Cookie Policy — Searchbase

Last updated: 2026-05-08


This Cookie Policy explains what cookies and similar technologies Searchbase uses on https://searchbase.org, and how to control them. It complements — and is fully consistent with — § 7 of the Privacy Policy.


1. What are cookies?

A "cookie" is a small text file stored by your browser when you visit a website. We also use localStorage (a similar in-browser storage mechanism) and server-side session cookies under the same legal regime.

Cookies are categorised by purpose:

  • Strictly necessary — without them the Service cannot function. No consent required (Italian Garante guidelines, 10 June 2021, § 4).
  • Functional — improve usability but are not essential. No consent required when limited to UI preferences saved on your own device.
  • Analytics — measure how the Service is used. Consent required (opt-in).
  • Marketing / advertising — Searchbase does not use marketing or advertising cookies.

2. Cookies and storage we use

2.1 Strictly necessary

NameTypePurposeSet byRetention
sb-access-tokenHTTP cookie (httpOnly)Authenticated session tokenSupabase AuthUp to 1 hour, refreshed
sb-refresh-tokenHTTP cookie (httpOnly)Refresh the access tokenSupabase AuthUp to 30 days
__cf_bmHTTP cookieCloudflare Bot ManagementCloudflare30 minutes
cf_clearanceHTTP cookieCloudflare anti-bot challenge clearanceCloudflareUp to 1 year

These are required to log in, keep your session alive and protect the Service from automated abuse. You cannot disable them and continue to use the Service.

2.2 Functional (no consent required, on-device only)

NameStoragePurpose
cookie-consentlocalStorageStores your cookie consent choice
sidebar-collapsedlocalStorageSidebar collapsed/expanded state
sidebar-workspaces-expandedlocalStorageWorkspaces section expanded state
onboarding-completedlocalStorageWhether you've completed onboarding
scrapedog-user-memorylocalStorageLocal mirror of your long-term memory entries
chat-tier-v2localStorageLast-selected chat tier (Quick / Search / Deep Research)

These never leave your browser — they are not transmitted to our servers as cookies.

2.3 Analytics — consent required (opt-in)

NameTypePurposeSet byRetention
ph_*Cookie + localStorageProduct analytics: feature-usage events, performance metrics, session continuity (per-user, identified-only)PostHog EU Cloud (eu.i.posthog.com)Up to 1 year

PostHog runs only if you opt in via the cookie banner. We use PostHog's person_profiles: 'identified_only' setting, so anonymous visitors are not profiled.

2.4 Error tracking (no consent required)

We use Sentry for uncaught-error tracking. Sentry is configured with sendDefaultPii: false: stack traces are sent without IP address or identifying request data. Sentry does not use cookies on the page; it uses the __Secure-sentry-* set of internal cookies on its own domain when you load the Sentry dashboard, which is unrelated to Searchbase.


3. Third-party cookies on our pages

The only third-party cookies that may be set on a Searchbase domain are:

  • Cloudflare — security/anti-bot (always on; necessary).
  • PostHog — analytics (only with consent).
  • Stripe — set on the Stripe-hosted checkout pages, not on Searchbase pages.

We do not embed third-party social-media widgets, advertising pixels, or fingerprinting scripts.


4. Managing your choices

4.1 In-app banner

The cookie banner shown on your first visit lets you accept all or reject all non-necessary cookies. The choice is stored in cookie-consent (localStorage) and applied on every subsequent page load. You can change your choice at any time by clearing site storage (browser settings) and reloading; an in-app "Cookie preferences" link is on the roadmap.

4.2 Browser controls

You can also block or delete cookies via your browser settings. Disabling necessary cookies will break authentication; disabling functional cookies will reset your UI preferences.


5. Do Not Track and Global Privacy Control

Searchbase honours Global Privacy Control (GPC) signals: a browser sending GPC will be treated as having opted out of analytics cookies, regardless of the banner state. The legacy DNT header is no longer a defined standard and is not honoured separately, but it is overridden by GPC where present.


6. Changes to this policy

We may update this Cookie Policy. The current version is always at https://searchbase.org/cookies. For material changes we will notify you by banner or email.


7. Contact

Questions about cookies: [email protected].

For our full data-protection notice, see the Privacy Policy.