Cookie Policy

Cookies & local storage

Decoder is privacy-first. It uses only strictly necessary and functional storage to keep you signed in and remember your preferences. No analytics, no marketing, no profiling, no third-party tracking.

Why there is no cookie banner

Under EU ePrivacy and GDPR guidance, strictly necessary and purely functional storage tied to a feature you explicitly use does not require prior consent. We do not load any non-essential trackers, so a consent banner would be unnecessary friction.

What we actually store

The full list of cookies and browser storage used by Decoder:

Name	Purpose	Storage	Retention
sb-* (Supabase auth)	Keeps you signed in securely	Cookie / localStorage	Until sign-out or token expiry
i18nextLng	Remembers your interface language	localStorage	Until you clear browser data
theme	Remembers dark / light preference	localStorage	Until you clear browser data
decoder.disclaimer.acceptedAt	Records that you saw the sign-in disclaimer	localStorage	Until you clear browser data
user_acknowledgements	Stores your BYOK and onboarding acknowledgement	Server database (your account)	Until you delete your account or the acknowledgement

What we do NOT use

Decoder does not load any of the following:

Analytics tools (Google Analytics, Plausible, Vercel Analytics, PostHog, Mixpanel, Amplitude, Segment, …)
Marketing or advertising cookies and remarketing tags
Heatmaps or session recording (Hotjar, FullStory, …)
Third-party pixels (Meta Pixel, LinkedIn Insight, Google Tag Manager, …)

Third-party calls

When you analyze code, requests may be sent to the AI provider you explicitly configure (BYOK) or to a local model you run yourself. Those providers have their own policies. See the Data Flow page for details.

How to clear or withdraw

You can sign out at any time, clear your browser storage, or delete your account and acknowledgements from Settings. Removing an API key stops future calls to that provider.

Privacy Data flow Terms

Last updated: 2026-06-07