Last updated: May 2026
Cookie Policy
This policy explains what cookies and similar technologies Passed Plan uses, why we use them, and how you can control them.
1. What Are Cookies?
Cookies are small text files placed on your device by a website you visit. They are widely used to make websites work, improve efficiency, and provide reporting information to site operators. Cookies set by the site you are visiting are called "first-party cookies." Cookies set by parties other than the site operator are called "third-party cookies."
We also use related technologies such as local storage and session storage, which function similarly to cookies but store data in your browser rather than as separate files. This policy covers all such technologies collectively.
2. Cookies We Use
2.1 Strictly Necessary Cookies
These cookies are required for the Service to function. They cannot be disabled without breaking core functionality. No consent is required for strictly necessary cookies.
| Cookie | Provider | Purpose | Duration | Type |
|---|---|---|---|---|
| sb-auth-token | Passed Plan (Supabase) | Authenticates your session after login. Without this cookie you would need to sign in on every page visit. | Session / 1 hour (refreshed automatically) | First-party |
| sb-refresh-token | Passed Plan (Supabase) | Allows your session to be refreshed without requiring a new login. | 7 days | First-party |
| __Host-csrf | Passed Plan | Cross-site request forgery protection. Ensures form submissions originate from our own pages. | Session | First-party |
| pp-vault-hint | Passed Plan | Stores an encrypted key derivation hint in browser local storage to speed up vault unlock. Contains no plaintext secrets. | Persistent (until cleared) | First-party (local storage) |
2.2 Analytics Cookies
We use PostHog for product analytics. PostHog is configured in privacy-first mode: IP addresses are anonymised, personally identifiable information is masked, and data is not shared with advertising networks. Analytics cookies help us understand how the product is used so we can improve it.
| Cookie | Provider | Purpose | Duration | Type |
|---|---|---|---|---|
| ph_* | PostHog | Identifies an anonymous browser session for aggregate usage analytics (feature usage, session length, page views). No PII is collected. | 1 year | First-party (set by our domain, processed by PostHog) |
| ph_session_* | PostHog | Tracks the current analytics session window. | 30 minutes (rolling) | First-party |
You can opt out of PostHog analytics by visiting your account Privacy Settings, or by enabling the Do Not Track signal in your browser (we honour DNT).
2.3 Payment Cookies (Stripe)
When you visit the checkout flow, Stripe sets cookies on the checkout.stripe.com or js.stripe.com domain to enable secure payment processing, fraud detection, and to remember your payment preferences. These are third-party cookies set only during the checkout session.
| Cookie | Provider | Purpose | Duration | Type |
|---|---|---|---|---|
| __stripe_mid | Stripe | Fraud prevention and risk assessment for payment transactions. | 1 year | Third-party (stripe.com) |
| __stripe_sid | Stripe | Links the browser session to the Stripe checkout session. | 30 minutes | Third-party (stripe.com) |
| m | Stripe | Fraud prevention. Identifies the browser across Stripe-powered checkout pages. | 2 years | Third-party (stripe.com) |
Stripe's use of cookies is governed by Stripe's Privacy Policy. We cannot disable Stripe's cookies without disabling payment processing.
2.4 Advertising Cookies
Passed Plan does not use advertising cookies. We do not partner with ad networks, retargeting platforms, or social media pixels. No cookie on our domain tracks you across other websites for advertising purposes.
3. How to Manage Cookies
3.1 Browser Settings
Most browsers allow you to view, block, and delete cookies through their settings. Note that blocking all cookies will prevent the Service from functioning correctly — at minimum, authentication cookies must be allowed.
Browser cookie management guides:
3.2 Do Not Track
Passed Plan honours the Do Not Track (DNT) browser signal. When DNT is enabled, we disable PostHog analytics collection for your session. Strictly necessary cookies and Stripe payment cookies are not affected by DNT.
3.3 Account Privacy Settings
Logged-in users can manage analytics cookie preferences in Settings → Privacy. This preference is stored server-side and applied across all your devices and sessions.
4. Updates to This Policy
We may update this Cookie Policy as we add or remove cookies from the Service. The date at the top of this page reflects the most recent revision. Significant changes will be communicated via the account notification system.
5. Contact
Questions about our use of cookies can be directed to support@passedplan.com.