Cookie Policy

(1) Auth cookie: stores your Supabase session token so you stay logged in. HttpOnly, Secure, SameSite=Lax, 7-day expiry, rotated per Supabase settings.

(2) Locale preference: remembers whether you picked zh-TW or en. 1-year expiry.

(3) CSRF token: protects against cross-site request forgery. Cleared at session end.

All of the above are strictly necessary; disabling them will prevent the service from functioning.

No Google Analytics, no Facebook Pixel, no ad tracking, no cross-site marketing tags, no behavioral SDKs.

If we later introduce a privacy-respecting analytics tool (e.g., Plausible or a self-hosted Umami), we'll update this page and notify you.

The following services may set cookies in their own domains: (a) Supabase (session cookie on login), (b) Vercel (edge cache identifiers, no PII), (c) Lemon Squeezy (on checkout pages, under their policy).

We do not embed third-party ad cookies.

You can clear or block cookies in your browser settings, but blocking the auth cookie will make login impossible.

We do not display a consent banner — because we only use strictly necessary cookies, no opt-in is required under GDPR or Taiwan PDPA. If we ever add non-essential cookies, we'll ask first.

Questions about cookies or privacy: privacy@usecontractcheck.com.