Cookies
Short list. We don't use cookies for tracking — just for keeping you signed in.
Last updated May 1, 2026
The full list
TimeFlow sets the following cookies:
- sb-access-token / sb-refresh-token — Supabase Auth session cookies. Required to keep you signed in. Set by Supabase's SDK as HttpOnly and Secure. Expire on sign-out or after refresh-token rotation.
- tf_expected_user / tf_cal_scope — short-lived cookies (max 5 minutes) set during the "Connect Google Calendar" flow to track which user initiated the OAuth handshake and whether to grant Calendar scope. Cleared on completion.
What we don't use
- No Google Analytics. No Mixpanel. No Segment. No PostHog.
- No Facebook pixel. No advertising or remarketing cookies.
- No third-party tracking embedded in the app.
Local storage
The app uses your browser's localStorage for two things:
- UI preferences (theme, default calendar view, secondary timezone, "What now?" widget sources).
- Tracker state (which task is being timed, when started). Mirrors the server so a refresh keeps your timer running.
Local storage isn't a cookie technically — it doesn't leave your browser and isn't sent to our servers in HTTP requests. We mention it for transparency.
How to disable cookies
You can disable cookies via your browser settings. If you do, the auth session cookies won't persist and you won't be able to stay signed in. The app needs them to function; we've kept the list short for exactly this reason.
Contact
TimeFlow is operated by NXTWAVE FZC. Questions about cookies — email dev.olegovich@gmail.com.