Cookie Policy

1. The short version

InkMate sets the minimum cookies needed for sign-in to work. We don't run analytics cookies. We don't run advertising cookies. We don't share cookie data with third parties for marketing.

Some pages route you out to Stripe (for example when a client pays a deposit or when a studio completes Stripe Connect onboarding). Stripe sets its own cookies on those flows. That's on Stripe's side — see section 4.

2. What cookies are

Cookies are small pieces of data a website asks your browser to remember between page loads. We use them to keep you signed in and to keep forms safe from cross-site abuse — that's it.

3. The cookies we set

3.1 Strictly necessary

• ✶NextAuth session token (next-auth.session-token or __Secure-next-auth.session-token in production). Keeps you signed in after authenticating. HTTP-only, Secure, SameSite=Lax. Expires when you sign out or after the configured idle window.
• ✶NextAuth CSRF token (next-auth.csrf-token or __Host-next-auth.csrf-token). Protects sign-in forms from cross-site request forgery. HTTP-only, Secure, SameSite=Lax. Session-scoped.
• ✶NextAuth callback URL (next-auth.callback-url). Tracks where to send you after sign-in. Session-scoped.

These can't be disabled while you're signed in — without them, sign-in literally won't work. They are not used for analytics or advertising.

3.2 Not set

• ✶No Google Analytics
• ✶No Facebook Pixel
• ✶No advertising or retargeting cookies
• ✶No third-party session-replay or heatmap tools

If we ever add product analytics, this page is updated before the cookie is set, and we'll surface consent for non-essential categories where required by law.

4. Third-party cookies

When you're redirected to a Stripe-hosted page (Stripe Checkout for deposits, Stripe Connect onboarding for studios, the Stripe Customer Portal), Stripe sets its own cookies on those flows. Those cookies live on Stripe's domains, not ours, and are governed by Stripe's policies:

• ✶Stripe Privacy Policy: stripe.com/privacy
• ✶Stripe Cookie Policy: stripe.com/cookies-policy/legal

We don't receive Stripe's cookie data; Stripe uses it for fraud prevention and payment processing.

5. How to disable cookies

You can block or delete cookies from your browser settings:

• ✶Chrome: Settings → Privacy and security → Cookies and other site data
• ✶Firefox: Settings → Privacy & Security → Cookies and Site Data
• ✶Safari: Preferences → Privacy → Manage Website Data
• ✶Edge: Settings → Cookies and site permissions → Manage and delete cookies

If you block the strictly-necessary cookies, sign-in to InkMate won't work — there's nowhere to store your session. The public landing page and unauthenticated pages still load fine.

6. Local storage

We don't treat browser local storage as a cookie, but for completeness: the dashboard may store small UI preferences locally (e.g. sidebar open state). Nothing identifying, nothing transmitted off-device.

7. Changes

If we add cookies (e.g. product analytics, A/B testing), we'll update this page and surface consent for non-essential categories where the law requires it.

8. Contact

Questions: privacy@inkmate.app.