Cookies
Short list. We don't use cookies for tracking — just for keeping you signed in.
Last updated May 9, 2026
Strictly necessary (always set)
These cookies make the app function — they're set whether or not you accept analytics:
- sb-access-token / sb-refresh-token — Supabase Auth session cookies. Required to keep you signed in. Set by Supabase's SDK as HttpOnly and Secure. Expire on sign-out or after refresh-token rotation.
- tf_expected_user / tf_cal_scope — short-lived cookies (max 5 minutes) set during the "Connect Google Calendar" flow to track which user initiated the OAuth handshake and whether to grant Calendar scope. Cleared on completion.
Analytics & consent
TimeFlow runs three analytics services. Two are cookieless (no opt-in needed); one is cookied and gated behind the consent banner you see on first visit.
- Vercel Web Analytics & Vercel Speed Insights — cookieless. Vercel uses page-load fingerprinting and aggregated Web Vitals; nothing is set on your browser. Active by default; covered in the Privacy Policy.
- Google Analytics 4 via Google Tag Manager (container ID GTM-KR4KQKWX) — uses cookies to recognize returning visitors and stitch the conversion funnel together. Cookies are only set if you click "Accept" on the consent banner. If you decline (or close the banner without choosing), GA4 still runs in Google's Consent Mode v2 "denied" state — events are pinged without cookies and Google models the aggregate, with no per-visitor identifier stored on your device.
Cookies set if you accept analytics
- _ga — Google Analytics client identifier. Lifespan: 2 years. Used to distinguish unique browsers across sessions.
- _ga_KR4KQKWX (GA4 property-specific) — session state for the GA4 property. Lifespan: 2 years.
- Possible additional GTM/Google cookies (_gid, _gcl_*) if Google Ads or other tags are added inside GTM later. We'll update this list when that happens.
How to change your mind
Clear your browser's storage for usetimeflow.com (or just delete the tf_consent entry from localStorage) and reload — the banner will reappear and you can choose differently. We'll add a more direct "manage cookies" control later.
What we don't use
- No Mixpanel. No Segment. No PostHog. No Hotjar / FullStory session replay.
- No Facebook pixel. No advertising or remarketing cookies (and any future ad pixel will require explicit consent before loading).
- No fingerprinting beyond the cookieless aggregates Vercel uses.
Behavioral learning (no cookies)
TimeFlow has an optional "Behavioral learning" feature (off by default; toggle in Settings → Privacy & Security) that lets AutoScheduler MAX learn from how you work. When on, in-app actions are logged as server-side rows keyed to your user_id — no new browser cookies, no localStorage, nothing in the request headers. The full list of what's logged and how to export/delete it lives on the privacy page.
Local storage
The app uses your browser's localStorage for two things:
- UI preferences (theme, default calendar view, secondary timezone, "What now?" widget sources).
- Tracker state (which task is being timed, when started). Mirrors the server so a refresh keeps your timer running.
Local storage isn't a cookie technically — it doesn't leave your browser and isn't sent to our servers in HTTP requests. We mention it for transparency.
Paddle checkout (when paid plans launch)
Once paid subscriptions are live, the checkout flow will load paddle.com in-page on its own origin. Paddle.com Market Limited sets its own session and fraud-prevention cookies on that origin during checkout — they're governed by Paddle's cookie policy, not by this page. Until billing turns on, no Paddle cookies are loaded.
How to disable cookies
You can disable cookies via your browser settings. If you do, the auth session cookies won't persist and you won't be able to stay signed in. The app needs them to function; we've kept the list short for exactly this reason.
Contact
TimeFlow is operated by NXTWAVE FZC. Questions about cookies — email dev.olegovich@gmail.com.