Cookie Policy

How we use cookies and similar technologies on our website and platform.


Posted: May 16, 2026

1. About this Policy

This Cookie & Similar Technologies Policy ("Policy") explains how White Shoe AI, Inc. ("White Shoe AI," "we," "us," or "our") uses cookies, local-storage objects, web beacons, and comparable technologies (collectively, "cookies") when you visit whiteshoe.ai or any website that links to this Policy (the "Site"). It should be read together with our Privacy Policy at www.whiteshoe.ai/legal/privacy. Capitalized terms not defined here have the meaning given in that Privacy Policy.

Under the EU ePrivacy Directive, the UK Privacy and Electronic Communications Regulations (PECR), the GDPR, CCPA/CPRA, and other applicable laws, we must (i) inform you about the cookies we set, (ii) explain why we use them, and (iii) obtain your consent for any cookies that are not strictly necessary.

2. What are cookies?

Cookies are small text files placed on your device (computer, phone, tablet) when you visit a website. They allow the site to recognize your device and store information such as user preferences or authentication tokens. Related technologies—HTML5 Local Storage, Session Storage, web beacons, pixels, and SDKs—operate in a similar way, and for simplicity we refer to them here as "cookies."

3. Why we use cookies

We use cookies for the following purposes:

| Category | Purpose | Legal basis (GDPR) | Do they require consent? |
|---|---|---|---|
| Strictly Necessary | • Authenticate you and keep you logged in • Maintain session security and load balancing • Capture application errors so we can keep the service running • Enable core Site features | Art. 6 (1)(b) – contract performance; Art. 6 (1)(f) – legitimate interest (error capture) | No. These cookies and data are required for the Site to function reliably. |
| Functional | • Remember your theme/display preference • Remember banners or notices you have dismissed • Preserve campaign attribution data (UTM parameters) across the session so signups are credited correctly | Art. 6 (1)(a) – consent | Yes. Pre-selected as on; you can turn off in our consent banner. |
| Analytics | • Reproduce product bugs via Sentry Session Replay on a 10% sample of sessions (text masked, media blocked) | Art. 6 (1)(a) – consent | Yes. Loaded only after you accept analytics cookies. |
| Marketing | • Measure the effectiveness of our Google Ads campaigns • Identify which companies visit our Site (Apollo.io B2B visitor tracking) so we can prioritize outreach | Art. 6 (1)(a) – consent | Yes. Loaded only after you accept marketing cookies in our consent banner. |

We do not deploy social-media tracking cookies on our domain. If we add new categories in the future, we will (a) update this Policy, and (b) ask for your prior consent via the consent banner.

4. Cookies we set

| Cookie / Storage Key | Provider | First or third party | Typical duration | Purpose |
|---|---|---|---|---|
| sb-access-token | White Shoe AI / Supabase | First-party | Session (expires on sign-out or 60 minutes of inactivity; refreshed silently) | JWT used to verify your identity for API requests. |
| sb-refresh-token | White Shoe AI / Supabase | First-party | 7 days* | Refreshes the access token so you stay signed in. |
| supabase.auth.token (Local Storage) | White Shoe AI / Supabase | First-party | Until manual deletion / sign-out | Stores the same access & refresh tokens in encrypted form to persist login across browser restarts. |
| _vercel_experimental_csrf (if present) | Vercel | First-party | 30 minutes | Protects forms & APIs from CSRF attacks. |
| ws_cc_consent | White Shoe AI | First-party | 6 months | Stores your cookie consent choice and an audit timestamp. |
| theme (Local Storage) | White Shoe AI (next-themes) | First-party | Until manual deletion | Functional. Remembers your light/dark theme choice across visits. |
| legal-banner-dismissed (Local Storage) | White Shoe AI | First-party | Until manual deletion | Functional. Remembers that you dismissed our informational legal banner so we don't re-show it. |
| campaign_data (Session Storage) | White Shoe AI | First-party | Browser session (cleared when tab closes) | Functional. Stores UTM parameters and referrer from your landing URL so we can credit the correct campaign if you sign up later. |
| _gcl_au, _gcl_aw, _gac_* | Google Ads | Third-party (loaded only with consent) | Up to 90 days | Attributes signups to our paid ad campaigns for conversion measurement. |
| __apollo_*, apollo_* | Apollo.io | Third-party (loaded only with consent) | Up to 1 year | Identifies the company associated with a visit (via reverse IP) so our sales team can prioritize outreach. |
| Sentry Session Replay (sessionStorage) | Sentry (Functional Software, Inc.) | Third-party (loaded only with analytics consent) | Session | Records a masked replay of ~10% of sessions so engineers can reproduce bugs. All text is masked and media is blocked. Sentry error capture (without replay) runs as strictly necessary for service reliability. |

* Exact lifetimes are determined by our Supabase security settings and may change as we tighten or extend session limits.

5. Third-party cookies we do not set but you may encounter

| Scenario | Who sets them | Where & why |
|---|---|---|
| Payment checkout & billing portal | Stripe | Cookies load only on Stripe's own domains (checkout.stripe.com, billing.stripe.com). They handle fraud prevention, session continuity, and payment security. See Stripe's Cookie Policy for details. |
| Linked pages or embeds | Other providers | If we embed third-party content (e.g., Loom videos, Calendly forms) those providers may set their own cookies the moment you interact with the embed. Their policies will apply. |

6. Server-side consent record

When you make a consent choice in our banner (Accept all, Reject all, or a custom selection via Manage preferences), we record a short audit entry in our database in addition to the ws_cc_consent cookie on your browser. Each entry contains: the consent ID generated by your browser, the categories and services you accepted, the policy revision, a one-way HMAC-hash of your IP address (we never store your raw IP), your approximate country derived from CDN headers, the user-agent string, the page URL where the choice was made, the consent revision number, and a timestamp.

We keep this audit record so we can demonstrate, if asked by you or a regulator, that you provided valid consent (or that you opted out). The hash salt rotates periodically, which means older entries cannot be linked back to a specific IP. The record is not used for any other purpose and is never shared with marketing partners.

7. Managing your cookie preferences

You can change or withdraw your consent at any time using the button below. Our strictly-necessary cookies are required for the Site to function and cannot be disabled in-product, but you can clear them via your browser.

  1. Browser controls
    Most browsers let you delete or block cookies entirely or per-site:
    • Chrome: Settings → Privacy & Security → Cookies and other site data
    • Firefox: Settings → Privacy & Security → Cookies and Site Data
    • Safari: Settings → Advanced → Website Data
    • Edge: Settings → Cookies and site permissions
      Blocking our essential cookies will log you out and may prevent the Service from working.
  2. Clear local-storage data
    Use your browser's developer tools → Application/Storage tab to remove specific Local Storage keys (e.g., supabase.auth.token) or clear all site data.
  3. Stripe or other third parties
    Stripe and other providers offer their own opt-out choices through their cookie banners or account-settings pages.

8. Global Privacy Control and Do-Not-Track signals

We honor the Global Privacy Control (GPC) browser signal as a default opt-out of analytics and marketing cookies under the CCPA/CPRA. If your browser sends GPC (either via the Sec-GPC request header or the navigator.globalPrivacyControl JavaScript property), we suppress the consent banner's auto-display and record an opt-out as your default state. You can still affirmatively opt in to any category at any time via the Manage cookie preferences button above.

We do not currently honor the older “Do Not Track” (DNT) header because the standard is ambiguous and was withdrawn by the W3C; GPC has clearer legal recognition and we treat it as the modern equivalent.

9. Changes to this Policy

We may update this Policy to reflect legal, technical, or business changes. When we do, we will revise the “Last updated” date and, where changes are material, display a notice on the Site or obtain renewed consent if required by law (we'll bump the consent banner's revision number, which causes it to re-prompt all visitors).

10. Contact us

Questions or concerns? Please e-mail [email protected] or write to:

White Shoe AI
Email: [email protected]