1. What are cookies?
Cookies are small text files stored on your device when you visit a website. They let the site remember your actions and preferences (e.g. staying signed in, theme choice) and let us understand how the Service is used so we can improve it.
We also use similar technologies (localStorage, sessionStorage, server-set tokens) for the same purposes. In this Policy "cookies" refers to all of those.
2. Categories of cookies we use
We categorise cookies in line with the EU ePrivacy Directive, the UK PECR, and the IAB TCF v2.2 framework:
| Category | Required? | Purpose | Example |
|---|---|---|---|
| Strictly necessary | Yes — cannot be disabled | Authentication, security (CSRF), load balancing, payment session | sb-access-token, sb-refresh-token (Supabase auth); csrf-token |
| Preferences | No — set after a choice | Remember theme, language, dismissed onboarding, cookie consent record | spoolio.cookie-consent.v1; spoolio.theme |
| Analytics | Consent required | Aggregate usage analytics to understand which features matter | Plausible / PostHog (anonymised); error monitoring (Sentry, scrubbed) |
| Marketing | Consent required | Conversion measurement for Spoolio's own ads on Meta / Google / TikTok / LinkedIn | _fbp (Meta), gcl_au (Google Ads); set only when consent is given |
3. Manage your preferences
You can manage your cookie preferences in three ways:
- Through the cookie banner shown on your first visit (and on return visits if you have not yet recorded a choice).
- From Settings → Privacy at any time once signed in.
- From your browser settings. You can block cookies, delete them, or have the browser notify you when one is set. Note that blocking strictly-necessary cookies will break sign-in and the Service will not function.
Your choice is recorded for 12 months. After that we will ask you again. We respect Global Privacy Control (GPC) headers as a valid opt-out signal for sale/share where applicable.
4. Third-party cookies
We embed certain third-party services that may set their own cookies under their own privacy policies:
- Stripe — payment session + fraud prevention (strictly necessary while you're in checkout).
- Cloudflare — security + bot protection at the edge (strictly necessary).
- Analytics provider — only if you consent.
- Marketing pixels (Meta, Google, TikTok, LinkedIn) — only if you consent.
5. Do Not Track + Global Privacy Control
We recognise Global Privacy Control (GPC) signals as a valid opt-out from sale/share of personal data under CCPA/CPRA and equivalents. When we detect GPC we record the opt-out for your session and (where you are signed in) against your account.
We do not currently respond to legacy Do Not Track (DNT) headers, which were never formalised into a consistent standard.
6. Changes
We may update this Policy as our cookie usage evolves. The effective date above tracks the current version. Material changes will be communicated by in-product notice.
7. Contact
Questions about cookies: privacy@spoolio.ai.
Disclaimer. This policy is comprehensive but is subject to external counsel review before launch. It reflects Spoolio's intended operating practices as of May 10, 2026. For binding interpretation in any jurisdiction, please consult qualified legal counsel. Material changes will be versioned and announced via in-product notice and email at least 30 days before they take effect.
Questions about this policy: legal@spoolio.ai. Data-protection matters: privacy@spoolio.ai. EU/UK DPO: dpo@spoolio.ai.