Cookie Policy
Status: Draft v1 — closed beta only. Pending solicitor review before public launch.
Last updated: 21 May 2026
This policy is companion to our Privacy Policy. It explains how we use cookies on DewBee.
What's a cookie
A cookie is a small text file stored on your device by your browser when you visit a site. We use cookies only where they're necessary to keep our service working, or — when you've explicitly accepted — for analytics.
Cookies we use today
All cookies in this slice are strictly necessary under PECR. We do not require explicit consent for them, but we list them here for transparency.
| Cookie | Set by | Purpose | Lifetime |
|---|---|---|---|
| sb-<project>-auth-token | Supabase | Maintains your authenticated session after sign-in. httpOnly, Secure, SameSite=Lax. | 7 days from last sign-in |
| sb-<project>-auth-token-code-verifier | Supabase | Used during magic-link sign-in to bind the client to the OTP exchange. Mitigates auth code interception. | ~5 minutes (single sign-in attempt) |
These cookies are first-party (set by our domain). They contain only your authenticated session reference and cryptographic data needed to verify the session. They do not track you across sites; they do not contain your email or other PII directly.
Analytics (when you accept)
Vercel Web Analytics is enabled by default — it is cookieless and stores no identifier on your device. It collects only aggregate traffic shape (page views, referrer, device class, country) with no cross-site tracking.
Google Analytics 4 fires only after you click "Accept" on the consent banner. Until then, GA4 receives no measurable data about your visit. When accepted, GA4 sets the following cookies:
| Cookie | Set by | Purpose | Lifetime |
|---|---|---|---|
| _ga | Google Analytics | Distinguishes unique visitors | 13 months |
| ga<container-id> | Google Analytics | Persists session state for the measurement property | 13 months |
We have configured GA4 with IP anonymisation enabled, Google Signals OFF, and granular location/device collection OFF. Data retention is 14 months.
What we don't use
- No marketing cookies. No retargeting pixels (Facebook, LinkedIn, X / Twitter).
- No tag managers (GTM) loading third-party scripts.
- No advertising or behavioural-targeting SDKs.
Your choices
You can change your consent at any time:
- Open this page (/legal/cookies) and use the "Change cookie settings" link below
- Clear our cookies via your browser settings (this also signs you out)
- Decline analytics on first visit by clicking "Essential only" in the banner
You can clear cookies at any time via your browser settings. Doing so will sign you out and reset your analytics-consent choice (you'll see the banner again).
Do Not Track
We do not honour the obsolete Do Not Track header because the consent banner gives you a clearer, opt-in choice. If you decline analytics on the banner, no analytics cookies are set.
Re-prompt
We will ask you to renew your consent choice every 13 months, per ICO guidance.
Changes to this policy
If we add new cookies, we will:
- Update this policy at least 14 days before the change takes effect
- Re-prompt you via the consent banner so you can review the new categories
- Email closed-beta participants notifying them of the change
Contact
Disclaimer
This Cookie Policy is a draft prepared by the founder for the closed-beta deployment of DewBee. It has not yet been reviewed by qualified legal counsel. Before any public launch, this policy must be reviewed and updated by a qualified solicitor familiar with PECR, ICO Cookies Guidance, and the EU ePrivacy framework. It is not legal advice; it is a working draft.