Cookie Policy
Last updated: 2026-05-19 · Version 3
The short version
- We use a small set of cookies. The only ones that load without asking are the ones that keep you signed in and the site working.
- Everything else (analytics, attribution) waits for you to click Accept on the cookie banner.
- You can change your mind any time from the Manage cookies link in the footer or from Settings → Privacy after you sign in.
What a cookie is
A cookie is a small file your browser stores when you visit a website. Sites use cookies to remember things between visits — whether you’re signed in, which preferences you’ve set, and (with your consent) how you ended up here. Some “cookies” on this page are technically localStorage entries, which serve the same purpose. The rules in this policy apply to both.
Strictly necessary
These run without consent because the site cannot function without them.
- Authentication session. A Supabase-issued session cookie that proves you’re signed in. Set after you log in; cleared when you sign out. Expires after a few weeks of inactivity.
- CSRF protection. A cryptographic nonce that prevents another site from submitting forms on your behalf. Session-scoped.
- Cookie preference (spunto_consent_marketing). Stores your Accept / Reject decision so we don’t ask again every visit. Lasts up to 13 months, then we ask again.
- Sidebar / rail layout (studio.rail-collapsed). Remembers whether you collapsed the assistant rail so the next page paint matches your previous choice. Lasts up to a year.
- Theme preference (spunto-theme in localStorage). Stores your light / dark / system choice so the right theme paints on first load.
- Welcome flag (spunto:welcome in sessionStorage). Remembers that you’ve seen the one-time welcome banner this session. Cleared when you close the browser.
- Alpha-access cookie (spunto_alpha). HMAC-signed flag confirming you entered the alpha access code. Required to view any page on the site during the closed alpha. Lasts up to 90 days.
Analytics (your choice)
Google Analytics only loads if you accept the banner. PostHog is different: it runs in cookieless mode from your first visit (counting unique visitors anonymously via a server-side daily hash). If you accept, it switches to cookie mode for returning visitors. If you reject, it stays cookieless. Details for each below.
- PostHog (ph_*). Product analytics for both the public website and the authenticated app. EU region. On the public website, PostHog runs in cookieless mode from your first visit — a server-side daily-rotating hash that counts unique visitors without storing anything in your browser. If you accept the banner, it switches to cookie mode so we can see returning visitors. If you reject, it stays cookieless. Inside the app, we run PostHog with cookies under a legitimate-interest basis (you have an account, you’ve accepted our Terms) and you can opt out at any time from Settings → Privacy.
- Google Analytics 4 (_ga, _ga_*). Traffic measurement on our public website only. Operated by Google LLC under the EU-US Data Privacy Framework. We do not load Google Analytics inside the authenticated app. Lifetime: managed by Google’s defaults for the _ga family.
What we do not use
- No advertising or remarketing pixels.
- No cross-site tracking cookies.
- No social-network “share” trackers.
- No third-party fingerprinting.
How to change your mind
- On the public site: click Manage cookies in the footer to reopen the banner.
- Inside the app: go to Settings → Privacy. Toggle Product analytics on or off, or reopen the cookie banner.
- Browser-level: your browser settings let you delete cookies or block them entirely. That works too; we honour it.
Consent Mode
When you reject analytics cookies, we still send Google a signal (called “Consent Mode v2”) saying you have not granted consent. Google uses this to estimate aggregate traffic without identifying you. We do not enable ad-personalization signals regardless of your choice.
More information
The broader Privacy Policy covers what data we collect, where it’s stored, and your rights. Questions? Email privacy@spunto.ai.