Cookie Policy

These are required for the site to function. They don't need consent under PECR/GDPR.

• sb-* — Supabase authentication session. Set on login, cleared on sign-out. HttpOnly, Secure. ~1 hour rolling expiry.
• cookie_consent — your recorded choice (accepted / rejected) so we don't show the banner again. 1 year.
• eval_lab_access — operator access flag for the internal eval lab. Only set if you're on the operator team. 30 days.

Set only if you click Accept all on the cookie banner. Used to measure how the product is used and where visitors drop off — never to identify you personally.

• anon_id — random UUID identifying your browser. 1 year. Used to stitch your visits together (e.g. drop-off funnels). Linked to your account on signup.
• analytics_sid — random UUID identifying your current visit. Sliding 30-min idle expiry. Used so server-fired events (chat, signup) attribute to the right session.

When consent is rejected (or not yet given) we still fire a bare page_view event with the normalised path (e.g. /app/m/[id]/chat), no query string, no referrer, no props — strictly necessary for spam/fraud detection and debugging.

Some flows require third-party cookies controlled by the processor:

• Payment processors (when wired) — for fraud detection
• Age verification (when wired) — for AVS attestation
• Email (Resend) — for delivery + open tracking on transactional emails

None of these are loaded until you actively use the relevant feature. Each has its own policy linked at the point of use.

You can:

• Click Reject non-essential in the banner
• Clear cookies via your browser at any time — we'll re-show the banner
• Manage account-level preferences at account settings
• Request all data we hold about you (or its deletion) via the privacy policy