Cookie Policy
Last updated: 2026-07-09
Draft — pending legal review
This page is engineering-authored scaffolding written to satisfy Razorpay’s merchant policy requirements. It will be reviewed by an India-qualified lawyer for DPDP Act 2023, Consumer Protection Act 2019, and IT Act compliance before public launch. The launch gate blocks if any policy is unreviewed.
This page explains what cookies SwapMyTech sets, why, and how you can control them. We keep our cookie use minimal: everything below is either strictly necessary or, for analytics, loaded only after you agree.
1. What is a cookie?
A cookie is a small text file stored in your browser when you visit a website. It allows the site to remember information between page loads or visits — such as whether you are signed in, or whether you prefer dark mode.
2. Cookies we use
Strictly necessary — authentication & session
SwapMyTech uses NextAuth for authentication. When you sign in (Google OAuth or guest tracking), NextAuth sets a signed session cookie that keeps you logged in while you use the site. This cookie is:
- HttpOnly — not readable by JavaScript on the page.
- Secure — only sent over HTTPS.
- SameSite=Lax — not sent on cross-site requests initiated by third parties.
- Session or short-lived (expires within 7 days or on sign-out).
Without this cookie you cannot sign in or track a guest order. It is strictly necessary and cannot be opted out of while using authenticated features.
Strictly necessary — CSRF protection
NextAuth also sets a CSRF token cookie used to verify that form submissions originate from our own pages. This is a security requirement and does not store any personal data about you.
Preference — theme
If you switch between light and dark mode, we store your preference in a theme cookie (value: light or dark). This cookie:
- Contains no personal data.
- Is read server-side to render the correct colour scheme on first load (no flash).
- Persists until you change your preference or clear cookies.
You can delete this cookie at any time; the site defaults to your operating system’s colour scheme preference.
Analytics — Google Analytics 4 (only if you agree)
We use Google Analytics 4 to understand how visitors use SwapMyTech — which pages are viewed, how people move through the site — so we can improve it. Analytics is off by default: no Google script loads and no request reaches Google until you choose Accept analytics on the cookie banner. If you accept, Google sets:
_gaand_ga_<id>— distinguish visitors and sessions so visits aren’t double-counted. Expiry up to ~2 years.
We run Analytics in Google’s Consent Mode with every advertising signal (ad_storage, ad_user_data, ad_personalization) kept denied — so your data is never used for ads, remarketing, or sold. Google Analytics 4 does not store your IP address. If you decline, none of this runs.
3. Manage your choice
You can change your analytics decision at any time — turn it on if you declined, or off if you accepted:
Declining (or clearing the choice) stops analytics immediately on your next page load. We never use analytics cookies for advertising, cross-site tracking, retargeting, or commercial profiling.
4. Third-party services
When you proceed to payment, you interact with Razorpay’s payment interface. Razorpay may set its own cookies in that context; their cookie and privacy practices are governed by Razorpay’s Privacy Policy. We do not control those cookies.
If you sign in with Google, Google’s OAuth flow may set cookies on Google’s domains. Those are governed by Google’s Privacy Policy.
5. How to control cookies
You can manage or delete cookies at any time through your browser settings. Most browsers let you:
- View cookies currently stored for a site.
- Block cookies from specific sites or block all cookies.
- Delete all cookies or cookies from specific sites.
Note that blocking strictly necessary cookies will prevent sign-in and session features from working. Blocking only the theme cookie has no functional impact.
Links to cookie settings for common browsers: Chrome, Firefox, Safari, Edge.
6. DPDP Act alignment
Under the Digital Personal Data Protection Act, 2023, we process session and preference data on the basis of consent (sign-in flow) and legitimate use (security / CSRF). Strictly necessary cookies that are essential to the functioning of the service do not require separate opt-in consent under Indian law; the preference cookie is within the same scope.
Analytics is different: it is non-essential, so it runs only on your explicit opt-in and stays off until you accept. You can withdraw consent at any time using — withdrawal is as easy as giving consent. No personal data is sold or shared for advertising purposes.
7. Contact & privacy policy
For questions about cookies or your personal data, see our Privacy Policy or contact the Grievance Officer at support@swapmytech.com. Acknowledge within 48h; resolve within 30 days.