Cookie Policy

Last updated: April 17, 2026

This page explains the cookies and similar local-storage technologies Chatalott uses. We keep the list short on purpose — we don't run third-party ad trackers and we don't sell data to anyone.

What is a cookie?

A cookie is a small text file a website stores in your browser. We also use related technologies like localStorage and sessionStorage. For the purposes of this policy, “cookies” refers to all of them.

Categories we use

Strictly necessary. Required to run the platform. If you block these the site breaks. Examples:

  • chatalott_session — your signed session JWT, HTTP-only, expires in 7 days. Without it you can't stay logged in.
  • __Host-csrf — cross-site request forgery token for state-changing form submissions.
  • Redis-backed rate-limit counters keyed on your IP and email to resist brute-force login attacks.

Functional. Remember your preferences so the UI behaves the way you left it. Not required, but turning them off makes the app feel forgetful. Examples:

  • Onboarding progress, sidebar collapsed state, selected vault view.
  • Cookie-banner dismissal flag (so we don't show it on every page).

Analytics. Anonymized usage telemetry through Vercel Analytics so we can tell what's working. No cross-site tracking, no user profiles, no ad targeting.

Marketing / advertising. None. We don't run Facebook Pixel, Google Ads tags, LinkedIn Insight, or any similar ad-tech. Our growth is paid-product + word-of-mouth.

Third-party cookies

A handful of embedded third parties set their own cookies when you interact with specific features:

  • Stripe — when you reach a checkout or billing page, Stripe's fraud-prevention scripts set cookies to secure the payment session. See Stripe's Cookie Policy.
  • Google — if you connect Google Calendar or sign in with Google, Google sets its own authentication cookies.
  • Vercel — our hosting provider sets a short-lived cookie to route requests to the correct edge region. It contains no user-identifying data.

How to control cookies

Browser controls. All modern browsers let you clear cookies, block them, or set per-site rules. Blocking strictly necessary cookies will log you out and break forms — this is a limit of how HTTP works, not something we choose.

Analytics opt-out. You can disable Vercel Analytics in your browser with the “Do Not Track” header. We honor DNT even though the standard was never formalized.

Cookie banner. On your first visit you'll see a banner asking for your choice. You can revisit it any time by clearing chatalott_cookie_consent from localStorage.

Updates to this policy

If we change the cookies we use we'll update this page and the “Last updated” date at the top. If the change is material (e.g. we start using an analytics provider that wasn't listed here) we'll re-prompt for consent.

Questions?

Email us at support@chatalott.com