Skip to content
⚠️ DRAFT — requires UK legal counsel review before launch. Not legal advice.

Cookie Policy

Last updated: 2026-06-21 · OpenSassy

This policy is written against UK PECR and UK GDPR, and lists only what OpenSassy actually sets — verified by reviewing the platform's code, not a generic template.

The short version

OpenSassy does not set any browser cookies. We don't use cookies for login, preferences, or analytics. Instead, the app stores a small number of items in your browser's localStorage and sessionStorage — these work similarly to cookies (they sit on your device) but are never sent automatically with every request the way a cookie is, and there is no cookie consent banner because there is nothing here that PECR's cookie rules apply to in the traditional sense. We still document everything stored, in the spirit of transparency.

What we actually store (localStorage / sessionStorage)

Audited directly against the OpenSassy web codebase. None of these are sent to a server automatically — they're read by the page's own JavaScript and attached to API requests (e.g. as an Authorization header) when needed.

Strictly necessary required to use the platform

Keep you signed in and scoped to the right business/customer account. Without these you'd be logged out on every page load.

KeyPurposeLifetime
sassy_tokenYour sign-in session (JWT)Until logout or expiry (~7 days)
sassy.jwtLegacy alias of the same session token, kept for older pagesUntil logout or expiry
org_idWhich business you're currently working inUntil you switch businesses or log out
sassy_founder_token / founder_tokenFounder's own session, kept separately so it survives impersonating a business (and is restored on exit)Until logout
sassy_customer.<org_id>An end-customer's own booking session for a specific business (per REQ-005 customer accounts)~30 days

Functional improves the experience, not essential

Remember interface state and onboarding progress — no personal data.

KeyPurposeLifetime
sassy_nav_expandedWhether the side navigation is expanded or collapsedPersistent
sassy_onboarding_complete / sassy_first_session_doneWhether you've completed first-run onboarding, so we don't show it twicePersistent
sassy_welcome_pendingWhether a welcome message is queued in the chatUntil shown
sassy_visitor_name / sassy_visitor_emailPre-fills the sign-up form if you typed your name/email on the landing page firstPersistent until used
dev-user-roleLocal development only — not present in production buildsPersistent
opensassy_prospectsFounder-only sales pipeline notes, kept on the founder's own devicePersistent

Session-only (sessionStorage)

Cleared automatically when you close the tab.

KeyPurposeLifetime
ai_candidate_id / ai_service_idHolds your in-progress booking selection between steps of the AI booking flowTab session
Sassy chat widget cacheRecent chat turns, so the floating assistant survives a page refresh within the tabTab session

Analytics / advertising / third-party tracking

None. OpenSassy has no Google Analytics, Meta Pixel, PostHog, Mixpanel, Hotjar, or any other tracking or advertising script wired in as of this audit. If that changes, this page (and a cookie consent banner) will be updated before the change ships — COUNSEL: confirm the process for re-auditing this page is contractually required before any analytics is added.

Supabase authentication

OpenSassy's sign-up/login flow on some pages uses Supabase Auth in the browser. By default this also persists its session in localStorage (not a cookie). If this changes to a cookie-based Supabase session in a future build, this section will be updated to reflect that. COUNSEL: confirm no first-party cookie is set server-side by any current route before this page is finalised — verify against a live response, not just the code.

Managing or clearing this data

Because nothing here is a cookie, your browser's cookie controls won't show or block it. Instead:

  • Logging out clears your session token directly.
  • Your browser's "Clear site data" / "Clear browsing data" → Site settings/Cookies and site data for the-sassy.com will remove everything listed above.
  • Disabling localStorage in your browser will prevent you from staying logged in to OpenSassy.

Your rights

Under UK GDPR you have the right to access, correct, and delete personal data we hold, including any identifiers stored in your browser. Contact hello@the-sassy.com to exercise these rights. See our Privacy Policy for the full picture of what we process.

Changes

We will update this policy whenever the platform starts storing something new in the browser, or starts using actual cookies (e.g. if we add analytics). The date above reflects the last code audit.