Skip to main content
← Back to home

Cookie Policy

Last Updated: 22 June 2026

Version: 1.4 | Status: Published

Effective Date: February 2026

1. Scope of This Policy

This Cookie Policy applies to all SCORE domains:

  • scorehq.io – This marketing website (the site you are on now)
  • hub.scorehq.io – The SCORE platform (when you log in to use SCORE)

It explains what cookies and similar technologies we use on each and how you can control them.

2. What Are Cookies?

Cookies are small text files stored on your device when you visit a website. They can help sites remember your preferences, keep you signed in, or understand how the site is used.

Cookies can be session (deleted when you close your browser) or persistent (they remain until they expire or you delete them). They may be set by us (first-party) or by other services we use (third-party). Cookies that are HttpOnly and SameSite cannot be read by JavaScript, which helps protect against certain attacks.

3. This Website (scorehq.io)

When you browse scorehq.io, we use local storage and, where forms are present, Cloudflare Turnstile may set a short-lived cookie. With your consent, we also use PostHog analytics to understand how the site is used.

Storage Type Purpose Type Duration
Dark mode (localStorage) Remember your light/dark theme preference Strictly Necessary Persistent (until cleared)
cf_clearance (Cloudflare Turnstile) Bot protection on public-facing forms (sign-up, login, contact) Strictly Necessary ~30 minutes
ph_* (PostHog, EU) Web analytics — counts visits and which pages are used (EU-hosted; IP discarded; no advertising or cross-site tracking) Analytics & product improvement (consent required) Up to 12 months
score_cookie_consent Remembers your cookie choices (categories, policy version, timestamp) Strictly Necessary 12 months

The dark-mode preference, Cloudflare Turnstile and the score_cookie_consent cookie are strictly necessary for the site to function and to honour your choices; under PECR no consent is required for these. Dark mode storage is not used for tracking. Cloudflare Turnstile receives only the challenge request and browser metadata for bot detection — no form field values are transmitted.

Analytics (PostHog) requires your consent. PostHog does not load and writes no ph_* cookies or storage until you opt in via our cookie banner — analytics is off by default. You can accept, reject, or change your choice at any time using the “Cookie settings” link in the footer. If you reject, the site remains fully usable. We host PostHog in the EU (eu.i.posthog.com), discard visitor IP addresses, mask captured text, and do not use advertising or cross-site tracking; see the PostHog privacy notice. We record your choice in the score_cookie_consent cookie (set on .scorehq.io) so it can also apply when you visit the SCORE platform; we re-ask after 12 months or if this policy materially changes.

This site also loads fonts from Google Fonts (fonts.googleapis.com and fonts.gstatic.com). We do not use Google Analytics, advertising, or cross-site tracking on this website.

4. SCORE Platform (hub.scorehq.io)

When you use the SCORE platform at hub.scorehq.io, we use a small number of strictly necessary cookies to run the service, plus optional analytics, session replay, and experiment technologies that we only switch on with your consent. A consent banner (section 4.2) lets you accept or reject these the first time you visit — before and after you log in — and you can change your choice at any time.

4.1 Strictly Necessary Cookies (no consent required)

These are essential for the platform to work — signing in, security, and remembering your cookie choices. Under PECR they can be set without consent because the service cannot function without them. All are first-party.

Cookie / Storage Purpose Type Expiry
_score_session Authentication / session, CSRF protection, flash messages Strictly Necessary — HttpOnly, Secure, SameSite=Lax 24 hours
_remember "Remember me" persistent login (Rodauth) Strictly Necessary — HttpOnly, Secure, SameSite=Lax ~14 days
Rails CSRF token Anti-forgery security (request validation) Strictly Necessary — session field Session
score_cookie_consent Remembers which cookie categories you allowed, so we can honour your choice (shared with scorehq.io) Strictly Necessary — Secure, SameSite=Lax (readable by our scripts so the choice can be applied; not HttpOnly, and not used for tracking) 12 months
cf_clearance (Cloudflare Turnstile) Bot-protection challenge result on login / sign-up (cookie + sessionStorage) Strictly Necessary ~30 minutes

4.2 Your Cookie Choices (consent banner)

The first time you use the platform — both before and after you log in — a consent banner appears. It offers, with equal prominence:

  • Accept all — turn on every optional category
  • Reject all — keep only strictly necessary cookies
  • Manage preferences — choose each optional category individually

Strictly necessary cookies are always on and cannot be switched off. The three optional categories are:

Category What it does
Analytics & product improvement Helps us see which features are used so we can improve SCORE.
Session replay Records masked screen interactions to diagnose bugs and usability issues.
Experiments & A/B testing Lets us trial improvements with a subset of users before rolling them out.

Optional technologies stay switched off until you opt in. We load the analytics and replay tools in a dormant state and only activate them once you have given consent. If you reject, or simply close the banner without accepting, they stay off and set no cookies.

Changing your mind. You can revisit your choices at any time using the persistent "Cookie settings" button on the platform, or from Settings → Privacy & Cookies, where you can also view your recorded consent. Withdrawing consent stops the relevant technology and is as easy as giving it.

How long your choice lasts. Your choice is stored for 12 months, after which we ask again. We will also ask again if we materially change the cookies or technologies we use — we track this with a policy version, currently version 1.

4.3 Analytics & Product Improvement (consent: analytics)

When you allow analytics, we use PostHog (EU Cloud) to understand which features are used so we can improve the product.

Identifier Purpose Type Expiry Provider
ph_* (e.g. ph_<project>_posthog) Product analytics — page views, feature usage Cookie + localStorage ~12 months PostHog (EU)
score_anonymous_id Links a pre-login cookie choice to your device localStorage Until cleared SCORE (1st party)

PostHog is hosted in the EU (eu.i.posthog.com). The PostHog SDK loads in an opted-out, in-memory state and sets no analytics cookies unless you opt in. See the PostHog privacy notice.

4.4 Session Replay (consent: session_replay)

When you allow session replay, we record masked screen interactions to diagnose bugs and usability problems. Text inputs are masked, so we do not capture what you type. Two providers are used:

Identifier Purpose Type Provider
PostHog session recorder Masked replay for usability / bug diagnosis localStorage / session PostHog (EU)
Sentry Replay Masked replay attached to error reports localStorage / session Sentry (EU)

Both mask text inputs (and, in production, all text and media). Replay is off unless you opt in: the Sentry Replay integration is only added once you consent. Sentry error monitoring without replay runs as a strictly-necessary reliability function and is described in section 4.6. See the PostHog privacy notice and the Sentry privacy policy.

4.5 Experiments & A/B Testing (consent: experiments)

When you allow experiments, we use PostHog feature flags to trial improvements with a subset of users before rolling them out more widely.

Identifier Purpose Type Expiry Provider
PostHog feature flags A/B testing and staged rollouts Cookie / localStorage ~12 months PostHog (EU)

4.6 Other Third-Party Services on the SCORE Platform

We also use the following services on the SCORE platform:

Service Purpose Type
Sentry (browser.sentry-cdn.com) Error tracking, performance monitoring, user feedback widget Strictly Necessary / Reliability (replay is consent-based — see 4.4)
Featurebase (do.featurebase.app) In-app support messenger, help centre, release changelog, public feedback board Functional / Support
Cloudflare Turnstile Bot-protection challenge on login and sign-up forms Strictly Necessary

Cloudflare Turnstile receives only the challenge request and browser metadata for bot detection — no form field values (email, password) are transmitted to Cloudflare. Sentry's error-monitoring SDK runs as a strictly-necessary reliability function and does not set tracking cookies; its session replay integration is optional and only activated with your session_replay consent (see section 4.4).

The Featurebase support messenger and feedback board (loaded from do.featurebase.app) may set a small number of first-party or third-party cookies and/or use localStorage to keep your conversation session alive, remember whether the messenger is open, and verify your identity via a signed JSON Web Token (JWT) issued by SCORE. These are required for the messenger and board to function. Featurebase does not place advertising or cross-site tracking cookies on the SCORE platform. Cookies and storage set by Featurebase are documented by the vendor at help.featurebase.app. If you clear site data for do.featurebase.app or block third-party cookies, the in-app messenger may no longer work; you can still contact us by email at hello@scorehq.io.

We do not use Google Analytics, Hotjar, or any marketing or advertising cookies on the SCORE platform.

5. What We Don’t Use

Across all SCORE domains we do not use:

  • Marketing or advertising cookies
  • Google Analytics, Hotjar, or similar third-party advertising analytics
  • Cross-site tracking or ad-network cookies
  • Automated decision-making or profiling based on cookie data

On the marketing website (scorehq.io) the only non-essential technology is consent-based PostHog analytics, which is off by default and loads solely with your consent (see section 3). On the SCORE platform (hub.scorehq.io) the only analytics, session replay, and experimentation technologies we use are the consent-based ones described in section 4 — provided by PostHog (EU) and Sentry (EU) — and they remain switched off unless you opt in. You can withdraw consent at any time via the "Cookie settings" link in the footer (both sites) or Settings → Privacy & Cookies (on the platform).

6. If We Change the Cookies We Use

Optional cookies and similar technologies are governed by a policy version (currently version 1) built into the consent mechanism. If we materially change the set of cookies or technologies we use, or their purposes, we will:

  • Update this Cookie Policy and the "Last Updated" date
  • Add, amend, or remove the relevant rows in sections 3 and 4
  • Bump the policy version, which re-prompts every user for fresh consent before any new non-essential technology is switched on
  • Obtain your consent before setting any new non-essential cookie, as required under PECR

7. Managing Cookies and Storage

You can control or delete cookies and local storage through your browser:

  • Chrome: Settings → Privacy and Security → Cookies and other site data
  • Firefox: Settings → Privacy & Security → Cookies and Site Data
  • Safari: Preferences → Privacy → Manage Website Data
  • Edge: Settings → Cookies and site permissions → Manage and delete cookies

Blocking or deleting the platform cookies (_score_session, _remember) will log you out or prevent you from staying signed in. Clearing local storage for scorehq.io will reset your dark mode preference to the default.

8. Updates to This Policy

We may update this Cookie Policy to reflect changes in how we use cookies or similar technologies, or in law. When we do, we will update the "Last Updated" date. Material changes will be communicated where appropriate (e.g. via a notice on the website or platform).

9. More Information

Questions about cookies?
Email: compliance@scorehq.io

Related policies:

Regulatory information:
This Cookie Policy is intended to comply with UK GDPR and the Privacy and Electronic Communications Regulations (PECR).

10. Cookie Declaration

Last audited: June 2026
Next audit: September 2026

For a full list of cookies and similar technologies used on each domain, see section 3 (this website, scorehq.io) and section 4 (SCORE platform, hub.scorehq.io) above.

Version History

  • v1.4 (22 June 2026): Major update for the platform cookie-consent banner. Restructured §4 into strictly-necessary cookies (§4.1, adds score_cookie_consent, CSRF, cf_clearance), the consent banner and four categories (§4.2), and consent-based analytics (§4.3, PostHog EU, score_anonymous_id), session replay (§4.4, PostHog + Sentry, masked), and experiments (§4.5, PostHog feature flags). Reframed Sentry in §4.6 (error monitoring strictly necessary; replay consent-based). Added consent-based PostHog web analytics on scorehq.io (§3, off by default, EU-hosted, IP discarded) with a first-visit banner and footer “Cookie settings”. Replaced §6 with a policy-version re-consent rule (version 1, 12-month expiry). Moved this policy to /cookie-policy to match the platform consent banner link.
  • v1.3 (29 April 2026): Added Cloudflare Turnstile (cf_clearance cookie) for bot protection on scorehq.io public forms and hub.scorehq.io login/sign-up; added "Cross-site tracking cookies" to What We Don't Use.
  • v1.2 (10 April 2026): Added Featurebase support messenger to §4.1 third-party services, noting cookies/localStorage required for in-app chat, help centre and changelog functionality.
  • v1.1 (10 March 2026): Expanded to full policy: scope, cookie descriptions, third-party services, browser management, future changes.
  • v1.0 (February 2026): Initial version.

220 Yards Ltd
Company No. 07563087
Email: compliance@scorehq.io
Website: scorehq.io