This is a draft pending legal review and does not constitute a binding cookie policy. The final version will be published before the platform enters production.
Cookie Policy
Last updated: May 2026 (draft) · Effective date: To be announced
What is a cookie?
A cookie is a small text file stored in your browser by a website. Cookies help sites remember information between page loads — for example, that you are signed in, or that you prefer a certain language. Cookies can be set by the website you are visiting (first-party cookies) or by third-party services embedded in the page.
Minilorry uses cookies sparingly. We do not use advertising cookies, tracking pixels, or behavioural profiling of any kind (D-002). The cookies we set are listed in full below.
Cookies we set
Essential cookies — cannot be disabled
| Cookie name | Purpose | Expires |
|---|---|---|
| sb-[project-ref]-auth-token | Supabase session token. Keeps you signed in across page loads. Required for all authenticated platform functionality. | 1 year |
| sb-[project-ref]-auth-token-code-verifier | PKCE code verifier used during the Google OAuth sign-in flow. Set temporarily during authentication and deleted on completion. | 5 minutes |
| mlry_signup_intent | Stores your selected signup role (vendor / customer / agent) during the Google OAuth redirect. Ensures you land in the correct onboarding wizard after authentication. | 15 minutes |
Analytics cookies — opt-out available
| Cookie name | Purpose | Expires |
|---|---|---|
| None currently. If analytics are added in future (privacy-preserving, self-hosted), they will be listed here and require opt-in consent. | ||
Deployment and infrastructure cookies
| Cookie name | Purpose | Expires |
|---|---|---|
| __vercel_live_token | Set by Vercel on preview deployments only. Not present in production. Used for Vercel's live collaboration overlay on preview URLs. | Session |
| __cf_bm | Set by Cloudflare. Bot management and DDoS protection — distinguishes humans from automated traffic. Required for security. | 30 minutes |
Third-party cookies
During Google OAuth sign-in, Google may set its own cookies in your browser. These are governed by Google's Privacy Policy, not ours. We do not control them.
We do not embed Google Analytics, Google Ads, Facebook Pixel, or any other advertising or behavioural tracking service. Minilorry does not participate in any cross-site user tracking (D-002).
Managing and opting out
Essential cookies
Essential cookies cannot be disabled without logging you out of the Platform. The Supabase session cookie is required for authentication — without it, the Platform will not know who you are between page loads.
Browser-level cookie controls
You can instruct your browser to refuse all cookies or to alert you when cookies are being sent. If you disable all cookies, portions of the Platform — including signing in — will not function correctly. Instructions for common browsers:
- Chrome: Settings → Privacy and security → Cookies and other site data
- Safari: Preferences → Privacy → Manage Website Data
- Firefox: Settings → Privacy & Security → Cookies and Site Data
- Edge: Settings → Cookies and site permissions → Cookies and site data
Future opt-in consent
If we introduce any non-essential cookies in future (for example, privacy-preserving analytics), we will display a cookie consent banner and require explicit opt-in before setting them. The banner will also allow you to review and withdraw consent at any time.
No advertising. No selling. No profiling.
We do not sell your browsing data to any third party. We do not build behavioural profiles for advertising purposes. We do not share cookies or tracking identifiers with advertising networks. The only data we share with third parties is what is necessary to operate the Platform — and that is listed in our Privacy Policy.
Contact
Questions about cookies or data practices: