Cookie Policy — Searchbase
Last updated: 2026-05-08
This Cookie Policy explains what cookies and similar technologies Searchbase uses on https://searchbase.org, and how to control them. It complements — and is fully consistent with — § 7 of the Privacy Policy.
1. What are cookies?
A "cookie" is a small text file stored by your browser when you visit a website. We also use localStorage (a similar in-browser storage mechanism) and server-side session cookies under the same legal regime.
Cookies are categorised by purpose:
- Strictly necessary — without them the Service cannot function. No consent required (Italian Garante guidelines, 10 June 2021, § 4).
- Functional — improve usability but are not essential. No consent required when limited to UI preferences saved on your own device.
- Analytics — measure how the Service is used. Consent required (opt-in).
- Marketing / advertising — Searchbase does not use marketing or advertising cookies.
2. Cookies and storage we use
2.1 Strictly necessary
| Name | Type | Purpose | Set by | Retention |
|---|---|---|---|---|
sb-access-token | HTTP cookie (httpOnly) | Authenticated session token | Supabase Auth | Up to 1 hour, refreshed |
sb-refresh-token | HTTP cookie (httpOnly) | Refresh the access token | Supabase Auth | Up to 30 days |
__cf_bm | HTTP cookie | Cloudflare Bot Management | Cloudflare | 30 minutes |
cf_clearance | HTTP cookie | Cloudflare anti-bot challenge clearance | Cloudflare | Up to 1 year |
These are required to log in, keep your session alive and protect the Service from automated abuse. You cannot disable them and continue to use the Service.
2.2 Functional (no consent required, on-device only)
| Name | Storage | Purpose |
|---|---|---|
cookie-consent | localStorage | Stores your cookie consent choice |
sidebar-collapsed | localStorage | Sidebar collapsed/expanded state |
sidebar-workspaces-expanded | localStorage | Workspaces section expanded state |
onboarding-completed | localStorage | Whether you've completed onboarding |
scrapedog-user-memory | localStorage | Local mirror of your long-term memory entries |
chat-tier-v2 | localStorage | Last-selected chat tier (Quick / Search / Deep Research) |
These never leave your browser — they are not transmitted to our servers as cookies.
2.3 Analytics — consent required (opt-in)
| Name | Type | Purpose | Set by | Retention |
|---|---|---|---|---|
ph_* | Cookie + localStorage | Product analytics: feature-usage events, performance metrics, session continuity (per-user, identified-only) | PostHog EU Cloud (eu.i.posthog.com) | Up to 1 year |
PostHog runs only if you opt in via the cookie banner. We use PostHog's person_profiles: 'identified_only' setting, so anonymous visitors are not profiled.
2.4 Error tracking (no consent required)
We use Sentry for uncaught-error tracking. Sentry is configured with sendDefaultPii: false: stack traces are sent without IP address or identifying request data. Sentry does not use cookies on the page; it uses the __Secure-sentry-* set of internal cookies on its own domain when you load the Sentry dashboard, which is unrelated to Searchbase.
3. Third-party cookies on our pages
The only third-party cookies that may be set on a Searchbase domain are:
- Cloudflare — security/anti-bot (always on; necessary).
- PostHog — analytics (only with consent).
- Stripe — set on the Stripe-hosted checkout pages, not on Searchbase pages.
We do not embed third-party social-media widgets, advertising pixels, or fingerprinting scripts.
4. Managing your choices
4.1 In-app banner
The cookie banner shown on your first visit lets you accept all or reject all non-necessary cookies. The choice is stored in cookie-consent (localStorage) and applied on every subsequent page load. You can change your choice at any time by clearing site storage (browser settings) and reloading; an in-app "Cookie preferences" link is on the roadmap.
4.2 Browser controls
You can also block or delete cookies via your browser settings. Disabling necessary cookies will break authentication; disabling functional cookies will reset your UI preferences.
5. Do Not Track and Global Privacy Control
Searchbase honours Global Privacy Control (GPC) signals: a browser sending GPC will be treated as having opted out of analytics cookies, regardless of the banner state. The legacy DNT header is no longer a defined standard and is not honoured separately, but it is overridden by GPC where present.
6. Changes to this policy
We may update this Cookie Policy. The current version is always at https://searchbase.org/cookies. For material changes we will notify you by banner or email.
7. Contact
Questions about cookies: [email protected].
For our full data-protection notice, see the Privacy Policy.