1. What cookies are and what we use them for
A cookie is a small text file a website asks your browser to store, so the site can recognise you on later visits. "Similar technologies" includes localStorage, sessionStorage, IndexedDB, and pixel tags — for this policy we treat them all the same way.
We use cookies in four categories: strictly necessary (no consent required — without these the site doesn't work), security (also necessary — protect your session), preferences (remember your settings), and analytics (understand how the product is used in aggregate). Essential and security run by default. Preferences are set when you use the feature (you switch the theme; the theme cookie is set). Analytics — our first-party attribution beacon — runs only after you opt in via the consent banner, everywhere, and never under Do-Not-Track / Global Privacy Control.
2. The full list
Every cookie we set on apexgeo.app and the dashboard, what it does, and how long it lasts. If we add or remove a cookie, this list and the last-updated date change.
| Name | Category | Purpose | Retention | Party |
|---|---|---|---|---|
| sb-<project-ref>-auth-token | Strictly necessary | Supabase auth token — keeps you signed in to the dashboard. The <project-ref> placeholder is replaced with the actual project ID at runtime; the cookie is HttpOnly and same-site. | 1 hour rolling refresh; cleared on sign out. | First-party |
| sb-<project-ref>-auth-token-code-verifier | Strictly necessary | PKCE verifier used during the OAuth sign-in flow to protect against authorization-code interception. | Session; deleted after sign-in completes. | First-party |
| __Host-csrf-token | Security | CSRF protection — confirms write requests originated from our UI, not a malicious page. | Session; rotated on sign in. | First-party |
| apex-theme | Preferences | Remembers your dashboard theme preference (dark default). | 1 year. | First-party |
| NEXT_LOCALE | Preferences | Remembers your locale preference for localised pages. | 1 year. | First-party |
| _apex_consent (localStorage) | Preferences | Remembers whether you accepted or declined the attribution beacon, so the consent banner only shows once. | Until you clear site data. | First-party |
| _apex_vid (localStorage) | Analytics | Rotating first-party identifier for the attribution beacon — links a visit to the AI engine that referred it. Not cross-site, no ad profile. Only set after you accept. | Until you clear site data. | First-party |
3. What we do NOT use
- No advertising or marketing cookies. We don't set or allow any third-party ad cookies, retargeting pixels, or cross-site tracking on apexgeo.app or the dashboard.
- No data brokers, no ad-tech partners. We don't share device or browser identifiers with anyone in the advertising ecosystem.
- No third-party analytics. We run no Google Analytics, no ad pixels, and no third-party trackers. The only analytics we run is our own first-party attribution beacon (next bullet).
- First-party attribution beacon (consent-gated). On our own site we run
apex-beacon.js— the same crawl→click beacon we offer customers — to measure which AI search engines refer visitors to us. It stores a rotating first-party identifier inlocalStorageand sends a redacted IP (last octet masked); it is not cross-site and builds no ad profile. It stays dormant until you accept via the consent banner and never runs if your browser sends Do-Not-Track or Global Privacy Control.
4. Consent (EU, UK, South Africa, Brazil, others)
Every cookie listed above is either strictly necessary or a preference cookie that you control by interacting with the UI feature (theme switch, locale picker). Strictly necessary and security cookies are exempt from consent under ePrivacy Art. 5(3) ("strictly necessary for the provision of an information-society service explicitly requested by the subscriber or user"). Preference cookies are set in response to your explicit action (you change the theme; the theme cookie is set).
Our one non-essential technology — the first-party attribution beacon — is off by default and requires your explicit opt-in. A consent banner offers Accept / Decline; the beacon's rotating identifier is only stored, and the beacon only sends, after you Accept, satisfying GDPR Art. 6 + ePrivacy, UK PECR, POPIA s11 and LGPD Art. 7. Declining (or sending Do-Not-Track / Global Privacy Control) keeps it fully dormant, and your choice is remembered so the banner shows once.
5. How long cookies last
Each cookie's expiry is shown in the table above. Session cookies last only while your browser tab is open; persistent cookies last for the stated duration unless you delete them earlier. Refresh tokens get rotated on every sign-in, so an old token stops working as soon as you re-authenticate.
6. How to control cookies
- In your browser: every modern browser lets you block, delete, or be alerted about cookies. The settings live under Privacy / Security. Note that blocking strictly-necessary cookies will sign you out and break the dashboard.
- Preferences cookies (theme, locale): change the UI control that set the cookie (theme switch, locale picker). The cookie is overwritten with your new choice.
- Global Privacy Control (GPC) and Do Not Track (DNT): GPC and DNT are designed to opt out of cross-site tracking and non-essential cookies. We do not sell or share personal data (CCPA §1798.135) or participate in cross-site advertising, and our one non-essential technology — the first-party attribution beacon — honours these signals now: if your browser sends GPC or DNT, the beacon does not run and sets nothing, with no action needed from you.
7. Cross-border considerations
Cookies set on apexgeo.app are first-party and stored under our domain only. The platform is hosted across regions described in the Privacy Policy; cookie payloads themselves (mostly opaque tokens) move with your session.
8. Changes to this policy
When we add or remove a cookie, we update the table and the last-updated date. Material changes (e.g. introducing a new non-essential cookie that requires consent) trigger a re-prompt on your next visit.
9. Contact
Questions about cookies or this policy: [email protected]. See also the Privacy Policy for the broader picture of how we handle data and the Trust Center for our security posture.