The short version
We use a tiny number of cookies and equivalent browser storage. None of them track you across other sites. Two categories:
- Necessary — required for the site to work (sign-in session, the consent record itself, security cookies). Always on; you can't disable these and still use the product.
- Measurement — privacy-respecting analytics so we know which pages help and which don't. You control these from the cookie banner or the Cookie preferences link in the footer (also linked below).
We do not use marketing or advertising cookies. There is no Google Analytics, no Meta pixel, no third-party ad SDK on this site.
What each category covers
Necessary cookies are set by us and cannot be turned off without breaking the product:
- Supabase auth session cookie — keeps you signed in to your report.
- CSRF / PKCE state cookies during sign-in flows.
- Cookie consent record itself (stored in localStorage so we don't re-prompt you every page load).
Measurement cookies are set by PostHog when you opt in:
- ph_* — PostHog session and distinct-id cookies. We use these to compute funnel completion rates, page-view counts, and section drop-off in aggregate. PostHog is configured to opt out by default; until you accept, no event fires.
How we decide whether to show the banner
The consent gate is jurisdictional:
- EU / UK visitors — banner shown; analytics paused until you accept (opt-in posture per GDPR / UK GDPR).
- US / rest-of-world visitors — banner not shown; analytics auto-accepts after 200ms (implicit-consent posture). You can still opt out any time via the Cookie preferences link.
- Browsers sending Global Privacy Control (GPC) — analytics stays off regardless of region. The GPC signal is a hard opt-out per CCPA/CPRA.
The Accept and Reject buttons on the banner have equal visual weight — no dark patterns.
Audit trail
Every consent decision (accept, reject, change) is recorded server-side: the categories chosen, the policy version in effect, the jurisdiction code, the GPC signal, and a hashed (not raw) user-agent + IP. We never store your raw user-agent or raw IP in this log. We use this trail to demonstrate compliance and to bump everyone to a fresh prompt if we materially change how cookies are used.
Change your mind any time
You can reopen the cookie preferences dialog any time via the Cookie preferences link in the footer.
Changes apply immediately — accepting fires PostHog opt-in for future events; rejecting opts out and resets the local PostHog state.
Other browser storage
Aside from the cookies above, we use localStorage for two non-tracking purposes: storing your consent decision so we don't re-prompt you on every page load, and saving questionnaire progress so you can resume an audit you started but didn't finish. Both are bound to your browser; we never read them server-side.
Contact
Cookie questions: mike@hellomavens.com