Note & Key

Cookie + Tracking Notice

Last updated May 12, 2026. Operated by Note & Key, based in Vancouver, British Columbia, Canada.

This page explains what we store on your device while you use Note & Key, and why. Short answer: only what's needed to keep you signed in, plus a few preferences you set yourself. We don't use cookies for advertising and we don't load third-party tracking SDKs.

What we DO use

  • Authentication cookies (essential). Set by Supabase Auth when you sign in and sent with your subsequent requests so we can identify you without asking you to log in on every page. Flagged HttpOnly (not readable by page scripts), Secure (sent over HTTPS only) and SameSite=Lax (not sent on most cross-site requests, though still on top-level navigations, which is one reason the CSRF token below is also needed). Cleared when you sign out, and expires after extended inactivity.
  • CSRF token cookie (essential). An unpredictable random value tied to your session. Server actions and form submissions must present a matching token, which a page on another site cannot obtain, so forged cross-site requests are rejected.
  • Theme + locale preferences (functional). Kept in localStorage on your device and never sent to our servers. Stores whether you've toggled dark mode, picked a language, or dismissed a one-time onboarding banner.
  • Capacitor secure storage (iOS / Android only). Used by the native shell to remember the OAuth refresh token after you grant Google Calendar consent. Encrypted by the OS keychain (iOS Keychain, Android Keystore). Cleared when you disconnect Google Calendar or sign out.
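The cookie posture described above (HttpOnly, Secure, SameSite=Lax) is something you can verify yourself from a response's Set-Cookie headers. The script below is an added example written for this notice, not code from Note & Key or Supabase. The cookie names and header values in it are constructed for illustration, and the parser is deliberately minimal: it does not handle quoted values or validate the Expires date format.

```python
"""Audit Set-Cookie headers for the HttpOnly / Secure / SameSite posture.

Added example, not Note & Key or Supabase code. SAMPLE_HEADERS is constructed;
to check a live site, pass the list of Set-Cookie headers from its response
(for example requests.get(url).raw.headers.getlist("Set-Cookie")).
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Cookie:
    name: str
    value: str
    # lower-cased attribute name -> attribute value, or True for flag attributes
    attrs: dict = field(default_factory=dict)


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value: name=value; Attr; Attr=val; ..."""
    pair, *rest = header.split(";")
    name, _, value = pair.strip().partition("=")
    attrs: dict = {}
    for part in rest:
        key, _, val = part.strip().partition("=")
        if key:
            attrs[key.lower()] = val if val else True
    return Cookie(name.strip(), value.strip(), attrs)


def audit(cookie: Cookie) -> list[str]:
    """Return findings for a session-style cookie; an empty list means it
    matches the claimed posture (HttpOnly, Secure, SameSite=Lax or Strict)."""
    findings = []
    if cookie.attrs.get("httponly") is not True:
        findings.append("missing HttpOnly (readable by page scripts)")
    if cookie.attrs.get("secure") is not True:
        findings.append("missing Secure (would be sent over plain HTTP)")
    samesite = str(cookie.attrs.get("samesite", "")).lower()
    if samesite not in ("lax", "strict"):
        # Unset SameSite is treated as Lax by Chromium-based browsers only,
        # so an explicit value is what we want to see; None disables it.
        findings.append(
            "SameSite is %s, expected Lax or Strict" % (samesite or "unset")
        )
    return findings


def audit_headers(headers: list[str]) -> dict[str, list[str]]:
    """Map each cookie name to its findings across a list of Set-Cookie headers."""
    return {c.name: audit(c) for c in map(parse_set_cookie, headers)}


# Constructed sample headers (hypothetical cookie names, not real values).
SAMPLE_HEADERS = [
    "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=3600",
    "tracker=42; Path=/; SameSite=None",
]

if __name__ == "__main__":
    for name, findings in audit_headers(SAMPLE_HEADERS).items():
        status = "ok" if not findings else "; ".join(findings)
        print(f"{name}: {status}")
```

Run it against a real response and every essential cookie should come back "ok"; any line that does not is a gap between what a notice like this claims and what the server actually sets.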

What we do NOT use

  • No Google Analytics, Mixpanel, Amplitude, Heap, Segment, or any other analytics SDK.
  • No Facebook Pixel, Google Ads conversion tracking, or any advertising network.
  • No session-replay tools (Hotjar, FullStory, LogRocket).
  • No fingerprinting libraries, device-graph services, or cross-site identifiers.
  • No third-party social-sharing widgets that phone home (e.g., Like buttons, embedded Twitter timelines).

Third-party cookies you may see

When you take certain actions, you're handed off to third parties who may set their own cookies on their domains (not ours):

  • Stripe Checkout — when a family pays an invoice by card, they're redirected to a Stripe-hosted page on checkout.stripe.com. Stripe sets cookies on its own domain for fraud detection. See Stripe's cookie policy.
  • Apple ID / Sign in with Apple (if used) — authentication happens on appleid.apple.com, which sets its own session cookies during the OAuth flow.
  • Google OAuth (when teachers connect Google Calendar) — authentication happens on accounts.google.com. Google sets its own session cookies during the OAuth flow.

These flows are short-lived. Once the handoff completes, you're back on noteandkey.app, where only the cookies and storage listed above are in use; the third party's cookies stay on its own domain and are never sent to ours.

Consent + choice

Because we only use essential / functional cookies, we don't show a cookie consent banner. Under most privacy laws (GDPR, ePrivacy Directive, PIPEDA, CCPA), consent is not required for cookies strictly necessary to deliver a service the user explicitly requested — which is all our cookies are.

If you want to limit cross-site tracking in general, your browser already lets you block third-party cookies, send Do Not Track, or use a private window. Our app works normally with any of those; in a private window you'll simply be signed out when you close it, since the browser discards its cookies and localStorage.

Mobile equivalents

On the iOS app:

  • App Tracking Transparency (ATT) — we do not call requestTrackingAuthorization because we do not track you across other apps or websites.
  • No IDFA collection. No IDFV used for tracking purposes.
  • No third-party analytics SDKs bundled with the app binary.

On Android (when shipped): same posture. No Google Advertising ID collection. No Firebase Analytics or equivalent.

Changes

If we ever add a non-essential cookie (analytics, A/B testing, etc.), we'll add an explicit consent banner before it loads — and update this page first.

Contact

Privacy questions: support@noteandkey.app.