Cookies and similar technologies

Strictly necessary authentication cookies

Supabase Auth sets first-party cookies (names typically beginning sb-) so your session persists securely between requests. These are essential for sign-in and signed-in areas of the application.

Referral attribution (first-party cookie)

When you land with a valid referral code in the URL, we may place a short-lived first-party HTTP cookie (tos_ref) so the platform can attribute a signup fairly. It is not used for third-party advertising networks.

Third-party marketing and analytics cookies

We do not use third-party advertising cookies. We do not rely on analytics cookies for PostHog — when enabled, PostHog stores its SDK state in browser localStorage after you opt in on this device.

Product safety and analytics (PostHog, localStorage)

Deployments that set a public PostHog key expose the SDK so subscribers can choose to send minimal typed product events — for reliability observability, feature usage summaries, error/flow diagnostics, and proportionate indicators around safe AI-assisted flows. PostHog is not treated as strictly necessary for core sign-in or accounting; it stays off until you pick Allow product safety & analytics (banner or preference panel below). We must not transmit raw quote or proposal wording, uploaded files or names, prompts, completions, contacts, pricing line detail, or other sensitive customer content through these events — only lightweight metadata aligned with internal rules.

The SDK initialises with autocapture off and session replay disabled in the build we operate.

Service worker / PWA cache

Our progressive web app registers a service worker so static assets and selected routes load faster offline or on poor connections. Cache entries are stored locally in your browser — they are not used to track you across unrelated sites. You can clear site data or uninstall the PWA from your device settings at any time.

Preference controls (this browser)

Your choice for product safety/analytics applies per browser profile and is stored locally as JSON under the key tradeos_privacy_preferences. Clearing site data resets it — you'll see the banner again while a PostHog key remains configured.

Manage storage in your browser

You can also block or wipe cookies and local storage for Trade-OS from your device settings — that may log you out and remove referrals or analytics preference state until you revisit and choose again.