Legal
Cookie Policy
Last updated: June 12, 2026
We validate other websites’ cookie behavior for a living, so we hold ourselves to the standard we audit: Consent Validator sets essential cookies only. No analytics trackers, no advertising cookies, no third-party tracking — which is also why you won’t see a consent banner here: none is needed for strictly necessary cookies.
1. Cookies we set
- Authentication session (Supabase,
sb-*) — keeps you signed in to your account. Set when you log in; removed when you sign out or the session expires. Strictly necessary. - OAuth security state (
ga4_oauth_state) — a short-lived (10-minute) anti-forgery token set only while you connect a Google Analytics account, to protect the OAuth flow against CSRF attacks. Strictly necessary, and only if you use that integration.
That is the complete list. We do not set analytics, preference, or advertising cookies on either the marketing site or the application.
2. Cookies on websites we scan
When you run a validation, our automated browser observes the cookies that the scanned website sets — that is the product. Those cookies exist only inside an isolated, disposable browser session on our scan infrastructure. They are never set on your device or on your visitors’ devices, and the session is destroyed when the scan completes. What we retain is the evidence: a record of which cookies the scanned site set in each consent state.
3. Managing cookies
You can clear or block cookies in your browser settings at any time. Because the only cookies we set are essential, blocking them will prevent sign-in and break the application — there is nothing optional to opt out of.
4. Changes
If we ever introduce non-essential cookies (for example, product analytics), we will update this page first, explain the purpose, and — where consent is required — ask for it before setting them. See also our privacy policy and terms of service.