Cookie Policy

This Cookie Policy explains how TuscanoLabs uses cookies and similar technologies on tuscanolabs.com. It applies in addition to our Privacy Policy and should be read together with it.

We try to keep our cookie usage minimal. We do not use advertising cookies or third-party retargeting pixels, and we do not sell behavioral data to anyone.

A cookie is a small text file that a website stores on your device when you visit. Cookies are widely used to make websites work, to remember preferences, and to provide aggregated information about how a site is used. "Similar technologies" include local storage, session storage, and pixel tags, which serve comparable purposes.

TuscanoLabs uses three categories of cookies and similar storage. Each is described in detail below.

• Essential — required for the Service to work (authentication, security, session state). Cannot be disabled.
• Security — used to verify that requests come from real humans, not bots, and to prevent abuse.
• Analytics — used to understand product usage in aggregate so we can improve the platform. Optional and can be disabled.

These are required for the Service to function. Disabling them will break sign-in, persistence, and security features.

• sb-access-token (Supabase) — your authenticated session token. Set when you sign in, cleared when you sign out. Duration: session / up to 1 hour, refreshed automatically
• sb-refresh-token (Supabase) — used to renew your session without forcing you to sign in again. Duration: 30 days
• Local storage entries (Supabase auth) — store the auth state across page reloads so you stay signed in
• tuscanolabs-referral — captures the referral source from a landing-page query parameter so we can credit a partner correctly. Duration: 30 days

These help protect TuscanoLabs and its users from automated abuse, scraping, and bots.

• Cloudflare Turnstile — set by our CAPTCHA provider on the public scan endpoints to verify that requests come from a real human. Duration: short-lived (typically minutes), tied to the challenge
• Cloudflare CDN cookies — set by Cloudflare on tuscanolabs.com to prevent abuse, distribute traffic, and detect known threats

These are optional and only loaded when you have not opted out. They help us understand which features get used so we can prioritize what to build next.

• PostHog (ph_*) — anonymous product analytics. Records aggregated events such as page views, button clicks, and conversion funnel steps. Does not capture form input or scan content. Duration: up to 1 year
• Sentry (sentry-trace, etc.) — error and performance monitoring. Used only when our application throws an error or measures a performance trace. Duration: per-request

Below is a summary of every cookie or storage entry TuscanoLabs sets, in plain English.

• sb-access-token — Essential — Authentication — ~1 hour, auto-refreshed
• sb-refresh-token — Essential — Session renewal — 30 days
• sb-* (local storage) — Essential — Persisted auth state — Until sign out
• tuscanolabs-referral — Essential — Partner attribution — 30 days
• Cloudflare Turnstile cookies — Security — Bot protection — Minutes
• Cloudflare CDN cookies — Security — Abuse protection — Per CDN policy
• ph_* (PostHog) — Analytics — Aggregated product usage — Up to 1 year
• Sentry trace IDs — Analytics — Error monitoring — Per request

You can control cookies in several ways depending on what you want to disable.

• Analytics — enable your browser's "Do Not Track" or "Global Privacy Control" signal. We honor both and will not load PostHog when either is set
• All non-essential cookies — use your browser's privacy settings to block third-party cookies, or use a privacy extension such as uBlock Origin or Privacy Badger
• Specific cookies — most browsers let you delete individual cookies from the site settings page. Note that deleting essential cookies will sign you out and may break some features
• GitHub OAuth tokens — disconnect GitHub from your account settings to immediately delete the stored token

All major browsers let you view, manage, and delete cookies. The exact steps differ by browser:

• Chrome — Settings → Privacy and security → Cookies and other site data
• Firefox — Settings → Privacy & Security → Cookies and Site Data
• Safari — Settings → Privacy → Manage Website Data
• Edge — Settings → Cookies and site permissions → Cookies and site data

We honor the Do Not Track (DNT) browser signal and the Global Privacy Control (GPC) signal. When either is set, we will not load PostHog analytics for your session. Essential and security cookies still apply because the Service cannot function without them.

We may update this Cookie Policy when we add, remove, or change a cookie or similar technology. Material changes will be announced in-product or by email to account holders before they take effect. The "Last Updated" date at the top of this page always reflects the current version.

Questions about cookies, tracking, or this policy can be directed to:

support@tuscanolabs.com