Cookies & tracking
What we set and why.
Last updated 09 May 2026
We use cookies sparingly. Categories:
Strictly necessary (cannot be disabled)
· Supabase session cookies (sb-access-token, sb-refresh-token) — required for login.
· CSRF token — required for Server Actions.
Functional
· locale and timezone preferences (stored in user_metadata, not in a cookie).
Analytics
· None on dashboard pages.
· On public marketing pages: lightweight first-party analytics (page views + referrer only). No third-party Google Analytics or Meta Pixel.
Marketing
· None. No remarketing tags, no ad-network beacons.
What we don't set:
· No DoubleClick.
· No Facebook Pixel.
· No LinkedIn Insight.
· No cross-site tracking of any kind.
Public pages honor the "Do Not Track" header. Authenticated session cookies are set with HttpOnly, Secure and SameSite=Lax.
