1. What are cookies?

Cookies are small text files placed on your device (computer, smartphone, tablet) by a website you visit. They allow the site to recognise your device on subsequent visits, remember your preferences, keep you signed in and measure usage. We use the word "cookie" loosely in this policy to refer not only to HTTP cookies but also to the following functionally equivalent technologies:

Local and session storage: key-value stores in your browser that act like cookies but live longer and are not sent on every request.
IndexedDB: a structured client-side database we may use to cache responses for offline-friendly screens.
Pixels and beacons: tiny image or script references embedded in pages or emails that signal an event (page view, email opened) to a back-end.
Web fonts: font files loaded from third-party CDNs that may set their own cookies.
Device-fingerprinting techniques used by our anti-fraud and rate-limiting layers.

Cookies are either "first-party" (set by the domain you are visiting) or "third-party" (set by a different domain, typically a service provider we embed). They are also classified by lifetime: "session" cookies are deleted when you close your browser; "persistent" cookies survive until they expire or you delete them.

2. The categories of cookies we use

We group the cookies we use into four categories. The consent rules and your control options differ per category.

2.1 Strictly necessary cookies

These cookies are required for the Sites to work. Without them you could not sign in, your session could not be kept secure, and forms could not be submitted safely. We do not need your consent to use them, because they are necessary for the operation of the Service you have asked for. Switching them off in your browser will break parts of the Service.

2.2 Functional cookies

These cookies remember choices you make, such as your language, region, sidebar collapse state and dashboard preferences. Because they are not strictly necessary, we set them only with your consent under Article 5(3) of the ePrivacy Directive, through the functional category in our cookie banner. (Your cookie-consent decision itself is recorded in a strictly necessary cookie so that we can honour it without asking again.) Where a particular preference cookie is strictly necessary to deliver a feature you have actively asked for, we may set that one cookie without separate consent.

2.3 Performance and analytics cookies

These cookies help us understand how the Sites are used — aggregated, anonymous or pseudonymous metrics such as page views, time on page, navigation paths and feature adoption. We use them to fix issues, improve flows and prioritise features. They are set only where you have given consent through our cookie banner.

2.4 Marketing cookies

These cookies and pixels are set by our or third-party advertising partners to measure the effectiveness of marketing campaigns, build audience segments and serve relevant ads on other websites. They are set only where you have given consent through our cookie banner.

3. Inventory of cookies we use

The table below lists the cookies and similar technologies that the Sites may set. Where a provider is "third party", the cookie is set by that provider's own domain and its own policies apply in addition to ours. The exact list at any given moment depends on which features are enabled and which consent choices you have made; you can inspect what is actually set in your browser's developer tools (Application → Storage → Cookies).

3.1 Strictly necessary

Cookie	Provider	Purpose	Expires
__session	First party	Keeps you signed in after you authenticate.	14 days
csrf_token	First party	Protects form submissions and state-changing requests from cross-site request forgery.	Session
cookie_consent	First party	Stores your cookie-consent choices so we don't ask again on every page.	11 months
sb-* (Supabase)	Supabase Auth (first-party storage)	Authentication state for the underlying auth provider.	Up to 7 days
__cf_bm	Cloudflare (third party)	Bot-mitigation challenge issued by our CDN to distinguish humans from automated traffic.	30 minutes (rolling)
__stripe_mid, __stripe_sid	Stripe (third party)	Fraud-prevention identifiers used only on pages that load the Stripe payment form.	1 year / 30 minutes

3.2 Functional

Cookie	Provider	Purpose	Expires
ui_lang	First party	Remembers the language you selected.	12 months
ui_theme	First party	Remembers your light / dark mode preference.	12 months
dashboard_prefs	First party (local storage)	Stores your last selected category level, growth period and tab on the dashboard so it loads where you left off.	Until cleared
recent_categories	First party (local storage)	Remembers the categories you most recently drilled into so the breadcrumb suggests them.	30 days

3.3 Performance and analytics

Cookie	Provider	Purpose	Expires
_ga, _ga_*	Google Analytics (third party)	Distinguishes unique visitors and measures usage in aggregate.	Up to 2 years
_pk_*	Matomo / Plausible (third party)	Used where we have configured a privacy-friendly analytics provider as an alternative to Google Analytics.	Up to 13 months
sentry-*	Sentry (third party)	Identifies sessions and groups errors so we can fix bugs. We configure the integration to scrub personal data.	Session

3.4 Marketing

We do not currently run third-party advertising pixels by default. The partners below are examples of those we may engage when an advertising campaign is active; where no such campaign is configured, none of these cookies are set. Any partner we do activate is loaded only after you consent to the marketing category, and the live set is the one presented in the consent banner at that time.

Cookie	Provider	Purpose	Expires
_fbp	Meta (third party)	Measures conversions from Meta-served advertising.	3 months
li_at, BizoID	LinkedIn (third party)	Measures conversions from LinkedIn advertising and builds audience segments.	Up to 2 years
_gcl_au	Google Ads (third party)	Attributes conversions to Google Ads campaigns.	3 months

Marketing cookies are loaded only when you accept the marketing category in our consent banner. If you do not, no advertising script executes and no advertising cookie is set.

4. Legal basis

Strictly necessary cookies are exempt from the consent requirement under Article 5(3) of the EU ePrivacy Directive 2002/58/EC (as implemented by Lithuanian and other EU national law), because they are essential to provide the Service you have asked for. Every other category — functional, performance and analytics, and marketing, including all third-party cookies — is set only on the basis of your consent under Article 5(3). We do not set, read or fire any non-essential cookie, pixel or tag before you have given consent for its category.

Consent is requested through the cookie banner shown when you first visit the Sites, is granular per category, and is recorded together with its timestamp in the cookie_consent cookie so we can evidence and honour it. You can change or withdraw consent at any time as described in the next section; withdrawing consent stops the affected cookies being set going forward but does not by itself delete cookies already stored, which you can clear in your browser.

Separately, under some US state privacy laws our use of analytics and marketing cookies may amount to a "sale" or "sharing" of personal information. Your right to opt out of that activity, and how to exercise it (including via Global Privacy Control), is explained in Section 14 of our Privacy Policy.

5. How to manage cookies

5.1 In our cookie banner

The banner appears on your first visit and lets you accept all cookies, reject all non-essential cookies, or pick categories. You can reopen the banner at any time by clicking "Cookie settings" in the website footer and update your choices.

5.2 In your browser

All major browsers let you delete existing cookies and block new ones, either globally or per site. The exact path differs by browser:

Blocking or deleting strictly necessary cookies will break parts of the Sites. Blocking analytics or marketing cookies has no effect on the Service itself.

5.3 Browser-level signals

We honour the Global Privacy Control (GPC) signal where your browser sends one: receiving GPC has the same effect as you rejecting non-essential cookies in the consent banner. We do not rely on the deprecated Do Not Track header alone.

5.4 Opt-out tools

Industry-wide opt-out tools are available for advertising cookies:

6. Third-party recipients

Where a third-party cookie is set, the data collected by that cookie is shared with the named third party under their own terms and privacy policies. The third parties we may rely on, depending on configuration, include the providers listed in our Privacy Policy (Section 6.1). We require all third parties to commit contractually to appropriate security and data-protection safeguards before we embed their cookies.

7. International transfers

Some of our cookie providers operate from outside the European Economic Area, including the United States. Where this happens, the safeguards described in Section 7 of the Privacy Policy (adequacy decisions, Standard Contractual Clauses with supplementary measures, UK IDTA) apply to any personal data the cookie sends abroad.

8. Changes to this Cookie Policy

We may update this Cookie Policy as our use of cookies evolves — for example when we add or remove a third-party provider, or when we change the lifetime of a cookie. Material changes will be announced via the Sites or by email at least thirty (30) days before they take effect. The "Last updated" date at the top of this page shows the effective date of the current version.

9. Contact

Questions about cookies or this policy can be sent to privacy@trendskew.com.

Cookie Policy