Cookie Policy

Effective May 17, 2026

1. Scope of this policy

This policy covers both dailymood.me (the landing site) and my.dailymood.me (the actual web app). Each domain sets its own cookies; the list below covers both.

2. Strictly necessary cookies

These are required for the service to function. Under PDPA, they don't require consent. If you block them, the site won't work.

  • Session cookie (`next-auth.session-token`) — keeps you logged in on my.dailymood.me. Managed by NextAuth.js.
  • CSRF token — protects against cross-site request forgery attacks.
  • Stripe (`m`, `__stripe_mid`) — set when you reach Stripe Checkout to prevent fraud. Set directly by Stripe.
  • `dm-consent-seen` — records that you've seen the cookie notice banner, so we don't show it again. Lives in your browser's localStorage.
  • Cloudflare Turnstile — a human-verification check (anti-bot) used only when you try the "analyze my mood" box on the home page. Loaded from challenges.cloudflare.com to prevent spam and automated abuse. It's a security mechanism — not used for tracking or advertising.

3. Preference cookies

  • `NEXT_LOCALE` / `dm-lang` — remembers your language choice (Thai or English) so you see the right one on your next visit.

4. Analytics cookies

We use Google Analytics 4 (GA4) to understand how people use the site (which pages get the most visits, which browsers people use, etc.). We don't identify individuals. We enable anonymize_ip so your IP isn't stored in full.

Cookies set by GA4:

  • `_ga` — distinguishes unique users. 2-year expiry.
  • `_ga_*` — session state per property.

A banner notifies you on first visit that cookies are in use; continued use is treated as acknowledgement. To opt out of GA, block its cookies via your browser settings or install the Google Analytics Opt-out Browser Add-on.

5. Conversion measurement (Google Ads)

When you reach this site by clicking one of our ads on Google Search, Display, or YouTube, we use a Google Ads conversion tag to count that ad as having reached you. We don't identify you individually and don't use this data to build a personal profile.

Cookies set by Google Ads:

  • `_gcl_au` — links an ad click to a site visit. 3-month expiry.
  • `_gcl_*` — tracks campaign-level conversions.

To opt out of Google Ads tracking, manage your ad preferences at Google Ad Settings or block cookies in your browser settings.

6. What we don't use

To be clear, we do not use:

  • Meta Pixel (Facebook/Instagram), TikTok Pixel, LinkedIn Insight Tag
  • Session recording tools (Hotjar, FullStory, Microsoft Clarity)
  • Third-party chat widgets (Intercom, Crisp)
  • Embedded YouTube / Twitter / Instagram on our pages

7. Third-party data processors

The providers below process data server-side — they don't set cookies in your browser, but PDPA requires us to disclose them:

  • Google — OAuth (login) and AI models for AI features.
  • Stripe — payment processing for Pro.
  • Resend — transactional email (verification, password reset).
  • Cloudflare R2 — image and avatar storage.
  • Cloud hosting provider — runs our app and database.

See our Privacy Policy for more detail.

8. Managing cookies and opting out

To opt out of analytics or conversion tracking:

Note: If you block strictly-necessary cookies, you won't be able to log in and core DailyMood features won't work.

9. Contact our DPO

For questions about cookies or data protection, contact our Data Protection Officer at [email protected].