
Cookie Policy

Version 1.1 · Effective date: April 17, 2026

Last updated: April 18, 2026

1. What are cookies and local storage?

Cookies: Small text files that websites store on the user's device via the browser. They allow information to be remembered between visits and requests.

localStorage / sessionStorage: Browser storage mechanisms that allow web applications to save data on the user's device without automatically sending it to the server on each request. CoreLab uses both mechanisms to ensure the Platform functions correctly.

2. Cookies Used

2.1 Session Cookies — Authentication (Essential)

| Name | Type | Duration | Purpose |
|---|---|---|---|
| sb-[ref]-auth-token | Secure session cookie | Browser session + auto-renewal | Stores the access token and refresh token for the authenticated session. Configured as inaccessible by JavaScript where possible. |
| sb-[ref]-auth-token-code-verifier | Temporary cookie | Short duration (OAuth flow) | Used temporarily during the Google authentication flow and password reset. Deleted upon completing the process. |

These cookies are strictly necessary for authentication. Without them, the user cannot sign in or maintain an active session.

2.2 Language Cookie (Functional)

| Name | Type | Duration | Purpose |
|---|---|---|---|
| locale | Preference cookie | Persistent (~1 year) | Stores the user's language preference (Spanish or English). Read by the server to render the interface in the correct language. |

3. Browser Local Storage (localStorage)

localStorage is accessible only from CoreLab's domain and is not automatically sent to the server.

Authentication state (corelab-auth)

Cache of authentication state: includes the authenticated user, active organization, and role. Used to prevent interface flickering when loading the application. Not the authoritative source of the session — that is always the authentication cookie. Deleted upon signing out or when an expired session is detected.

Theme preference (corelab-theme)

Interface theme preference: dark or light. Read when the page loads to prevent visual flash of unstyled content. Deleted when manually clearing browser storage.

Language preference (locale)

Preferred language code. Complements the locale cookie for components that need to access this preference without querying the server.

Tutorial state (tutorial_completed)

Indicates whether the user has completed or dismissed the onboarding tutorial. Prevents showing the tutorial to users who have already completed it. Deleted when manually clearing storage.

4. Session Storage (sessionStorage)

sessionStorage exists only during the active browser session and is deleted when the tab is closed.

  • Authentication flow type: Flag indicating whether the authentication process originates from an invitation. Used to redirect correctly upon completing the flow and deleted immediately after being read.
  • Onboarding notification control: Prevents registration confirmation messages from appearing multiple times during the same browser session.

5. Third-Party Cookies

5.1 Typography (Google Fonts)

The Platform's typography is loaded from Google's external servers. This loading involves an HTTP request that may expose to Google the user's IP address, browser type, and request timestamp. Google may set its own cookies in relation to these requests. For more information: Google Fonts Privacy FAQ.

5.2 Payment Processor (Stripe)

When the user accesses the payment flow or billing portal, they temporarily leave CoreLab's domain and access Stripe's domains. Stripe may set its own cookies on those domains. For more information: Stripe Privacy Policy.

6. What CoreLab Does NOT Do with Cookies

CoreLab explicitly confirms that it:

  • Does not use advertising tracking cookies (Google Ads, Meta Pixel, etc.).
  • Does not use behavioral analytics cookies (Google Analytics, Hotjar, Mixpanel, etc.).
  • Does not share cookie data with advertising networks.
  • Does not sell cookie-based user behavior data.
  • Does not perform cookie-based targeting.

7. Legal Basis for Cookie Use

| Storage Type | Legal Basis | Description |
|---|---|---|
| Authentication session cookies | Contractual necessity / Strictly necessary cookie | Without these cookies, the service cannot function. No explicit consent required. |
| Language cookie | Legitimate interest / Functional cookie | Improves experience by storing language preference. |
| Authentication state in localStorage | Technical necessity (same basis as session) | Functional cache to prevent interface flickering. |
| Theme preference in localStorage | Legitimate interest | Display preference chosen by the user. |
| Tutorial state in localStorage | Legitimate interest | Avoids showing a tutorial already completed. |
| Google typography | Legitimate interest | Typography loading necessary for interface design. |

8. Cookie Control and Management

8.1 From Browser Settings

  • Chrome: Settings → Privacy and security → Cookies and other site data
  • Firefox: Settings → Privacy & Security → Cookies and Site Data
  • Safari: Preferences → Privacy → Manage Website Data
  • Edge: Settings → Cookies and site permissions

Warning: Blocking authentication session cookies will prevent sign-in and use of the Platform.

8.2 Clearing Local Storage

To remove CoreLab's local storage: in Chrome/Edge, open developer tools → Application → Storage → Clear site data. Or directly from the browser's cookie/storage settings for CoreLab's domain.

Consequence: Theme, language preferences, and tutorial state will be lost. The authentication session may not be affected.

9. Changes to this Policy

Any significant change in cookie usage will be communicated to active users by email at least 14 days before the effective date.

10. Browser Privacy Signals (GPC and Do Not Track)

10.1 Global Privacy Control (GPC)

CoreLab detects and respects the GPC signal. Since CoreLab does not sell or share personal data for advertising purposes, its activation does not modify Platform behavior — these commitments already apply universally.

To enable GPC:

  • Brave: Active by default.
  • Firefox: Settings → Privacy & Security → Enhanced Tracking Protection.
  • Chrome / Edge: Compatible extension (DuckDuckGo Privacy Essentials, Privacy Badger).

10.2 Do Not Track (DNT)

CoreLab registers the DNT signal. Since no advertising tracking cookies or behavioral analytics systems are used, there is no practical difference in Platform behavior between users with and without DNT enabled.

11. Contact

CoreLab Creative
Email: info@corelabcreative.com
Suggested subject: [COOKIES] - brief description