Cookie Policy
Last updated: May 6, 2026 · v1.0
Companion to our Privacy Policy. Read it for the full picture of how we handle personal data.
What is a cookie?
A cookie is a small text file stored in your browser when you visit a site. We also use related local-storage and session-storage entries; for simplicity this policy refers to all of these as “cookies”. Cookies let us keep you signed in, protect your account from cross-site request forgery, and (where you opt in) understand product usage.
Your choice
The first time you visit DataRoom Snap from the EEA, UK, or Switzerland, our cookie banner asks you to consent on a per-category basis. Necessary cookies cannot be disabled because the application cannot operate without them. Analytics, Error reporting, and Marketing cookies are all opt-in and can be revoked at any time.
Two ways to update your choice:
- Use the “Cookie preferences” link in the footer of every page to re-open the banner.
- Visit /settings → Privacy — this is also where you can opt out of all non-essential processing globally on your account.
Every consent change is recorded in our consent log with a timestamp, the policy version, and the per-category booleans — so we have audit-ready evidence of lawful basis for every analytics and error-report event.
Necessary
Always on
Required for the application to function: authentication, CSRF protection, and gated share-link access. Cannot be turned off because the platform cannot operate without them. No consent required (legitimate interest under PECR / ePrivacy because they are strictly necessary for a service the user requested).
| Cookie | Purpose | Retention | Party |
|---|---|---|---|
| sb-<project>-auth-token | Supabase authentication session. Encodes the signed-in user and is rotated on refresh. | Session + 1 hour rolling refresh; cleared on sign-out | First-party |
| sb-<project>-auth-token.0 / .1 | Supabase auth token chunked when oversize. Same lifecycle and security flags as the parent cookie. | Session + 1 hour rolling refresh | First-party |
| __Host-csrf-token | CSRF protection on state-changing routes. Bound to the request origin via __Host- prefix. | Session | First-party |
| share-link-pin / share-link-otp | Records that a share-link recipient has cleared the PIN / OTP gate so they do not have to re-enter it on every page in the same session. | Session, max 24 hours | First-party |
| cookie-consent | Stores your cookie-banner choice (per-category booleans + version + timestamp) so we do not re-prompt on every visit. | 12 months, then re-prompted | First-party |
Analytics (PostHog)
Optional
Helps us understand which features are used and where users get stuck. Event payloads are scrubbed of document content and PII. Disabled by default for EEA / UK / Swiss visitors until explicit opt-in via the cookie banner.
| Cookie | Purpose | Retention | Party |
|---|---|---|---|
| __ph_<project> | PostHog distinct-id and session identifier. | 12 months | Third-party (PostHog Inc.) |
| __ph_<project>_session | PostHog session replay state (we do not enable session-replay payload capture in the dashboard; this cookie remains for session boundary detection). | 30 minutes (rolling) | Third-party (PostHog Inc.) |
Error reporting (Sentry)
Optional
Captures uncaught exceptions and stack traces so we can fix bugs. Document content and request bodies are scrubbed before transmission. Relies on legitimate interest; opt-out is available.
| Cookie | Purpose | Retention | Party |
|---|---|---|---|
| __sentry_session | Sentry session-id used to correlate multiple errors from the same browser session. | Session | Third-party (Functional Software, Inc. dba Sentry) |
| __sentry_replay | Sentry session-replay sampling state. Replay payload capture is configured off by default; this cookie remains for sampling decisions. | 24 hours | Third-party (Functional Software, Inc. dba Sentry) |
Marketing
Optional
Reserved category. DataRoom Snap does not currently set or allow third-party marketing cookies on the marketing site or in the dashboard. If we ever add an advertising or retargeting pixel, this category will be populated and you will be re-prompted for consent.
No cookies in this category at this time.
Browser-level controls
You can also block or delete cookies directly in your browser. Chrome, Edge, Firefox, Safari, and Brave all expose per-site cookie controls in their settings. If you block Necessary cookies, the application will not work — you will not be able to sign in, and share-links will repeatedly re-prompt for the PIN.
Changes to this policy
If we add a new category of cookie or a new third party, we update the policy version here and re-prompt you via the cookie banner on the next visit. Material changes are also flagged in our changelog at /trust.
Contact
Questions about cookies or any other data processing: dpo@dataroomsnap.com.