TL;DR
- Koydo does not run advertising and does not use advertising cookies. Ever.
- We use a small number of strictly-necessary cookies for login and security. These cannot be disabled.
- We use a small number of functional cookies for accessibility, theme, and locale. You can disable them in settings.
- We use analytics cookies (Mixpanel, Vercel) only with your consent in the EEA / UK / Switzerland; outside those regions, you can opt out in settings.
- For users under 18, analytics cookies are blocked by code, regardless of region or settings.
- Mobile apps (Flutter, native iOS Swift, native Android) do not use web cookies. Native consent is handled via Apple App Tracking Transparency (ATT) on iOS and Google's User Messaging Platform (UMP) on Android.
Plain-language summary
Koydo does not run advertising and does not use advertising cookies.
1. Categories We Use
1.1 Strictly Necessary
| Cookie / storage key | Purpose | Provider | Retention | Type |
|---|---|---|---|---|
sb-access-token, sb-refresh-token | Supabase authentication session | Supabase | Session + 1 hour refresh window | HTTP-only, Secure, SameSite=Lax |
__cf_bm | Cloudflare bot management (network protection) | Cloudflare | 30 minutes | HTTP-only, Secure |
__stripe_mid, __stripe_sid | Stripe checkout session integrity (only on checkout pages) | Stripe | 1 year / 30 minutes | HTTP-only, Secure |
koydo-csrf-token | CSRF protection on state-changing requests | Koydo | Session | HTTP-only, Secure, SameSite=Strict |
koydo-consent-state | Stores your consent choices for non-essential cookies | Koydo | 12 months | First-party, Secure |
These cookies cannot be disabled because the Service cannot function without them.
1.2 Functional (consented or userset)
| Storage key | Purpose | Provider | Retention | Type |
|---|---|---|---|---|
koydo-locale | Your selected language | Koydo (localStorage) | Until cleared by user | First-party |
koydo-theme | Your selected theme (light / dark / high-contrast) | Koydo (localStorage) | Until cleared | First-party |
koydo-a11y-prefs | Accessibility preferences (font size, motion, dyslexic font) | Koydo (localStorage) | Until cleared | First-party |
koydo-onboarding-state | Which onboarding steps you've completed | Koydo (localStorage) | Until cleared | First-party |
These are user-set preferences; they don't track you. You can clear them via your browser at any time.
1.3 Analytics (consented; blocked for users under 18 regardless of consent)
| Cookie | Purpose | Provider | Retention | Type | Gating |
|---|---|---|---|---|---|
mp_* (e.g., mp_<token>_mixpanel) | Product analytics — feature usage, drop-off, performance | Mixpanel | 1 year | First-party (proxied) | Blocked for all users under 18 by code |
| Vercel Analytics tokens | Page-load performance metrics, Web Vitals | Vercel | Session | First-party | Blocked for users under 18 by code |
For users in the EEA, UK, or Switzerland, these analytics are loaded only if you give consent in the cookie banner. Outside those regions, they load by default and you can opt out in Account Settings → Privacy.
1.4 Performance / Error Monitoring
| Storage key | Purpose | Provider | Retention | Type | Gating |
|---|---|---|---|---|---|
| Sentry session IDs (in-memory, not stored as a cookie) | Crash and error monitoring with PII auto-scrubbing | Sentry | Session | Server-side | PII scrubbed by policy for child accounts |
1.5 Advertising
None. Koydo does not run advertising and does not use advertising cookies. This is a deliberate product decision and not subject to consent toggles because there is nothing to consent to.
Plain-language summary
These cookies cannot be disabled because the Service cannot function without them.
2. Consent Mechanism
2.1 EEA / UK / Switzerland
On your first visit, you'll see a consent banner with three options: Accept all, Reject non-essential, and Customize. Your choice is stored in koydo-consent-state and respected on every subsequent visit. You can change your choice anytime from the footer link "Manage Cookies" or in Account Settings → Privacy. We do not use "dark patterns" — Reject is as easy as Accept; both are one click; both are equally prominent.
2.2 United States, Canada, and Other Regions
We do not require a banner under the laws of these regions, but we provide the same controls in Account Settings → Privacy. You can also use:
- The Global Privacy Control (GPC) browser signal — Koydo automatically interprets a GPC signal as opting out of analytics tracking.
- The "Do Not Sell or Share My Personal Information" link at /legal/do-not-sell (California, Colorado, Connecticut, and other states with opt-out rights).
2.3 Children Under 18
Regardless of region or consent choice, Mixpanel analytics and Vercel Analytics are both blocked by code for all users under 18. There is no toggle to override this — it is a hard gate enforced client-side and verified by automated tests in continuous integration (src/__tests__/lib/analytics/).
Plain-language summary
On your first visit, you'll see a consent banner with three options: Accept all, Reject nonessential, and Customize.
3. Mobile Apps (Flutter, native Swift, native Android)
Koydo's mobile applications do not use web cookies. Where mobile measurement or consent is relevant:
- iOS uses Apple's App Tracking Transparency (ATT) framework. The native iOS prompt is shown on first launch where applicable.
- Android uses Google's User Messaging Platform (UMP) for EEA / UK consent collection in app.
- For the legacy Matura Capacitor WebView shell, the web cookie banner is hidden when running inside the native shell (handled by
body.koydo-embed-modestyling). Native consent is collected at the app level instead. Koydo is migrating away from WebView shells; new mobile apps are Flutter or native Swift only.
Plain-language summary
Koydo's mobile applications do not use web cookies.
4. Updating This Inventory
This inventory is reviewed at every Privacy Policy revision (see Privacy Policy §12) and at every change to Koydo's analytics or infrastructure stack. The current authoritative version is recorded at Koydo's legal version history. If you have questions about a specific cookie or storage key not listed here, contact privacy@koydo.app — we will respond within 30 days and update this inventory if necessary.
Cookies inventory v2026-05-09 — Effective May 9, 2026
Plain-language summary
This inventory is reviewed at every Privacy Policy revision (see Privacy Policy §12) and at every change to Koydo's analytics or infrastructure stack.