Cookie Policy

Last updated: May 13, 2026

This page explains what cookies and similar technologies Passd uses on passd.io, why, and how you can control them. For the broader picture of how we handle data, see the Privacy Policy.

1. The short version

Passd uses a small number of first-party cookies — cookies set by passd.io itself — to keep you signed in, remember your dark/light theme preference, and credit a friend who referred you. We do not use advertising cookies, do not embed third-party tracking pixels, and do not share information with ad networks.

We do use a privacy-respecting product-analytics processor (PostHog, US region) to record page-level events and a masked session replay. PostHog uses storage in your browser to function; details are in section 4 below.

2. Cookies we set on passd.io

Essential — needed for the Service to work

Cookie | Purpose | Lifetime
sb-access-token, sb-refresh-token | Sign-in session. Set by our authentication provider (Supabase) after you redeem a magic link. Without these you cannot stay signed in. | Session + 1 hour (access) / 30 days (refresh)

Preferences — remember choices you've made

Cookie | Purpose | Lifetime
passd-theme | Stores your dark/light mode preference so the page loads in the right theme. | 1 year

Referral — credit a friend who sent you

Cookie | Purpose | Lifetime
passd_ref | Set when you click a /r/<code> referral link. If you later subscribe, this is how we credit the friend who referred you with a free month. | 30 days

3. Local storage (not cookies, but worth disclosing)

We use your browser's localStorage for a few non-tracking conveniences:

  • Onboarding state — so closing the tab partway through doesn't lose your progress.
  • A small counter that caps error-toast volume per day so an error loop can't spam our analytics quota.

Nothing in localStorage is sent to any third party. Clearing your browser data clears these values.

4. Analytics — PostHog

PostHog is our product-analytics processor (PostHog Cloud, US region). It records:

  • Page-level events (page viewed, button clicked, feature used) so we can see which features are useful and which are confusing.
  • A session replay with full input masking. Every form field, every text node, and every image is masked at the recording layer before any bytes leave your browser. The replay shows page structure and click positions, not the words you type or the values you enter. Free-form input is masked permanently, no exceptions.

PostHog uses localStorage and a first-party cookie under passd.io to maintain a stable distinct ID for your browser. PostHog acts as our data processor under a written agreement; it does not have rights to use your information for its own purposes.

Opt out of analytics at any time. Visit passd.io/settings/privacy and click Delete my analytics data. We pass the request to PostHog within seconds; PostHog completes the deletion asynchronously, typically within 30 days. Your account, payments, and Passd Score are unaffected — that's a separate flow.

5. What we do not use

  • No advertising cookies — not Google Ads, not Meta Pixel, not TikTok Pixel, not any retargeting network.
  • No third-party tracking pixels embedded in pages or transactional emails.
  • No cross-site tracking of any kind.
  • No "share with our partners" cookies. We don't have partners we share data with.

6. How to control cookies

Every modern browser lets you block cookies, delete cookies, or limit them to first-party only. Here are the relevant settings for the major browsers:

  • Chrome: Settings → Privacy and security → Cookies and other site data.
  • Safari: Settings → Privacy → Manage Website Data.
  • Firefox: Settings → Privacy & Security → Cookies and Site Data.
  • Edge: Settings → Cookies and site permissions → Manage and delete cookies and site data.

Heads up: if you block essential cookies (the Supabase sign-in cookies), you will not be able to stay signed into Passd. The preference and referral cookies are optional — blocking them just means you'll see the page in default theme and we won't be able to credit a referrer if you arrived via a referral link.

7. Do Not Track

We honor the spirit of Do Not Track by default — we do not run cross-site advertising trackers regardless of any DNT header. There is no industry consensus on the technical handling of DNT, so we do not change behavior in response to the header itself.

8. Global Privacy Control (GPC)

For California residents, Passd recognizes the Global Privacy Control signal as a valid opt-out request for the sale or sharing of personal information. Because we do not sell or share personal information in the first place, the signal has no practical effect on our processing — but we register it the same as an explicit opt-out.

9. Changes to this policy

We may update this policy from time to time. Material changes will be reflected by the Last updated date at the top of this page and, for significant changes, communicated by email at least 14 days before taking effect.

10. Contact

Questions: support@passd.io.