EditMyPDF Cookies and Similar Technologies Policy
Last updated: March 24, 2026
1. Summary
This page explains how EditMyPDF uses cookies and similar technologies when you browse the website or use the application.
By “similar technologies”, we mean in particular:
- your browser’s localStorage and sessionStorage;
- pixels, beacons, and tags (including via Google Tag Manager);
- certain third-party SDKs or scripts running in the browser;
- advertising identifiers or conversion measurement identifiers;
- security, fraud-prevention, or anti-abuse mechanisms, including certain technical device or session signals.
On EditMyPDF, preferences are organized into three categories:
- Necessary: always active because they are required for operation, security, session management, abuse prevention, or remembering essential choices;
- Analytics: off by default until you have given your consent;
- Advertising: off by default until you have given your consent.
You can manage your preferences or withdraw your consent at any time from the cookie preference center available through the service.
Important: for certain third-party providers, the exact names of cookies, storage keys, or technical identifiers may vary depending on the browser, country, session, SDK version, integration method, domain used, or provider configuration. Where an exact name has not been confirmed by a production browser audit, we describe the service, the purpose, and the consent category rather than claiming to provide an exhaustive list of every possible technical tracker.
2. Difference between cookies and similar technologies
A cookie is a small file placed on, or read from, your device by the browser.
Other mechanisms may have similar effects without being, legally or technically, cookies in the strict sense:
- localStorage stores information in your browser until it is deleted, replaced, or the browser is reset;
- sessionStorage stores information for the browsing session or until the tab or browser is closed, depending on how it is implemented;
- pixels, tags, and third-party SDKs may send events, load scripts, read or write identifiers, or trigger calls to analytics, advertising, payment, or authentication providers;
- some device intelligence or fraud-prevention tools primarily use technical signals, request IDs, device IDs, or network metadata, sometimes without placing a traditional cookie.
In this policy, we use the term “cookies and similar technologies” to cover all of these mechanisms.
3. Our preference categories
Necessary
This category covers cookies and similar technologies that are strictly necessary for the operation of the service or reasonably necessary for security, authentication, journey continuity, user-requested payment, consent management, CSRF protection, fraud and abuse limitation, and certain essential preferences such as language.
These technologies remain active because, without them, EditMyPDF cannot operate properly or cannot secure certain operations.
Analytics
This category covers technologies used to:
- measure how the website and product are used;
- understand user journeys and product events;
- analyze site performance;
- improve usability, journeys, and service reliability.
On EditMyPDF, these technologies are off by default and are only activated after your Analytics consent.
Advertising
This category covers technologies used to:
- attribute conversions;
- measure marketing campaigns;
- improve the relevance of advertising activities;
- store, read, or transmit certain advertising identifiers after consent.
On EditMyPDF, these technologies are off by default and are only activated after your Advertising consent.
Technologies triggered only by user action
Some integrations open their interactive flow only if you explicitly request a function such as:
- signing in or starting an authentication flow;
- opening a payment or checkout flow;
- importing or exporting a document via Google Drive or Dropbox.
Supporting browser SDKs for certain functions may preload on compatible pages to prepare the requested experience. Even where a supporting SDK preloads, the interactive login, Picker, Chooser, OAuth, or checkout flow opens only after your action. These integrations may also use their own cookies, storage, or scripts on their own domains or through embedded components where necessary for the requested function, security, fraud prevention, or authentication.
4. EditMyPDF first-party cookies and technologies
The table below describes the first-party cookies and browser storage currently identified on the EditMyPDF side.
| Name / key | Type | Scope | Purpose | Category | Duration / TTL | Trigger | Technical details / notes |
|---|---|---|---|---|---|---|---|
editmypdf_lang | Cookie | First-party | Store the website / interface language | Necessary | 365 days (Max-Age=31536000) | When a language preference is set or restored | Functional preference cookie |
trial_token | Cookie | First-party | Trial session tracking, usage limiting, and abuse prevention | Necessary | About 1 day | When a trial flow or usage-limiting logic is engaged | HttpOnly, Path=/, SameSite=Lax |
settings_session | Cookie | First-party | Admin / settings session | Necessary | 30 minutes | Only in admin / settings flows | Path=/api, SameSite=Strict |
settings_csrf | Cookie | First-party | CSRF protection for admin / settings actions | Necessary | 120 minutes (aligned with the admin / settings session window) | Only in admin / settings flows | Path=/api, SameSite=Strict |
editmypdf:lang | localStorage / browser storage | First-party | Store language in certain front-end flows | Necessary | Variable depending on browser behavior and manual deletion | When using the site | Technology similar to a cookie |
editmypdf:theme | localStorage / browser storage | First-party | Store the theme or certain interface preferences | Necessary | Variable depending on browser behavior and manual deletion | When using the site | Technology similar to a cookie |
editmypdf:auth-intent | sessionStorage | First-party | Resume or secure certain authentication or sign-in steps | Necessary | Up to 30 minutes, or until the tab / session ends | During certain authentication flows | One-shot resume marker removed after consumption |
editmypdf:billing-checkout-resume | sessionStorage | First-party | Resume a billing / checkout flow | Necessary | Up to 30 minutes, or until the tab / session ends | When a payment or subscription flow is started | One-shot resume marker removed after consumption |
editmypdf:trial-started | localStorage | First-party | Store that a trial flow has started | Necessary | Until cleared by the browser, the user, or product logic | When a trial is started | Used for state resumption / limitation / UX |
editmypdf:tiktok-ttclid | localStorage | First-party | Store a TikTok advertising identifier / click ID for attribution and conversion measurement | Advertising | Up to 30 days; cleared immediately when Advertising consent is not granted or is withdrawn | Only after Advertising consent | Must not be stored before Advertising consent |
| Internal draft, UI preference, onboarding, pipeline, and journey-resume keys | localStorage / sessionStorage | First-party | Interface preferences, temporary drafts, journey resumption, checkout/onboarding state, front-end configuration for certain processing steps | Necessary | Session-based or variable depending on the storage type | When using the service | We group here several purely functional keys rather than listing them one by one |
What this means in practice
- Items classified as Necessary are used for operation, security, or journey continuity.
- localStorage / sessionStorage entries are not always visible in the browser’s cookie list, but they should be treated like trackers when they are used to remember a state, preference, or identifier.
- The
editmypdf:tiktok-ttclidstorage is treated separately because it serves an Advertising purpose and should only be retained after the corresponding consent has been given.
5. Third-party technologies in the browser
EditMyPDF uses, or may use, the following third-party services in the browser.
| Service | Provider | Type / scope | Main purpose | Category | Trigger | Duration / notes |
|---|---|---|---|---|---|---|
Google Tag Manager (GTM-PWMD647D) | Tag manager / browser tags | Deploy and manage certain measurement tags depending on the active configuration | Analytics | Enabled for measurement purposes after Analytics consent | The container or tags deployed through it may change over time; the associated cookies or identifiers depend on the effective configuration | |
Google Analytics 4 (G-9WPC6SGG52) | Web analytics | Measure usage, site performance, product events, and user journeys | Analytics | After Analytics consent | The exact names of Google cookies may vary depending on the browser, domain, configuration, and enabled Google products | |
Microsoft Clarity (project ID vwvvv4xih9) | Microsoft | Behavioral analytics / session insights | Understand usage, journeys, usability, and certain product interactions | Analytics | After Analytics consent | Clarity may use cookies or a cookieless mode depending on the consent signal and region; exact names must be confirmed in a browser audit |
Meta Pixel (pixel ID 1465283955263559) | Meta | Marketing pixel | Campaign measurement, conversion attribution, and marketing relevance improvement | Advertising | After Advertising consent | The exact cookies / identifiers may vary depending on Meta, the browser, the session, and the integration settings |
TikTok Pixel (pixel code D6S885RC77U4MV0OBSUG) | TikTok | Marketing pixel | Traffic measurement, campaign performance, conversions, and marketing improvement | Advertising | After Advertising consent | The exact cookies / identifiers may vary depending on TikTok, the browser, the session, and the integration settings |
TikTok first-party advertising identifier (editmypdf:tiktok-ttclid) | EditMyPDF / TikTok (depending on use) | First-party browser storage | Relay or retain a TikTok click ID / attribution identifier | Advertising | After Advertising consent | Used as a technology similar to a cookie; must remain consistent with your Advertising choices |
| Auth0 | Okta/Auth0 | SDK / session cookies / authentication flows | Authentication, session management, SSO, potential MFA, and protection of certain sign-in flows | Necessary | When a user signs in, maintains a session, or triggers an authentication flow | The exact cookie names may depend on the flow, custom domain, browser, and enabled features; a browser audit is required for an exhaustive list |
| Stripe / Stripe.js / Embedded Checkout | Stripe | Payment scripts / components | Perform the requested payment, secure the checkout, prevent fraud, and ensure continuity of a payment session | Necessary (or functionally necessary to the requested service) | Stripe.js or supporting payment components may start loading on compatible pricing or billing pages before checkout opens; the interactive checkout or payment element opens when you start a payment flow | Stripe may set or read its own cookies / storage or collect certain technical signals related to payment and fraud; exact names depend on the flow and provider |
| Fingerprint Pro | Fingerprint | Device intelligence / technical signals | Fraud detection, abuse limiting, integrity checks, and protection of the trial period and the service | Necessary | When an anti-abuse or security control is required | This mechanism may rely mainly on technical signals and a visitor identifier rather than a traditional cookie. In the current service configuration, short-lived request or event controls are generally measured in seconds or minutes, including about 15 minutes for event freshness; broader server-side anti-abuse histories may be retained for up to 180 days. See the Privacy Policy for retention details. |
| Google Drive import/export | SDK / Picker / OAuth / popup | Allow file import or export with Google Drive at the user’s request | Necessary / functional for the requested import/export feature | Supporting browser SDKs may preload on compatible conversion pages; the Picker or authentication window opens only after you start the function | May preload Google scripts on compatible conversion pages to prepare browser import/export; the interactive Picker or authentication window opens only after your action, and any cookies are generally related to that requested function | |
| Dropbox import/export | Dropbox | SDK / Chooser / OAuth / popup | Allow file import or export with Dropbox at the user’s request | Necessary / functional for the requested import/export feature | Supporting browser SDKs may preload on compatible conversion pages; the Chooser or authentication window opens only after you start the function | May preload Dropbox scripts on compatible conversion pages to prepare browser import/export; the interactive Chooser or authentication window opens only after your action, and any cookies are generally related to that requested function |
Important notes about third parties
- We do not invent third-party cookie names. For Auth0, Stripe, Google, Microsoft Clarity, Meta, TikTok, Google Drive, Dropbox, and Fingerprint, the exact names of cookies or storage entries may depend on the actual scenario executed, the browser, country, domain, SDK, and provider configuration.
- For that reason, this policy transparently documents the services, purposes, consent categories, and triggers, even where the exhaustive list of each technical name still needs to be confirmed by a production browser audit.
- When a third-party service is triggered only because you use a specific function (sign-in, payment, import/export), this does not necessarily make it advertising-related; it may instead be strictly necessary or functionally necessary for the service you requested.
- In the current Google Drive flow, the token is effectively one-shot / transient rather than a persistent EditMyPDF browser credential: it is obtained only after your action, reused only during the current page runtime while valid, and is not intentionally persisted by EditMyPDF across browser restarts or long-term browser storage.
6. Server-side measurement and conversion tracking
In addition to trackers that run in the browser, EditMyPDF also uses — or may use, depending on the active configuration — certain server-side measurement and conversion flows.
These flows are distinct from browser cookies:
- they do not necessarily place a file on your device;
- they may nevertheless send a provider events, technical metadata, conversion identifiers, or other measurement-related information;
- the fact that a flow is “server-side” does not automatically remove it from the rules applicable to the purpose pursued.
| Service | Provider | Nature of the mechanism | Purpose | Applicable category | Notes |
|---|---|---|---|---|---|
| GA4 Measurement Protocol | Server-side delivery of events to Google Analytics | Event measurement, supplemental measurement, conversions, and linking client-side and server-side interactions | In practice: Analytics where the purpose is product/site measurement; to be confirmed depending on the events actually sent | This flow is separate from Google Analytics cookies set in the browser | |
| Meta Conversions API | Meta | Server-to-server delivery of conversion or marketing events | Attribution, campaign measurement, conversions | Advertising | Separate from the Meta Pixel; may operate in combination with the browser pixel |
| TikTok Events API | TikTok | Server-to-server delivery of conversion or marketing events | Attribution, campaign measurement, conversions | Advertising | Separate from the TikTok Pixel; may operate in combination with the browser pixel |
Important information
These server-side flows are documented here so that you understand that measurement may also exist outside local browser storage. They should be read together with the consent categories applicable to their purpose (Analytics or Advertising), not as a way to bypass your preferences.
AI and document-processing providers are different
The core document-processing providers currently used by EditMyPDF, such as OpenAI, Anthropic, xAI, and Google Cloud Vision, are currently called from EditMyPDF’s backend for document-processing operations. In the current product architecture, they are not listed in this cookie policy as browser-side trackers because the core AI/document-processing path does not rely on their browser SDKs or browser cookies.
The categories of data sent to those providers, their contractual role, and the retention information relevant to those server-side calls are described in the Privacy Policy, not in this browser-tracker policy.
The Privacy Policy also contains the provider-by-provider information we currently publish about international transfers, including the current region or endpoint assumptions we use and the transfer mechanism we publicly rely on for those providers.
The Privacy Policy also contains the broader recipient / subprocessor matrix for backend providers and browser-side measurement providers, including our current public role assumptions for each main provider family.
7. Authentication, payment, security, and anti-fraud
Authentication
When you use sign-in or session-management functions, EditMyPDF may rely on Auth0 or authentication-related components. These components may use session cookies or other technical mechanisms necessary for:
- opening and maintaining a session;
- single sign-on (SSO), where available;
- handling certain verification flows;
- protection against certain attacks.
We treat these mechanisms as Necessary where they are required for the sign-in function or account protection.
Payment
On compatible pricing or billing pages, EditMyPDF may start loading Stripe.js before you open a payment flow. The interactive Stripe Embedded Checkout or payment element opens only after your action. These components may use their own cookies, storage, or technical signals to:
- display payment elements properly;
- secure the transaction;
- prevent fraud;
- link the different steps of the same checkout.
We do not classify these mechanisms as “analytics” by default. Where they are strictly necessary to perform the payment you requested or to secure that payment, we treat them as Necessary or, more broadly, as functionally necessary mechanisms for the service explicitly requested.
Separate from those browser-side Stripe components, EditMyPDF also keeps limited server-side Stripe metadata needed for billing operations, such as customer, checkout-session, subscription, invoice, product, and price identifiers, subscription state, paid-access expiry, and certain limited checkout risk or attribution fields. We do not store full card numbers, card security codes, raw Stripe webhook payloads, or a standard local chargeback/dispute payload archive in our billing tables. The retention periods and billing-dispute explanations for those server-side billing records are described in the Privacy Policy.
Security, fraud prevention, and abuse prevention
EditMyPDF also uses security and anti-abuse mechanisms, including:
- session and CSRF protections;
- trial usage limiting logic;
- abuse-prevention controls;
- device intelligence / fingerprinting mechanisms via Fingerprint Pro.
These mechanisms are used to protect the service, limit abusive behavior, detect automated or fraudulent use, and preserve the integrity of the trial period. They are not implemented for advertising personalization.
Where EditMyPDF considers those controls necessary for security, fraud prevention, abuse prevention, trial protection, or service integrity, certain device-intelligence or fingerprint-based checks may run before optional Analytics or Advertising consent is granted.
Subject to ongoing technical validation, EditMyPDF classifies these mechanisms as Necessary insofar as they pursue security, service integrity, and abuse-prevention purposes.
As an operational indication, the browser-side trial_token currently lasts about 1 day. Separate server-side anti-abuse and Fingerprint controls may operate on much shorter windows ranging from seconds or minutes to 24 hours, with certain graph or linkage relations lasting up to 7 days and broader persisted enforcement records retained for up to 180 days. Those server-side retention windows are described in the Privacy Policy because they are not all browser cookies.
8. How to manage your preferences
You can manage your choices at any time from the cookie preference center made available by EditMyPDF.
From this center, you can:
- accept or refuse the Analytics and Advertising categories;
- keep only Necessary technologies active;
- change your decision later.
You can also delete certain cookies and storage entries from your browser settings. However, doing so may prevent certain features from working properly, especially session management, authentication, language settings, checkout, abuse prevention, or journey resumption.
The cookie preference center only manages browser-side trackers and similar technologies. For account-level privacy actions such as requesting a personal-data export or submitting an account-deletion request, please use the logged-in account settings area or contact us as described in the Privacy Policy. The Privacy Policy also describes our current internal admin/support and incident-handling access model for retained run and document data.
9. Updating and withdrawing consent
You may withdraw or change your consent at any time through the cookie preference center. Withdrawal or modification does not affect the lawfulness of operations already carried out before your choice changed, but it will apply going forward depending on the nature of the tracker or integration concerned.
If you withdraw your consent, certain non-necessary cookies or storage entries may be deleted, may stop being used, or may no longer be reloaded during future visits, depending on how the relevant provider and your browser operate.
10. Questions / contact
If you have any questions about this policy, your cookie preferences, or your data protection requests, you can write to us at:
11. Changes to this policy
We may update this policy to reflect:
- changes in tools or providers;
- changes in our sign-in, payment, security, or measurement flows;
- regulatory or documentation changes.
The “Last updated” date at the top of this page identifies the applicable version.