Pre-launch

Cookie Policy

Last updated: 29 May 2026

Stackup uses cookies and similar technologies (localStorage, in-memory tokens) to keep you signed in, remember your preferences, and understand how the product is used. This draft policy lists what we set, why, and how long it sticks around.

1. The categories

Strictly necessary — sign-in, CSRF protection, session continuity. These can’t be switched off.

Analytics — anonymous usage metrics (PostHog EU) that help us see which features earn their keep.

Marketing — only set if you opt in; used for conversion measurement on ads we run.

2. The list

sb-access-token (necessary, Supabase auth, session) — keeps you signed in.

sb-refresh-token (necessary, 90 days) — silently refreshes your session.

stackup_cookie_consent_v1 (necessary, 12 months) — your choice on this banner, stored in localStorage.

ph_* (analytics, 12 months) — PostHog distinct_id.

__stripe_* (necessary on billing pages only) — required by Stripe Elements for anti-fraud.

3. Your choice

Use the banner that appears on your first visit, or come back here to change your mind. Rejecting non-essential cookies will not degrade the product’s core function.

4. Sensitive data

We never put bank tokens, full transaction data, or personal identifiers in cookies or localStorage. Those live server-side and are encrypted at rest.

5. Changes

If we add a new third-party cookie or change a cookie’s category, we’ll prompt you again. The cookie banner version is captured in the storage key (currently v1).

6. Contact

Email privacy@stackup.app with any cookie-specific questions.