Last updated: May 10, 2026
This Cookie Policy explains how cookies and similar technologies (such aslocalStorage, sessionStorage, pixels, and HTTP-only session cookies) are used in the context of ROAS.to. It covers two distinct surfaces, and the legal responsibility for each is different:
roas.to / www.roas.to) and inside the dashboard. ROAS.to is the controller for theseIf you are a visitor to a website that uses ROAS.to's tracking technology, this Cookie Policy is informational only — please consult that website's own privacy and cookie disclosures, and direct any rights requests to the operator of that website. See Section 5 of our Data Deletion page for more.
| Cookie / storage key | Purpose | Type | Duration | Set by |
|---|---|---|---|---|
__session, __client, __refresh_* | Authenticate you, keep you signed in, prevent session hijacking | Strictly necessary | Session – up to 1 year | Clerk (auth provider) |
roas_consent | Records your cookie consent choice on the marketing site (accepted / rejected) so we don't prompt you again unnecessarily | Strictly necessary (consent state) | 365 days | ROAS.to |
| UI preferences (in-browser) | Stores dashboard preferences (theme, column selections, filter and sort state) locally in your browser | Functional | Until you clear browser storage | ROAS.to (localStorage) |
_fbp, _fbc | Measure the performance of advertising we run for ROAS.to itself on Meta. Set only after you accept cookies on the consent banner (or in jurisdictions where opt-in consent is not required) | Measurement / ad performance | Up to 90 days | Meta Pixel (loaded by ROAS.to) |
_ga, _ga_*, _gid | Aggregate page-view and funnel measurement for ROAS.to itself, via Google Analytics 4. Set only after you accept cookies on the consent banner (or in jurisdictions where opt-in consent is not required) | Measurement / analytics | Up to 2 years (_ga); 24 hours (_gid) | Google Analytics 4 (loaded by ROAS.to) |
personalization_id, muc_ads, guest_id* | Measure the performance of advertising we run for ROAS.to itself on X (formerly Twitter). Set only after you accept cookies on the consent banner (or in jurisdictions where opt-in consent is not required) | Measurement / ad performance | Up to 2 years | X Pixel (loaded by ROAS.to) |
| Vercel Analytics (no cookie) | Anonymous page-view counting for ROAS.to. Uses no cookies and no client-side storage; the visitor's IP is truncated at the edge and discarded after session-bucketing. Loaded regardless of the consent banner because, under the ePrivacy Directive Article 5(3) carve-out for "strictly cookieless, aggregate-only analytics," no consent is required. Vercel Analytics is listed at /subprocessors | Functional / aggregate analytics (no storage) | N/A — no client-side storage | Vercel Analytics |
_ef_transaction_id, ef_tid_c_o_*, ef_tid_c_a_*, ef_affid, _roas_ef_aff | Attributes paying customers to the affiliate who referred them, so we can compensate affiliates as required by our affiliate-program contract. First- party, scoped to roas.to. Contains an opaque tracking id, the affiliate id, and the offer id — no personally-identifying information about the visitor | Affiliate attribution — see Section 1.2 for the framing | Up to 30 days | Everflow SDK (loaded by ROAS.to from amd83trk.com) and ROAS.to |
We use a geo-aware consent banner. Visitors located in the European Economic Area (EU-27 plus Iceland, Liechtenstein, and Norway), the United Kingdom, and Switzerland see an opt-in banner the first time they arrive. Until consent is given, no advertising-measurement cookies are set (this includes Meta Pixel cookies such as _fbp and _fbc, Google Analytics 4 cookies such as _ga and _ga_*, and X (Twitter) Pixel cookies such as personalization_id); only strictly necessary and functional storage operates. Visitors located elsewhere may have advertising-measurement cookies set on first load, consistent with applicable law and the soft opt-in approach permitted in those jurisdictions.
Affiliate-program attribution cookies (the Everflow row above) are an exception we treat differently and want to be transparent about. They fire on first load — including in the EU/UK/CH window before the visitor has clicked Accept or Reject — so that an affiliate who refers a paying customer is correctly attributed even if the visitor takes the click before responding to the banner. If you actively reject non-essential tracking via the consent banner, we will not set or refresh these cookies for the duration of that preference, and we will clear any previously-set affiliate cookies and their local-storage mirrors.
We acknowledge that under the ePrivacy Directive Article 5(3), affiliate-tracking cookies are non-essential and ordinarily require prior opt-in consent regardless of the underlying GDPR legal basis for the processing. We are accepting that EU-side regulatory exposure as a documented business decision while ROAS.to is pre-launch and not actively marketing into the EU/UK/CH. We will revisit and gate these cookies behind explicit consent before onboarding affiliates in those jurisdictions, materially buying paid media into them, or in response to any supervisory-authority inquiry. We chose this disclosure over a stronger legal framing because being honest about a documented risk is more defensible than asserting a basis that does not survive scrutiny under ePrivacy.
You can change your decision at any time using the "Cookie preferences" link in the footer. Rejecting cookies clears any previously-set measurement cookies and prevents new affiliate-attribution cookies from being set. You can also disable cookies entirely in your browser, but this may degrade or break authenticated features of the dashboard.
The Service does not use cross-context behavioral advertising on roas.to itself, and we do not respond to any specific Do-Not-Track header beyond the consent-based logic described above. Where required by applicable US state privacy laws, we honor the Global Privacy Control (GPC) signal as an opt-out of "sale" or "sharing" — though we do not in fact sell or share personal information for cross-context behavioral advertising.
Read this section carefully if you are a ROAS.to Customer.
ROAS.to provides optional tracking technology that Customers may install on their own websites and apps. When deployed, this technology may set cookies and write to browser storage on the Customer's domain (or on a custom domain CNAME that the Customer has pointed at our edge worker). For the data set by these technologies, the Customer is the controller; ROAS.to is the processor on the Customer's instructions, as set out in our Data Processing Addendum.
| Key | Where | Purpose | Duration | Set by |
|---|---|---|---|---|
_roas_vid | Cookie + localStorage | First-party visitor identifier used to stitch a later conversion event back to the originating page view, enabling ad-level attribution even when click identifiers are stripped or expire | 365 days | pixel.js / shopify.js / bridge.js |
_roas_sub1, _roas_sub2, _roas_sub3 | Cookie | Persist campaign / ad set / ad identifiers from the URL so attribution survives navigation | 30 days | pixel.js / snippet |
_roas_sub4 | Cookie | Internal session-attribution chain (page / variant / click identifier) for on-page tests and link rotations | 30 days | pixel.js / snippet |
_roas_sub5, _roas_fbclid | Cookie | Persist the Facebook click identifier so it can be forwarded to Meta's Conversions API on a later conversion event | 90 days | pixel.js |
_lo_sub1, _lo_sub2, _lo_sub3 | sessionStorage | Same-tab attribution mirror for sub-IDs so cookie-blocked sessions still have within-tab attribution | Tab session | pixel.js / snippet |
_fbp | Cookie (where the Customer's Meta Pixel sets it) | Read by our pixel and forwarded to Meta's Conversions API for event deduplication. We do not fabricate this value if it is missing | Up to 90 days (set by Meta's pixel) | Meta Pixel (Customer-installed) |
| Edge / CNAME cookies | Cookie (Customer's custom domain) | For Customers using our snippet worker on a custom hostname (CNAME via Cloudflare for SaaS), our edge worker may set HMAC-signed UID and variant cookies for A/B-test routing on the Customer's domain | Configurable; default 30 days | roas-edge worker |
tid / click_id | Cookie (track.roas.to redirect) | Short-lived cookie for click attribution and bot detection on link redirects through our tracker | Session – 30 days | roas-edge / track.roas.to |
Where the Customer chooses to deploy ROAS.to's tracking technology on a website, app, or landing page, the Customer is responsible for:
ROAS.to does not deploy a consent banner on Customer properties and does not maintain a relationship with the Customer's end users. Section 9 of the Terms of Service imposes a pass-through indemnification: failure by the Customer to obtain notice or consent or to comply with applicable law in respect of these cookies and storage technologies is the Customer's responsibility, and the Customer indemnifies ROAS.to for related claims.
From the visitor's perspective, cookies set by our pixel/snippets/edge worker are typically first-party— they are scoped to the Customer's domain (or to a custom hostname pointed at our edge), not to roas.to. This makes them more resilient against browser anti-tracking measures than third-party cookies, but it also means responsibility for them sits with the Customer, the operator of the domain on which they are set.
ROAS.to does not "sell" or "share" personal information for cross-context behavioral advertising under the CCPA. As to data Customer processes via the Service, the Customer is the business and is responsible for determining and disclosing whether any of its own activity constitutes a sale or share under the CCPA, and for honoring opt-outs accordingly.
youronlinechoices.eu) and the DAA WebChoices page (youradchoices.com) offer third-party advertising opt-out controls. These tools do not directly affect the cookies described hereWe may update this Cookie Policy from time to time to reflect changes in the cookies we use, in the technology we deploy, or in legal requirements. The "Last updated" date above indicates when the most recent changes were made. Material changes will be communicated as set out in the Privacy Policy.
Questions about cookies on roas.to: privacy@roas.to. For cookies set by our tracking technology on a Customer site, please contact the operator of that site first; if you cannot identify or reach the operator, Section 5 of our Data Deletion page describes how to escalate to us.