Cookie Policy
Last updated: April 8, 2026
1. Scope
This policy explains how Multiloop uses cookies and similar browser storage technologies.
2. Categories
Multiloop groups cookies and similar storage into three categories. You can change your choices any time on the cookie preferences page.
- Essential — always on. Authentication, security, and the consent record itself. Without these the site does not work.
- Analytics — optional, default off. First-party measurement only: anonymous session id, attribution capture, and our own conversion-event records. Used to understand how the site is used. No third-party analytics scripts.
- Marketing — optional, default off. Reserved for future ad-platform pixels. Nothing is loaded today. If you reject this category we will not load any marketing pixel later either.
We do not use advertising cookies today. Browser storage (for example localStorage) for product preferences and UI state is part of the essential category and is needed for the in-product experience.
3. Cookies We Use
3.1 Essential Authentication and Security Cookies
These cookies are required for core login, security, and protected-access flows.
| Cookie Name | Purpose | Duration | Category |
|---|---|---|---|
| sb-*-auth-token | Supabase auth session cookie(s) | Session and/or provider-managed TTL | Essential |
| sb-*-auth-token-code-verifier | PKCE auth flow support | Session | Essential |
| trusted_device | 2FA trusted-device state | Up to 30 days | Essential/Security |
| share_session_{shareCode} | Access state for password-protected share pages | Up to 24 hours | Essential/Security |
| ml_consent | Records your cookie preference choices | Up to 1 year | Essential |
Exact Supabase cookie names and durations can vary by environment/provider behavior. Blocking essential auth cookies can break sign-in and protected access flows.
3.2 Analytics Cookies
Set only after you choose Accept in the cookie banner or enable analytics on the preferences page. Without analytics consent these cookies are never written.
| Cookie Name | Purpose | Duration | Category |
|---|---|---|---|
| ml_attr | First-touch attribution snapshot (UTM source, medium, campaign, referrer host, landing path). First-party only. | Up to 30 days | Analytics |
| ml_sid | Anonymous session id used to correlate pre-account funnel steps. First-party only. | Up to 180 days | Analytics |
We also use Vercel Web Analytics for service measurement in production. This analytics tooling is configured for product and performance insights rather than advertising. It is intended to operate without advertising cookies. We may redact or suppress sensitive URLs before analytics events are sent. Share-link analytics may store pseudonymous event fields server-side.
3.3 Marketing Cookies
None today. If we add a third-party advertising pixel in the future (for example for measuring a Reddit ad campaign), it will be loaded only after you accept the marketing category, and it will be listed here.
4. Local Storage
We also use localStorage for functionality and preference persistence.
| Key | Purpose |
|---|---|
| theme | Theme and UI preferences |
| feature/tutorial flags | Dismissal and onboarding state |
| draft and UI cache keys | Client-side convenience state for app features |
localStorage is stored in your browser profile on your device. Depending on feature behavior, some stored state can drive server interactions when you use the app.
5. Third Parties
Third-party providers used by the app or optional auth flows may set or rely on essential technical cookies or storage in connection with service delivery.
- Supabase: authentication cookies and session handling
- Cloudflare/Vercel: infrastructure, security processing, and Vercel Web Analytics in production
- Discord: provider-managed cookies or storage if you choose Discord auth or linking flows
Operational monitoring and incident-routing tooling such as Better Stack is handled server-side and does not currently add separate browser cookies through the app.
6. Managing Cookies
6.1 Preference Center
The fastest way to change what Multiloop is allowed to do in your browser is the cookie preferences page. You can accept or reject the analytics and marketing categories there at any time. Revoking is the same single click as accepting.
When you change preferences here we record an append-only audit row with the version of this policy and the categories you accepted. We do not store your IP address with this record.
6.2 Essential Cookies
Essential cookies cannot be disabled without losing core functionality. If you delete auth cookies, you will be logged out and need to sign in again.
6.3 Browser Settings
You can also manage cookies in browser settings:
6.4 Clearing Local Storage
You can clear localStorage via browser developer tools or by clearing site data in browser privacy settings.
7. Updates to This Policy
We may update this policy as technologies or service behavior changes. Material changes will be communicated through appropriate notice mechanisms.
8. Contact
Questions about cookies or browser storage: privacy@multiloop.app or contact@multiloop.app