Cookies and similar technologies
Last updated: 2026-07-10. This policy explains what cookies and similar technologies (“cookies”) ProofRows sets when you use ProofRows, why we set them, and how to change your preferences.
1. What are cookies and similar technologies?
A cookie is a small text file a website asks your browser to store, tied to a name, and to send back on subsequent requests. We use the word “cookie” in this policy to cover all four technologies that can read or write information on your device: HTTP cookies, localStorage, sessionStorage, and request-hash identifiers (a daily-rotating fingerprint of an HTTP request used for analytics). The legal rules under the EU ePrivacy Directive and the UK PECR apply to all of them.
Some cookies are strictly necessary to deliver a service you have asked for — for example, keeping you signed in. These do not require your consent. Every other cookie requires your prior, freely-given, specific, informed, and unambiguous consent under the GDPR and equivalent laws.
2. Cookies we use
The table below is exhaustive for the public marketing site and the authenticated app today. We re-audit it every quarter and update this page when anything changes.
| Name | Vendor | Purpose | Category | Expiry | First/Third |
|---|---|---|---|---|---|
| sb-<project-ref>-auth-token | Supabase | Holds your Supabase Auth session (an encoded JWT) so the app can identify you across page loads. Set on /auth/callback and refreshed on every server request. | Strictly necessary | Sliding 1 year (refreshed on use) | First-party |
| sb-<project-ref>-auth-token-code-verifier | Supabase | PKCE code-verifier used during sign-in and email-link flows to defeat authorization-code interception. Cleared on success. | Strictly necessary | Session (cleared on success) | First-party |
| __stripe_mid | Stripe | Stripe fraud-prevention device identifier, set on the Stripe Checkout domain when you click Subscribe. | Strictly necessary (payment) | 1 year | Third-party (Stripe) |
| __stripe_sid | Stripe | Stripe Checkout session identifier, set on the Stripe Checkout domain during a checkout flow. | Strictly necessary (payment) | 30 minutes | Third-party (Stripe) |
Things we do not currently set. We do not use Google Analytics, Google Tag Manager, Meta Pixel, LinkedIn Insight, Hotjar, TikTok, Pinterest, HubSpot, Intercom, Calendly, YouTube embeds, or any third-party advertising cookies. Sentry is loaded for error reporting only with replaysSessionSampleRate: 0, so no Sentry session-replay cookies are set. PostHog is referenced in our environment configuration but its SDK is not imported anywhere in the application today. Vercel Web Analytics and Vercel Speed Insights are not enabled.
When we add any of the above, we will list them here, update the consent banner to include the new category, and request re-consent from existing users before the new code starts running.
3. Lawful basis
Strictly necessary cookies — the two Supabase auth cookies and the two Stripe payment cookies — are set without consent because they are required to deliver the service you have asked for (Article 5(3) of the ePrivacy Directive, ICO strictly-necessary exception, equivalent under CCPA, LGPD, Quebec Law 25). All other cookies require your consent.
Analytics cookies — such as Sentry session-replay (currently disabled) and PostHog (not loaded) — are only set after you opt in via the cookie banner. Under UK PECR as amended by the Data (Use and Access) Act 2025, first-party analytics cookies used solely to improve our own service are exempt from consent provided we offer a free opt-out; we will offer that opt-out as a matter of course in the consent banner.
Marketing cookies are not in use. The category exists in the consent banner to future-proof the design; if we add marketing technology later, you will be asked to opt in before it loads.
4. Your choices
The first time you visit, a banner appears at the bottom of the page with three buttons: Accept all, Reject non-essential, and Manage preferences. Reject and Accept have equal visual weight, and the three categories inside “Manage preferences” are off by default — we never pre-tick a non-essential category.
You can change your mind at any time: click Cookie preferences in the website footer (and in Settings → Privacy for signed-in users) to re-open the preferences dialog. Withdrawal is as easy as giving consent — it is one click in the same dialog. We also honour the browser-level Global Privacy Control signal: if your browser sends Sec-GPC: 1 or sets navigator.globalPrivacyControl = true, we treat that as “reject non-essential” and show a small confirmation chip in the banner saying “Global Privacy Control honored.”
We log every consent decision — accept, reject, or a granular choice — with a timestamp, the policy version, and an anonymised hash of your IP and user agent, so we can demonstrate compliance if a regulator asks. Logs are kept for at least 18 months in line with Quebec Law 25 guidance.
5. Browser controls
You can block or delete cookies in your browser at any time. Doing so will sign you out of ProofRows and may break other sites; for ProofRows specifically, blocking the two Supabase auth cookies will prevent you from staying signed in. Useful entry points:
- Chrome: Settings → Privacy and security → Cookies and other site data
- Safari: Preferences → Privacy → Manage Website Data
- Firefox: Settings → Privacy → Cookies and Site Data
- Edge: Settings → Cookies and site permissions → Cookies and site data
6. Global Privacy Control (GPC)
Global Privacy Control is a browser- or extension-level signal that communicates your opt-out preference under the California Consumer Privacy Act and a growing list of US state privacy laws (Colorado, Connecticut, Delaware, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, and Texas as of January 2026). We honour GPC: when we detect the signal, we do not set non-essential cookies and we display a visible “Opt-Out Preference Signal Honored” notice as required by the California Privacy Protection Agency’s 2026 regulations.
7. Do Not Sell or Share (California / CCPA)
ProofRows does not sell or share personal information for cross-context behavioural advertising. We do not run third-party advertising or marketing pixels. If our practices ever change, we will update this page and surface a Do Not Sell or Share My Personal Information link in the footer of every page. California residents may also exercise access, deletion, and correction rights by emailing privacy@proofrows.com.
8. Updates to this policy
We will update this page when we add, remove, or change the purpose of any cookie. The “Last updated” date at the top reflects the most recent change. If the change adds a new category of non-essential cookie or a new vendor, we will re-prompt existing users before the new code runs.
9. Contact
Questions about this policy, or a data-access / data-deletion request under GDPR, UK GDPR, CCPA, Quebec Law 25, LGPD, or any other applicable law, can be sent to privacy@proofrows.com. We respond within the deadlines set by the applicable law (one month under GDPR, 45 days under CCPA, 30 days under Law 25).
See also: Privacy policy · Terms of service.