Cookies
- Last updated
- Effective
- Entity
Kairo Labs LLC ("Kairo") uses a small, specific set of cookies and browser storage values — only for things that make the product work or that you opt into. We do not set advertising or cross-site tracking cookies, and we do not allow third parties to set cookies through our pages.
Kairo is a local-first application. Most of the values we store live in your browser's local storage, not in cookies. They never leave your device unless you sign in to a paid plan — in which case the same values are mirrored to your account so they follow you between devices. We list both kinds below.
1. Browser cookies we actually set
Strictly necessary (always on)
Required for the Service to work — to keep you signed in and route requests. You cannot disable these and still use the product.
- sb-access-token / sb-refresh-token (set by Supabase Auth) — your sign-in session. HttpOnly, Secure, SameSite=Lax. Persists until sign-out or token rotation (refresh token ~30 days).
These are the only cookies Kairo currently sets on the browser layer. Authentication and CSRF protection are handled by the Supabase Auth flow above and by SameSite cookie attributes; we do not set a separate kairo_csrf cookie.
2. Local storage values
Local storage is browser-only and never transmitted with HTTP requests. These values stay in your browser unless you explicitly sign in and mirror them to your account. Clearing browser data clears all of them.
Functional (on by default)
- kairo.theme — your light / dark / system preference.
- kairo.locale — your preferred language. Currently English / US only.
- kairo.profile, kairo.events, kairo.tasks, kairo.notes, kairo.workspaces, kairo.preferences and related — the local copy of your own data. The whole point of local-first.
- kairo.notif_settings — which notification types you want (reminders, leave-by, mentions, system).
- kairo.ai_quota — the dashboard's display mirror of your monthly AI usage. Server-side counters in your account are the authoritative source.
- kairo.onboarding_seeded — flag so the sample-data seed only runs once.
- kairo:intro:session — session-storage flag that marks the welcome animation as seen for the current sign-in.
Analytics (opt-in only)
First-party, pseudonymized usage telemetry so we can fix what is broken and prioritize features. Off by default. We do not send analytics data to advertising platforms.
- PostHog distinct ID — a random, non-identifying ID used to de-duplicate events. Only created when you grant consent in the cookie-preferences dialog or in Settings → Privacy & AI. Cleared on sign-out.
3. What we do not set
- No third-party advertising cookies.
- No cross-site tracking pixels.
- No marketing or fingerprinting scripts.
- No social-network share-button cookies (our share buttons are link-only).
4. Managing your preferences
You can change your cookie preferences at any time:
- From the Cookie preferences link in the footer of every page.
- From Settings → Privacy & AI once signed in.
- From your browser's cookie controls. Disabling strictly-necessary cookies will sign you out and block sign-in.
5. Do Not Track and Global Privacy Control
We honor the Global Privacy Control (GPC) signal as a valid opt-out of analytics cookies and as a Do-Not-Sell-or-Share request under California law. We do not respond to legacy DNT headers because the specification was never finalized.
6. Changes
If we add or remove a cookie, we update this page and bump the dates at the top. For material changes that would set a new category, we will surface a renewed consent prompt.
7. Contact
Questions: privacy@heykairo.io.