Cookie Policy
Last updated: May 24, 2026
Plauditly uses minimal cookies — one for your sign-in session, none for tracking. This page explains the full picture, including how we honor browser-level privacy signals.
1. Strictly necessary cookies
These are required for Plauditly to function and are exempt from consent under the ePrivacy Directive Art. 5(3) and CCPA. We use:
- Auth session (Supabase). Keeps you signed in across pages. Set as HttpOnly, Secure, SameSite=Lax. Lifetime: up to 30 days idle, or until you sign out.
That's the entire essential-cookie list. No others are set by us on the first-party origin.
2. Third-party cookies on this site
During the Stripe Checkout or Stripe Customer Portal flows (linked from /billing), Stripe sets cookies on its own domain (checkout.stripe.com, billing.stripe.com). These are essential for the payment flow to work; full detail at stripe.com/cookie-settings.
No advertising cookies, no Google Analytics, no Mixpanel, no Facebook/Meta pixels, no LinkedIn Insight tag, no third-party chat widget cookies. The support chatbot is in-page React, not a third-party script.
3. Analytics (no cookies)
We use Vercel Web Analytics to count page views and basic referrer info in aggregate. It does not use cookies, doesn't store personal identifiers, and doesn't track individuals across sites. Because it sets no client-side identifier, no ePrivacy consent is required.
4. Local storage / session storage
- Chat widget state. The floating support chat keeps your in-progress conversation in sessionStorage so it survives page navigation within a single tab. Cleared when you close the tab. No personal data, no message log retained after.
- Dashboard preferences. If you change dashboard view options, the choice is saved to localStorage for your browser only — never sent to a server. Cleared when you clear browser site data.
5. Global Privacy Control (GPC)
We recognize and honor the Global Privacy Control (Sec-GPC: 1) browser signal as a valid opt-out of "sale" and "sharing" of personal information under applicable US state privacy law (currently California, Colorado, Connecticut, Texas, Minnesota, Maryland, Delaware, Oregon, Montana, Nebraska, New Hampshire, New Jersey, and additional states as their laws take effect).
Because Plauditly does not sell or share personal information in the first place, no behavior change is required to honor the signal. The proxy middleware reads the Sec-GPC: 1 header on every request and records it on a short-lived first-party cookie (pl-gpc) so the rest of the stack — including the support chatbot and analytics ingestion — can treat the visitor as having opted out of any future sale/share processing the moment such a feature exists. California, Colorado, and Connecticut residents are covered by the same plumbing.
6. Why there's no cookie banner
ePrivacy and GDPR require consent only for non-essential cookies. Plauditly doesn't set any non-essential cookies on first visit. That's why there's no consent banner — there's nothing to consent to beyond the strictly-necessary session cookie, which ePrivacy explicitly exempts.
If we ever introduce analytics or feature cookies that would require consent, we will add a compliant banner with a clear accept/reject choice (no dark patterns, no "legitimate interest" auto-allow) before doing so.
7. Controlling cookies
You can clear cookies and local/session storage from your browser settings at any time. Clearing the auth session cookie will sign you out of Plauditly.
8. Contact
Cookie questions: privacy@plauditly.app.