ApexGEO

Legal

Cookie Policy

Last updated: · Effective immediately for new customers; existing customers see at least 30 days' notice before material changes via in-product banner and email.

This policy explains the cookies and similar technologies ApexGEO uses on apexgeo.app and the dashboard, what they're for, and how you can control them. We've designed our cookie footprint to be small — most of what we set is essential to keep you signed in, prevent CSRF, and remember your preferences. We don't use advertising cookies and we don't share data with ad networks.

1. What cookies are and what we use them for

A cookie is a small text file a website asks your browser to store, so the site can recognise you on later visits. "Similar technologies" includes localStorage, sessionStorage, IndexedDB, and pixel tags — for this policy we treat them all the same way.

We use cookies in four categories: strictly necessary (no consent required — without these the site doesn't work), security (also necessary — protect your session), preferences (remember your settings), and analytics (understand how the product is used in aggregate). The first two run by default. The second two run only after you give consent in regions that require it (EU/UK, certain Brazilian and South African contexts).

2. The full list

Every cookie we set on apexgeo.app and the dashboard, what it does, and how long it lasts. If we add or remove a cookie, this list and the last-updated date change.

NameCategoryPurposeRetentionParty
sb-<project-ref>-auth-tokenStrictly necessarySupabase auth token — keeps you signed in to the dashboard. The <project-ref> placeholder is replaced with the actual project ID at runtime; the cookie is HttpOnly and same-site.1 hour rolling refresh; cleared on sign out.First-party
sb-<project-ref>-auth-token-code-verifierStrictly necessaryPKCE verifier used during the OAuth sign-in flow to protect against authorization-code interception.Session; deleted after sign-in completes.First-party
__Host-csrf-tokenSecurityCSRF protection — confirms write requests originated from our UI, not a malicious page.Session; rotated on sign in.First-party
apex-themePreferencesRemembers your dashboard theme preference (dark default).1 year.First-party
NEXT_LOCALEPreferencesRemembers your locale preference for localised pages.1 year.First-party

3. What we do NOT use

  • No advertising or marketing cookies.We don't set or allow any third-party ad cookies, retargeting pixels, or cross-site tracking on apexgeo.app or the dashboard.
  • No data brokers, no ad-tech partners.We don't share device or browser identifiers with anyone in the advertising ecosystem.
  • No third-party analytics on the public marketing site today. If we add one (e.g. privacy-preserving analytics like Plausible or self-hosted analytics), this page updates and consent prompts kick in where required.

4. Consent (EU, UK, South Africa, Brazil, others)

Every cookie listed above is either strictly necessary or a preference cookie that you control by interacting with the UI feature (theme switch, locale picker). Strictly necessary and security cookies are exempt from consent under ePrivacy Art. 5(3) ("strictly necessary for the provision of an information-society service explicitly requested by the subscriber or user"). Preference cookies are set in response to your explicit action (you change the theme; the theme cookie is set).

Because we do not currently set any non-essential cookies (no analytics, no advertising, no third-party trackers), there is no consent banner on the site. When we add a non-essential cookie — e.g. privacy-preserving analytics — we will introduce a consent flow that satisfies GDPR Art. 6 + ePrivacy, UK PECR, POPIA s11 and LGPD Art. 7 before the cookie is set, and this policy will be updated to describe it.

5. How long cookies last

Each cookie's expiry is shown in the table above. Session cookies last only while your browser tab is open; persistent cookies last for the stated duration unless you delete them earlier. Refresh tokens get rotated on every sign-in, so an old token stops working as soon as you re-authenticate.

6. How to control cookies

  • In your browser: every modern browser lets you block, delete, or be alerted about cookies. The settings live under Privacy / Security. Note that blocking strictly-necessary cookies will sign you out and break the dashboard.
  • Preferences cookies (theme, locale): change the UI control that set the cookie (theme switch, locale picker). The cookie is overwritten with your new choice.
  • Global Privacy Control (GPC) and Do Not Track (DNT): GPC and DNT are designed to opt out of cross-site tracking and non-essential cookies. Because we do not currently set any non-essential cookies, do not sell or share personal data (CCPA §1798.135), and do not participate in cross-site advertising, GPC and DNT have nothing on apexgeo.app to opt out of today. When we add a non-essential cookie that would be in scope for these signals, we will honour them before that cookie is set and update this policy accordingly.

7. Cross-border considerations

Cookies set on apexgeo.app are first-party and stored under our domain only. The platform is hosted across regions described in the Privacy Policy; cookie payloads themselves (mostly opaque tokens) move with your session.

8. Changes to this policy

When we add or remove a cookie, we update the table and the last-updated date. Material changes (e.g. introducing a new non-essential cookie that requires consent) trigger a re-prompt on your next visit.

9. Contact

Questions about cookies or this policy: [email protected]. See also the Privacy Policy for the broader picture of how we handle data and the Trust Center for our security posture.

Questions about this policy?

Email [email protected] for privacy and data-protection questions, or [email protected] for terms and contract questions. We respond within 30 days as required by GDPR Art. 12 and POPIA s24; most questions land back the same week.

Related: Privacy Policy · Terms of Service · Cookie Policy · Trust Center