Cookies.

sb-access-token · Supabase Auth · Lifetime: 1 hour, refreshed automatically. Holds your active sign-in session. Without it you can't be logged in.

sb-refresh-token · Supabase Auth · Lifetime: 30 days. Lets the access token rotate without forcing you to sign in again.

x-request-id · Studio · Per request. Logs correlate to this id when we investigate a bug. No personal data.

ph_* · PostHog · Lifetime: 1 year. Anonymous product analytics — pages visited, features used, where the experience drags. Helps us prioritise what to fix. Off by default.

ph_session_* · PostHog · Lifetime: 30 minutes. Stitches a session into a single replay so we can debug specific bug reports. Off by default; respects DNT.

The cookie banner on first visit lets you accept or decline. You can change your choice any time from Settings → Privacy. Declining sets ph_optout and PostHog stops firing immediately.

Stripe Checkout sets its own cookies on its hosted pages (only when you're going through the subscription flow). Their policy is at stripe.com/privacy.