Preppy — Cookie Policy
Last updated: 2026-04-28 Version: 1.0 (pre-launch)
This Cookie Policy explains what cookies and similar technologies Preppy uses on trypreppy.com, why we use them, and how you can control them. It supplements our Privacy Policy.
1. What are cookies and similar technologies?
Cookies are small text files that a website places on your device. We also use:
- Local storage and sessionStorage — key–value pairs stored in your browser.
- IndexedDB (via the Dexie library) — a larger on-device database for offline caches and draft meal plans.
- Pixels and SDK events — only in the context of analytics (PostHog), after you consent.
For simplicity, we refer to all of these as "cookies" below.
2. Your choices
When you first visit Preppy, a cookie banner asks for your consent to non-essential cookies.
- Strictly necessary cookies are set without consent because the Service cannot function without them.
- Analytics cookies are set only if you accept them. You can change your mind at any time:
  - re-open the banner from the footer link "Cookie preferences", or
  - clear cookies in your browser settings.
Withdrawing consent does not affect past lawful processing.
3. Categories of cookies we use
3.1 Strictly necessary
Used to run the Service, keep you signed in, and secure your session. These cannot be disabled.
| Name | Provider | Purpose | Duration |
|---|---|---|---|
| sb-access-token | Supabase (first-party) | Authentication token | Session / up to 1 hour |
| sb-refresh-token | Supabase (first-party) | Keeps you signed in across sessions | 30 days |
| sb-[project-ref]-auth-token | Supabase (first-party) | Auth-session container | 30 days |
| preppy-cookie-consent | Preppy (first-party) | Records your cookie-banner choice | 12 months |
| next-auth.csrf-token or equivalent | Preppy (first-party) | CSRF protection | Session |
| __cf_bm, cf_clearance | Cloudflare | Bot protection, DDoS mitigation | 30 min – 1 year |
3.2 Preferences (first-party local storage)
Stored locally in your browser — not transmitted to our servers.
| Key | Purpose | Duration |
|---|---|---|
| theme (via next-themes) | Light/dark/system preference | Persistent |
| Dexie databases (e.g. preppy-offline) | Offline caches for meal plans, recipes | Persistent until cleared |
| preppy-locale | Language preference (next-intl) | Persistent |
3.3 Analytics (only after consent)
We use PostHog for product analytics. Cookies are set only if you accept analytics in the banner.
| Name | Provider | Purpose | Duration |
|---|---|---|---|
| ph_[project-key]_posthog | PostHog | Distinct user/session identifier for analytics | 365 days |
| __ph_opt_in_out_[project-key] | PostHog | Records your analytics opt-in / opt-out choice | Persistent |
| ph_* localStorage keys (feature-flag cache, etc.) | PostHog | Cache feature-flag values + auxiliary analytics state | Persistent until cleared |
We do not use advertising cookies. We do not fingerprint devices.
3.4 Error monitoring
Sentry error monitoring does not set persistent cookies by default. It may attach a short-lived transaction ID to error reports; IP addresses in error reports are truncated where feasible. This runs under our legitimate interest in a reliable service (see Privacy Policy §4).
4. Third-party services that may set their own cookies
If you choose to sign in with Google, Google may set cookies on the Google domain during the OAuth flow. This is governed by Google's privacy policy.
Google Fit and other optional integrations rely on OAuth; no persistent Fit cookies are set on the Preppy domain.
5. How to manage cookies in your browser
Most browsers let you block or delete cookies:
- Chrome: Settings → Privacy and security → Cookies and other site data.
- Firefox: Settings → Privacy & Security → Cookies and Site Data.
- Safari: Settings → Privacy → Manage Website Data.
- Edge: Settings → Cookies and site permissions.
Blocking strictly necessary cookies will break sign-in and other core features.
6. Do Not Track and Global Privacy Control
We honour the Global Privacy Control (GPC) signal as a withdrawal of consent for non-essential cookies. We do not currently respond to legacy "Do Not Track" browser headers because there is no industry standard for their interpretation.
7. Changes
We may update this Cookie Policy when we add, change, or remove cookies. Material changes will be flagged on the banner. Check the Last updated date at the top.
8. Contact
Questions? Email privacy@trypreppy.com.