Cookie Policy
Last updated: April 15, 2026 · Version 2.0.0
This Cookie Policy explains how PromptAssay uses cookies and similar technologies when you visit our website or use the Service. It supplements our Privacy Policy, which describes more broadly how we handle your data.
What cookies are
A cookie is a small text file that a website places on your device to remember information about you between page loads. Similar technologies — local storage, session storage, HMAC-signed tokens — serve similar purposes. In this policy we use "cookie" as shorthand for all of them.
Cookies we use
PromptAssay uses only first-party cookies. We do not load third-party advertising tags, analytics pixels, or behavioral tracking scripts.
| Cookie | Category | Purpose | Duration | Flags |
|---|---|---|---|---|
| sb-access-token | Essential | Authenticates your session with the Supabase Auth service; required to be logged in. | ~1 hour | HttpOnly, Secure, SameSite=Lax |
| sb-refresh-token | Essential | Refreshes your session so you don't have to log in constantly; required to stay logged in. | Up to 7 days (rolling) | HttpOnly, Secure, SameSite=Lax |
| active_org_id | Essential | Remembers which workspace you are viewing. HMAC-signed and bound to your user so a different user's cookie cannot be replayed. | 30 days | Secure, SameSite=Lax |
| pa_impersonation | Essential | Platform administrator use only. Marks an active impersonation session for customer support and enforces the impersonation guards described in our Privacy Policy. | 60 minutes | Secure, SameSite=Lax |
| cookie_consent | Essential | Stores your consent preferences (essential / analytics / marketing categories) so the banner is not shown again and so the Service knows which non-essential cookies it may set. HMAC-signed so it cannot be tampered with client-side. | 12 months | Secure, SameSite=Lax |
| pa_visitor_id | Essential | An anonymous identifier used to attribute a consent choice to a visitor before they have an account. HMAC-signed. Does not contain personal data and is not shared with any third party. | 12 months | Secure, SameSite=Lax |
Analytics cookies
None at this time. We do not load Google Analytics, PostHog, Mixpanel, Amplitude, Plausible, or any similar client-side analytics tool. If we ever introduce one, it will fall under the "Analytics" category in the consent banner, will be strictly opt-in, and this policy will be updated before it is loaded.
We do record first-party product events server-side (for example: prompt created, version created, critique requested, playground run) in our own database. These events do not involve cookies on your device, do not include the content of your prompts or outputs, and are retained for 90 days. They are used to operate the Service (quota counting, dashboards, debugging) and are not considered cookies for the purpose of this policy. See the Privacy Policy for details.
Marketing cookies
None at this time. We do not run advertising, do not retarget, and do not load tracking pixels from advertising platforms. If this changes, the banner "Marketing" category will apply and this policy will be updated.
How to manage cookies
In the Service. When analytics or marketing cookies become available, you can change your preferences in the consent banner; clearing your site data in your browser will cause the banner to reappear on your next visit.
In your browser. All major browsers allow you to block or delete cookies. If you block essential cookies, you will not be able to log in or use the Service. Instructions vary by browser:
- Chrome: Settings → Privacy and security → Cookies and other site data
- Firefox: Settings → Privacy & Security → Cookies and Site Data
- Safari: Settings → Privacy → Manage Website Data
- Edge: Settings → Cookies and site permissions
Do Not Track. Most browsers include a "Do Not Track" signal. Because there is no industry consensus on how to interpret DNT, we do not currently respond to DNT signals, but we also do not engage in the kind of cross-site tracking that the DNT signal is designed to limit.
Global Privacy Control. We honor the Global Privacy Control "Sec-GPC" signal as a valid opt-out under CCPA/CPRA for any future advertising cookies; today we do not set any advertising cookies, so there is nothing to opt out of.
Changes
If we change the cookies we use, we will update this policy and the "Last updated" date at the top. Introducing any non-essential cookie category (analytics or marketing) will trigger a renewed consent prompt before the cookie is set.
Contact
Questions about cookies: privacy@promptassay.ai.
See also: Privacy Policy · Terms of Service · Acceptable Use Policy · Data Processing Addendum.