Cookie Policy
1. What cookies are
Cookies are small text files placed in your browser. We also use related technologies (localStorage, sessionStorage) for the same purposes. This policy covers all of them as "cookies" for simplicity.
2. Categories we use
2.1 Strictly necessary (no consent required)
| Cookie | Purpose | Duration |
|---|---|---|
| sb-access-token | Auth session (Supabase) | 1 hour rolling |
| sb-refresh-token | Auth refresh (Supabase) | 30 days |
| cf_turnstile_clearance | Bot challenge result (Cloudflare Turnstile) | 30 minutes |
| __Host-csrf | CSRF token | Session |
These are required for the Service to function. They cannot be declined while you are signed in.
2.2 Functional (set when you save preferences)
| Cookie | Purpose | Duration |
|---|---|---|
| findrix_locale | Preferred language (Phase 4) | 1 year |
| findrix_cookie_consent | Records your cookie choice | 1 year |
2.3 Analytics (consent required)
| Service | Purpose | Duration |
|---|---|---|
| PostHog (eu.i.posthog.com) | Anonymized product analytics | 13 months |
| Google Analytics 4 (googletagmanager.com) | Traffic & usage analytics (_ga, _ga_* cookies; Google Consent Mode v2) | Up to 2 years |
PostHog and Google Analytics run only after you click "Accept all" on our cookie banner. They record anonymized events (page views, button clicks) and do not record passwords or sensitive form fields. Until you accept, Google Analytics runs in Consent Mode with storage denied — it sets no _ga cookies. We never enable Google's advertising or remarketing signals (ad storage and ad personalization stay denied at all times).
3. Manage your choice
The cookie banner that appears on first visit lets you accept or reject analytics cookies. To change your choice later: clear your site data for findrix.ai in your browser, then reload — the banner will re-appear.
Browser-level controls are also available — see your browser's help pages for "manage cookies".
4. Third-party cookies
We do not embed third-party advertising trackers, social media pixels, or remarketing tags. The only third-party cookies present are from sub-processors essential to the Service (Cloudflare, Supabase, Stripe on paid tiers) and, with your consent, our analytics providers PostHog and Google Analytics.
5. Do Not Track
We honor browser-level Do Not Track signals: when set, we never grant analytics consent regardless of cookie banner status. No analytics cookies are set — PostHog is not loaded at all, and Google Analytics stays in Consent Mode "denied" (no _ga cookies, no identifiable analytics).
6. Updates
When we add new cookies, we update this page and re-prompt for consent on next visit.
7. Contact
Cookie questions: privacy@findrix.ai. See also our Privacy Policy.
