§ 1
What is a cookie?
A cookie is a small text file a website stores on your browser. It can hold a session identifier, a preference, or a token that proves you signed in. “Similar technologies” — pixels, web beacons, local storage — work the same way for our purposes; we use the term “cookies” below to cover all of them.
§ 2
What we use cookies for
Authentication (strictly necessary). Two HTTP-only cookies — cp_access (15-minute JWT) and cp_refresh (30-day refresh token, rotated on each use) — keep you signed in. Without these, the Services cannot function. Set and read only by Cardpulse.
OAuth state (strictly necessary). A short-lived session cookie protects against CSRF during the Google sign-in flow. It expires when the flow completes.
Preference (functional). We may store UI preferences (such as your last-selected variant grade or category filter) in localStorage. Optional; the app works without them.
Analytics (analytics). We may use Google Analytics to understand which features get used and where users drop off. Analytics cookies are set by Google and governed by Google’s privacy policy. You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on, or by adjusting your Google Ads Settings.
No advertising cookies. Cardpulse does not run ads, does not sell personal information for targeted advertising, and does not place advertising-network cookies on your browser.
§ 3
The full list
The cookies and storage keys you may encounter on Cardpulse:
- cp_access — HTTP-only, Secure (in production). Short-lived JWT used to authorize API calls. Lifetime: 15 minutes.
- cp_refresh — HTTP-only, Secure (in production). Encrypted refresh token used to mint new access tokens. Rotated on each use; reuse triggers automatic revocation. Lifetime: 30 days.
- session — Used by the OAuth flow during Google sign-in (CSRF protection). Cleared after the flow completes.
- _ga, _gid, _ga_* — Google Analytics, if enabled. See Google’s documentation for lifetimes and purposes.
§ 4
How to control cookies
Most browsers let you reject or remove cookies in their settings. Doing so for the strictly-necessary cookies above will prevent you from staying signed in and will break the OAuth flow; the rest are safe to remove.
§ 5
Do-Not-Track
See §12 of our Privacy Notice: we do not currently respond to DNT browser signals because no uniform industry standard exists. If a standard is adopted that we are required to honor, we will update this notice to reflect our practice.
§ 6
Updates and contact
We may update this Cookie Notice as the Services evolve. The “Last updated” date at the top reflects the most recent revision. Questions can be sent to [email protected].