Cookie Policy

Last updated 23 May 2026. Every cookie and storage key Karven sets, what it's for, how long it lasts, and how to opt out of the non-essential ones.

1. What cookies and storage are

A cookie is a small text file your browser stores when you visit a site. Local storage and session storage are similar mechanisms that hold data in the browser without sending it back to the server on every request.

Karven uses a mix of cookies and browser storage. Some are strictly necessary to deliver the service; others are optional and only run with your consent.

2. Categories we use

  • Strictly necessary: keeps you signed in, protects against CSRF, remembers your plan tier. These always run; the law does not require consent for cookies that are necessary to deliver an explicitly requested service.
  • Functional: remembers display preferences such as the cookie banner decision itself, or the dark/light theme. Only set after you accept.
  • Analytics: anonymous, aggregate product analytics that help us understand which features are used. Only set if you accept analytics in the banner. Currently inactive; we will update this page before we turn anything on.
  • Advertising and tracking: none. We do not run any third-party advertising trackers, retargeting pixels, or cross-site fingerprinting scripts.

3. The full list

Strictly-necessary cookies and storage:

  • sb-access-token (cookie, session, 1 hour). Supabase access token. Identifies you to the application. Set on sign-in, cleared on sign-out.
  • sb-refresh-token (cookie, persistent, 7 days). Supabase refresh token. Used to renew the access token without you having to sign in again.
  • __Host-csrf (cookie, session). Anti-CSRF token. Validates that form posts come from a Karven page.
  • karven-flash (cookie, session). One-shot success/error messages shown after a redirect.
  • anon_id (localStorage, persistent). Anonymous identifier used to record your cookie-banner decision when you're not signed in.
  • cookie_consent (localStorage, persistent). Your cookie-banner decision. Cleared if you re-set preferences.
  • vercel-* (cookie, varies). Vercel hosting platform cookies for routing and security.

Optional cookies and storage (only set with consent):

  • ph-* (cookie, persistent, 12 months). Anonymous product analytics via PostHog, when enabled. We will update this page when we switch this on.
  • theme (localStorage, persistent). Your light/dark theme preference.

We also embed a small number of third-party iframes and widgets that may set their own cookies on the third party's domain: Stripe Checkout, Google Sign-In and reCAPTCHA. Those cookies are governed by the relevant third party's policy, not this one.

4. Managing your cookie choices

On your first visit a banner offers three choices: accept all, reject non-essential, or manage preferences. Your decision is stored locally and a record is written to our cookie_consents table so we have proof of the consent decision if a complaint is lodged.

You can change your decision at any time by clicking the small "Cookie preferences" link in the footer of any marketing page, or by clearing the cookie_consent key from your browser storage and refreshing the page.

You can also block or delete cookies from your browser settings. Blocking strictly-necessary cookies will break sign-in.

5. Do Not Track and Global Privacy Control

Karven honours the Global Privacy Control (GPC) signal as an opt-out of all non-essential cookies. If your browser sends GPC, we set the consent record to "essential" automatically on first visit and do not show the banner.

Do Not Track is a legacy header that browsers no longer reliably set; where it is present we treat it the same as GPC.

6. Changes to this policy

If we add a new cookie or change the purpose of an existing one we will update this page and refresh the version date at the top. Material additions will trigger the banner again so you can re-confirm your choices.

7. Questions

If you spot a cookie not listed here, or if you're unsure why one is being set, please email privacy@karven.com.au and we'll either explain it or remove it.