Cookie Policy

Effective: April 25, 2026

This Cookie Policy describes the cookies and similar storage technologies (localStorage, sessionStorage) used by RevenueRaccoon and our sub-processors. We treat localStorage and sessionStorage as equivalent to cookies for the purposes of this policy.

1. Categories

  • Strictly necessary: required for authentication, session management, security, CSRF protection, payment processing, and first-party preference storage (theme, active workspace). These are not tracking mechanisms and cannot be disabled while using the Service.
  • Analytics: aggregated usage data and error diagnostics that help us improve reliability and product experience. Off by default for users in opt-in regions (EEA/UK/CH/BR).

2. Cookies and Storage We Set

  • Supabase auth (sb-*) — strictly necessary. Holds your authenticated session.
  • CSRF token — strictly necessary. Prevents cross-site request forgery against authenticated endpoints.
  • Theme and workspace preferences (localStorage) — strictly necessary. Remembers your last-selected theme and active organization. First-party only; not shared with third parties or used for tracking.

3. Cookies and Storage Set by Third Parties

The following sub-processors may set cookies or use browser storage when you load pages of the Service. See our Privacy Policy for their roles.

  • Google OAuth (__Secure-*, G_AUTHUSER_*) — strictly necessary during sign-in. Set on Google domains, not ours, and only when you choose to sign in with Google.
  • Stripe (__stripe_mid, __stripe_sid) — strictly necessary on checkout and billing pages for fraud detection. Set by Stripe.js.
  • PostHog (ph_* cookies and localStorage) — analytics. Stores an anonymous device identifier and event queue. Session recording is enabled with all text and form inputs masked; network request bodies and headers are not captured. Recording is disabled at boot for users whose stored consent rejects analytics, and is stopped at runtime when consent is withdrawn.
  • Sentry (sessionStorage and short-lived in-memory buffers) — analytics. Used for error grouping and a low-sample session replay (10% of sessions, rising to 100% for sessions in which an error occurs) with all text and form inputs masked and media blocked. Replay is disabled at boot for users whose stored consent rejects analytics, and is stopped at runtime when consent is withdrawn. Sentry error reporting itself remains active under legitimate interest (security/reliability), with PII scrubbing applied in the SDK's beforeSend hook before any event leaves the browser.
  • Vercel — our hosting provider may set short-lived cookies for deployment routing, DDoS protection, and bot detection.

4. Managing Cookies

You can change your cookie preferences at any time using the Cookie preferences link in the footer of every page, or from Settings → Privacy if you are signed in. Visitors from regions requiring opt-in (the EEA, the UK, Switzerland, and Brazil) are shown a consent banner on first visit; non-essential storage stays disabled until accepted.

You can also clear or block cookies through your browser settings. Blocking strictly-necessary cookies will prevent the Service from working correctly (you will not be able to sign in or pay). Do Not Track is honored independently of the banner — see Section 5.

Each consent decision is recorded in an immutable audit log so we can demonstrate compliance with GDPR Article 7(1). Authenticated users can view their consent history under Settings → Privacy.

5. Do Not Track

When your browser sends a Do Not Track signal, our PostHog configuration suppresses browser-side analytics events from your session (pageviews, clicks, and feature interactions). Server-side events tied to your account (such as completing a simulation) are still recorded for billing, audit, and reliability purposes; these are linked to your account identifier rather than a browser fingerprint.
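As an added illustration (not code from RevenueRaccoon or its sub-processors), the following JavaScript shows how the consent and Do Not Track rules described in Section 3 (PostHog and Sentry entries) and Section 5 can be expressed as a boot-time configuration decision, a runtime withdrawal handler, and a beforeSend-style PII scrubber. The helper names (OPT_IN_REGIONS, buildAnalyticsConfig, applyWithdrawal, scrubEvent), the injected navigator/window objects and the sample events are assumptions for the sake of the example; the PostHog and Sentry option names are those SDKs' documented options, but the mapping from a consent record to those options is this illustration's own, not the Service's.

```javascript
// Added example, not RevenueRaccoon's code. Shows consent- and DNT-gated
// analytics boot, runtime withdrawal, and a beforeSend-style PII scrubber.
// OPT_IN_REGIONS, the consent record shape and the injected nav/win objects
// are assumptions made for this illustration.

const OPT_IN_REGIONS = new Set(['EEA', 'UK', 'CH', 'BR']);

// consent.analytics is true/false, or undefined when the banner is unanswered.
// Opt-in regions default to off; elsewhere analytics runs until opted out.
function analyticsAllowed(consent, region) {
  if (consent && typeof consent.analytics === 'boolean') return consent.analytics;
  return !OPT_IN_REGIONS.has(region);
}

// Do Not Track: navigator.doNotTrack is "1" when enabled; older browsers used
// window.doNotTrack or navigator.msDoNotTrack. nav/win are injected so this
// runs outside a browser.
function dntEnabled(nav = {}, win = {}) {
  const v = nav.doNotTrack ?? win.doNotTrack ?? nav.msDoNotTrack;
  return v === '1' || v === 'yes';
}

function buildAnalyticsConfig({ consent, region, nav, win }) {
  const allowed = analyticsAllowed(consent, region);
  const browserAnalytics = allowed && !dntEnabled(nav, win);
  return {
    // PostHog: recording stays off at boot unless consent permits it and no
    // DNT signal is present; respect_dnt makes the SDK honor DNT itself too.
    posthog: {
      opt_out_capturing_by_default: !browserAnalytics,
      disable_session_recording: !browserAnalytics,
      respect_dnt: true,
      session_recording: { maskAllInputs: true, maskTextSelector: '*' },
    },
    // Sentry: error reporting is always on (legitimate interest); replay is
    // sampled 10%/100%-on-error only when analytics consent exists.
    sentry: {
      replaysSessionSampleRate: allowed ? 0.1 : 0,
      replaysOnErrorSampleRate: allowed ? 1.0 : 0,
      replayOptions: { maskAllText: true, maskAllInputs: true, blockAllMedia: true },
    },
    // Server-side events tied to the account are unaffected by DNT or consent.
    serverEvents: true,
  };
}

// Runtime withdrawal: stop whatever is already running. With posthog-js the
// live client exposes stopSessionRecording() and opt_out_capturing(); the
// Sentry Replay integration exposes stop(). Clients are passed in so stubs
// can be used in tests. Returns the list of subsystems that were stopped.
function applyWithdrawal(clients) {
  const stopped = [];
  if (clients.posthog) {
    clients.posthog.stopSessionRecording();
    clients.posthog.opt_out_capturing();
    stopped.push('posthog');
  }
  if (clients.sentryReplay) {
    clients.sentryReplay.stop();
    stopped.push('sentry-replay');
  }
  return stopped;
}

// beforeSend-style scrubber for a Sentry-shaped event: drops direct user
// identifiers, removes request cookies and redacts credential-bearing headers.
// Works on a deep copy so the caller's event object is not mutated.
const REDACTED = '[Filtered]';
function scrubEvent(event) {
  const out = JSON.parse(JSON.stringify(event));
  if (out.user) {
    delete out.user.email;
    delete out.user.ip_address;
    delete out.user.username;
  }
  if (out.request) {
    delete out.request.cookies;
    const headers = out.request.headers || {};
    for (const name of Object.keys(headers)) {
      if (/^(authorization|cookie|set-cookie)$/i.test(name)) headers[name] = REDACTED;
    }
  }
  return out;
}
```

In practice buildAnalyticsConfig runs once before either SDK is initialised (so a rejecting consent never starts a recorder that then has to be stopped), applyWithdrawal is wired to the banner and Settings → Privacy, and scrubEvent is passed as Sentry's beforeSend so that nothing identifying reaches the error backend even when a session replay is attached.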

6. Contact

Questions: privacy@revenueraccoon.app.