, and does not allow third parties to set, advertising or retargeting cookies through the Platform.
4. Third-party cookies
A small number of third-party services may set their own cookies while handling specific features:
- Paystack — during checkout, Paystack's payment pages (on their own domain) set cookies to carry the payment session, prevent fraud, and complete 3-D Secure challenges. These cookies are governed by Paystack's privacy policy.
- Cloudflare — where we front traffic through a CDN, Cloudflare may set strictly necessary cookies to provide DDoS protection and determine whether a request is trusted.
We do not embed social-media widgets or third-party ad tags on merchant storefronts, so those third parties cannot set cookies through Zylo.
5. Cookie inventory
The table below lists the cookies and similar storage items that Zylo sets directly. Cookie names prefixed with sb- are Supabase authentication cookies; those prefixed with ph_ are PostHog analytics cookies set only when analytics is enabled.
| Name | Purpose | Lifetime | Category | Party |
|---|---|---|---|---|
| sb-access-token | Signed merchant session | 1 hour (rolling) | Strictly necessary | First-party |
| sb-refresh-token | Refreshes the session without re-login | 30 days | Strictly necessary | First-party |
| zylo_cart_id | Links an unauthenticated Shopper to their cart | 7 days | Strictly necessary | First-party |
| csrf-token | Mitigates Cross-Site Request Forgery | Session | Strictly necessary | First-party |
| zylo_theme | Remembers dashboard theme (light / dark / system) | 1 year | Functional | First-party |
| zylo_last_tab | Remembers the last-used tab in a settings page | 30 days | Functional | First-party |
| ph_<key>_posthog | Anonymous identifier for product analytics | 365 days | Analytics (opt-in) | First-party |
| __cf_bm | Cloudflare bot-management | 30 minutes | Strictly necessary | Third-party |
| __paystack_* | Paystack checkout session (set on Paystack's domain) | Varies | Strictly necessary | Third-party |
This table is maintained manually and may lag the most recent release of the Platform. If you see a cookie on a Zylo domain that isn't listed here, please let us know at {{PRIVACY_EMAIL}} and we will update this page.
6. How to manage or block cookies
Most browsers let you view, delete and block cookies, and some let you choose different settings per site. Blocking strictly necessary cookies will prevent you from using core Zylo features (you won't stay logged in, checkout may fail).
Instructions for the most common browsers:
Do Not Track & Global Privacy Control. If your browser sends a DNT: 1 header or a Sec-GPC: 1 signal, we will treat it as a request not to load optional analytics cookies for your session.
7. Changes to this policy
We may update this Cookie Policy from time to time to reflect changes in the Platform or in law. The “Last updated” date at the top of this page will always reflect the most recent version. Material changes will be notified alongside changes to our Privacy Policy.
8. Contact
Questions about cookies? Write to us at {{PRIVACY_EMAIL}} or fagbelustephen@gmail.com.