Cookie Policy
This policy explains the cookies, browser storage, and analytics-related technologies Multiloop uses.
Plain English Summary
- Essential cookies keep sign-in, security, share access, and consent records working.
- Optional Multiloop analytics cookies are off until you accept analytics.
- Vercel Web Analytics runs in production for service measurement and is separate from the optional Multiloop analytics cookies listed below.
- No advertising or marketing pixel is loaded today.
1. Scope
This policy explains how Multiloop uses cookies and similar browser storage technologies, including localStorage. It should be read with our Privacy Policy.
2. Categories
Multiloop groups cookies and similar storage into three categories. You can change optional choices any time on the cookie preferences page.
- Essential: always on. Authentication, security, share access, app functionality, and the consent record itself. Without these the site does not work correctly.
- Analytics: optional and default off for Multiloop-set analytics cookies, first-party conversion records, and first-party funnel stitching. Used to understand product usage and improve reliability.
- Marketing: optional and default off. Reserved for future ad-platform pixels. Nothing is loaded today.
Browser storage for product preferences, drafts, UI state, and feature state is part of the essential category when it is needed for the in-product experience.
3. Cookies We Use
3.1 Essential Authentication, Security, and Access Cookies
These cookies are required for login, account security, protected access, and consent records.
| Cookie Name | Purpose | Duration | Category |
|---|---|---|---|
| sb-*-auth-token | Supabase auth session cookie or cookie family. | Session and/or provider-managed TTL. | Essential |
| sb-*-auth-token-code-verifier | PKCE authentication flow support. | Session. | Essential |
| trusted_device | Two-factor trusted-device state. | Up to 30 days. | Essential/Security |
| share_session_{shareCode} | Access state for password-protected share pages. | Up to 24 hours. | Essential/Security |
| ml_consent | Records your cookie category choices. | Up to 1 year. | Essential |
Exact Supabase cookie names and durations can vary by environment and provider behavior. Blocking essential cookies can break sign-in and protected access flows.
3.2 Optional Multiloop Analytics Cookies
These are set only after you choose Accept all in the cookie banner, save analytics as enabled in the preference center, or otherwise accept analytics. If analytics is rejected or revoked, these cookies are cleared where possible.
| Cookie Name | Purpose | Duration | Category |
|---|---|---|---|
| ml_attr | First-touch attribution snapshot, such as UTM source, medium, campaign, referrer host, and landing path. | Up to 30 days. | Analytics |
| ml_sid | Anonymous session id used to connect pre-account funnel steps and consent events. | Up to 180 days. | Analytics |
3.3 Production Web Analytics
We use Vercel Web Analytics in production for product and performance measurement. This is separate from the optional Multiloop analytics cookies above. Our wrapper removes query strings and hashes, suppresses auth callback pages, and replaces sensitive share codes with generic path labels before analytics events are sent.
Share-link analytics may also store pseudonymous event fields server-side, such as hashed viewer identifiers, referrer, and user-agent data.
3.4 Marketing Cookies
None today. If we add a third-party advertising pixel in the future, it will be loaded only after you accept the marketing category and it will be listed here.
4. Local Storage
We also use localStorage and similar browser storage for functionality and preference persistence.
| Key or Family | Purpose |
|---|---|
| theme | Theme and UI preferences. |
| feature/tutorial flags | Dismissal, onboarding, and feature state. |
| draft and UI cache keys | Client-side convenience state for app features. |
localStorage is stored in your browser profile on your device. Depending on feature behavior, stored state can affect later server interactions when you use the app.
5. Third Parties
Third-party providers used by the app or optional auth flows may set, read, or rely on technical cookies or storage in connection with service delivery.
- Supabase: authentication cookies and session handling
- Vercel: hosting, runtime, and Vercel Web Analytics in production
- Cloudflare: infrastructure, security processing, and Turnstile challenge processing on signup and waitlist forms
- Google: provider-managed cookies or storage if you choose Google auth flows
- Apple: provider-managed cookies or storage if you choose Apple auth flows
- Discord: provider-managed cookies or storage if you choose Discord auth or linking flows
Operational monitoring and incident-routing tooling such as Better Stack is handled server-side and does not currently add separate browser cookies through the app.
6. Managing Cookies
6.1 Preference Center
The fastest way to change optional Multiloop browser tracking choices is the cookie preferences page. You can accept or reject the analytics and marketing categories there at any time.
When you change preferences, we record an append-only audit row with the policy version and the categories you accepted. We do not store your IP address with this consent record.
6.2 Essential Cookies
Essential cookies cannot be disabled through Multiloop without losing core functionality. If you delete auth cookies, you will be logged out and may need to sign in again.
6.3 Browser Settings
You can also manage cookies in browser settings:
6.4 Clearing Local Storage
You can clear localStorage through browser developer tools or by clearing site data in browser privacy settings.
7. Updates to This Policy
We may update this policy as technologies or service behavior changes. Material changes will be communicated through appropriate notice mechanisms.
8. Contact
Questions about cookies or browser storage: privacy@multiloop.app or contact@multiloop.app.