We keep cookies to the minimum that the service genuinely needs. Each cookie below is documented with its purpose, scope, and retention. Anything we don’t list is not in use.
1. Strictly necessary
Required for sign-in, session continuity, and CSRF protection. Cannot be disabled — without them you cannot use the service.
- next-auth.session-token · session JWT · 15 minutes (refreshed on use).
- next-auth.csrf-token · CSRF guard · session.
- __Host-active-role · which role surface the multi-role user prefers · server-validated against the JWT effective set.
2. Functional
Set client-side; opt out at any time by clearing your browser storage. Disabling them downgrades the experience but does not block sign-in.
- theme · light / dark / system preference · 1 year.
- sidebar:state · collapsed-vs-expanded sidebar pick · 1 year.
3. Analytics
Disabled at MVP. If we introduce analytics, you will see an opt-in banner (EU/EEA visitors) or an interstitial notice (India) before any non-essential cookie is set. We do not use third-party advertising trackers.
4. Third-party
The payment provider you choose (Cashfree for INR plans, Stripe for international) sets its own cookies on its hosted-checkout domain when you pay. Each is governed by the respective provider’s cookie policy.
5. Your controls
- Browser settings — block or clear cookies per site at any time.
- Account deletion via /account/privacy revokes all server-side session tokens and removes functional preferences within 30 days.