VeloLog — Cookie Policy
Version 1.0 · Drafted [Date] · Takes effect [Date + 30 days]
This Cookie Policy explains how VeloLog uses cookies and similar technologies on the Platform (velolog.io and our official apps). It forms part of our Privacy Policy — please read both together.
1. What are cookies?
A cookie is a small text file stored on your device when you visit a website. Cookies let the site recognise you on later visits and remember preferences.
This Policy also covers similar technologies:
- Local Storage and Session Storage — browser storage similar to cookies but with a different API.
- Pixels and beacons — small tracking images. We don't use these.
- Fingerprinting — identifying a device by its configuration. We don't use this.
2. Categories we use
| Category | Loads by default? | Legal basis |
|---|---|---|
| Strictly necessary | Yes — the Platform doesn't work without them | Article 6(1)(b) GDPR (contract) and Recital 25 ePrivacy exemption |
| Functional | Only if you accept | Article 6(1)(a) GDPR (consent) |
| Analytics | Only if you accept | Article 6(1)(a) GDPR (consent) |
| Marketing | Not currently used | n/a |
3. Cookies we set
The table below lists every cookie and similar storage item we set, its purpose, duration, and category. We commit to keeping this list accurate — if it falls behind, please email privacy@velolog.io.
3.1. Strictly necessary
| Name | Set by | Purpose | Duration |
|---|---|---|---|
| sb-access-token | Supabase | Authenticated session | Session |
| sb-refresh-token | Supabase | Refreshes the access token | 30 days |
| csrf-token | VeloLog | Cross-site-request-forgery protection | Session |
| velog-locale | VeloLog | Language preference for the current page (so you don't see English when you've set German) | 1 year |
Local Storage items:
| Key | Purpose | Cleared when |
|---|---|---|
| velog:auth:state | Login state for the React app | Logout, browser clear |
| velog:onboarding:dismissed | Records that you've dismissed the onboarding tip | Browser clear |
| velog:cookie-consent | Your cookie-category choices (necessary so we don't re-prompt every page load — required to honour your consent decision) | When you reset cookie preferences from the footer |
Server-side state tokens (not cookies, but related). When you sign in with Google or Apple, we briefly store a single-use OAuth state token in our database (the oauth_states table) for up to 15 minutes to protect against CSRF attacks during the OAuth round-trip. The token is deleted as soon as the sign-in completes — no cookie is involved on your side, and the token contains no personal data of yours.
3.2. Functional (consent required)
| Name | Set by | Purpose | Duration |
|---|---|---|---|
| velog-theme | VeloLog | Light/dark theme preference | 1 year |
| velog-layout | VeloLog | Saved dashboard layout choices | 1 year |
3.3. Analytics (consent required)
| Name | Set by | Purpose | Duration |
|---|---|---|---|
| ph_${id}_posthog | PostHog (EU) | Anonymous session identifier and event collection | 1 year |
| ph_${id}_distinctid | PostHog (EU) | Pseudonymous identifier so we can join events from the same session | 1 year |
PostHog is configured to anonymise IP addresses (last octet stripped), to not record session replays (where the full page interaction is captured as a video), and to honour Do Not Track.
3.4. Marketing
We do not currently use marketing cookies. If we add any in future, we will:
- update this Policy at least 30 days before they go live;
- add the category to the consent banner;
- not load any until you explicitly opt in.
3.5. Third-party cookies set when you use integrations
Some third-party providers set their own cookies when you use a specific feature:
| Provider | When | What |
|---|---|---|
| Stripe | At checkout | Fraud-prevention cookies (e.g. __stripe_mid, __stripe_sid) — strictly necessary for payment processing |
| Strava | At OAuth authorisation | Strava's own cookies for the duration of the OAuth flow |
| Google / Apple | At OAuth sign-in | Their cookies for the sign-in flow |
| Cloudflare | On every request | __cf_bm for bot management — strictly necessary |
These cookies are governed by the third party's cookie policy, not ours.
4. Your choices
4.1. The consent banner
On your first visit (and on changes to the cookie set), a banner asks which categories you accept. You can:
- Accept all — all categories load.
- Accept strictly necessary only — functional/analytics don't load.
- Customise — choose category-by-category.
4.2. Changing your mind
Open Cookie Preferences in the footer at any time. Changes apply immediately. We re-prompt automatically if we add a new category.
4.3. Do Not Track
If your browser sends the DNT: 1 header, we treat it as a withdrawal of consent for analytics and marketing categories — even if you previously accepted them via the banner.
4.4. Browser-level controls
Most browsers let you block or clear cookies in settings. Blocking strictly-necessary cookies may break login and other Platform features. Common help pages:
5. Server-side analytics (no cookie required)
We collect minimal server-side analytics — request counts by route, response times, error rates — that do not require cookies and cannot be tied back to a specific user. This is processed under legitimate interest for operational purposes (Article 6(1)(f) GDPR) and described in §12.5 of our Privacy Policy.
6. Changes to this Policy
Material changes to the cookie set or this Policy will be communicated at least 30 days in advance. Non-material changes (typo fixes, clarifications) may be made without notice.
The version history is at velolog.io/legal/cookies-history.
7. Contact
Questions about cookies: privacy@velolog.io. Data Protection Officer: dpo@velolog.io.