Cookie Policy

Last updated: 2026-05-09

This Cookie Policy explains how Lexborn uses cookies and similar technologies (collectively, "cookies") on lexborn.app. It supplements and should be read together with our Privacy Policy, which describes how we process personal data more generally. The provider of the Service is Bapusaheb Patil trading as Nuits, Y-tunnus 3584845-8 — see /imprint.

What is a cookie?

A cookie is a small text file that a website places on your device. We also use related browser-storage technologies (localStorage, sessionStorage) and server-set tokens; we treat all of these as "cookies" for the purposes of this policy and the EU ePrivacy Directive 2002/58/EC and its Finnish implementing law (Sähköisen viestinnän palveluista annettu laki 917/2014).

Categories of cookies we use

We use four categories. Only the Necessary category is set without your consent. Everything else is opt-in via the cookie banner shown on your first visit and re-shown on policy version bumps.

Necessary

These cookies are strictly necessary to provide the Service you have requested (account sign-in, session continuity, and anti-CSRF protection). They cannot be disabled because the Service cannot function without them, and they are exempt from consent under Article 5(3) of the ePrivacy Directive ("strictly necessary" carve-out).

Functional

These remember preferences such as your colour theme and your previous cookie-consent choice so we do not nag you every visit. We set them only when you opt in, except for the consent-record itself, which we set as soon as you make any choice (including "decline all") in order to honour that choice.

Analytics

Product-analytics events recorded through PostHog hosted on its EU instance (eu.i.posthog.com). Off by default. Off automatically when your browser sends a Global Privacy Control (GPC) signal. Opt-in only. Used to understand which features are broken or under-used so we can improve them.

Marketing

We do not use marketing or advertising cookies. We do not run third-party advertising on the Service and do not place advertising-network tags. If this changes, we will update this policy and ask for fresh consent before any marketing cookie is set.

Cookie table

| Name | Provider | Purpose | Type | Duration |
|---|---|---|---|---|
| __clerk_db_jwt | Clerk (clerk.com) | Authenticated session JWT — keeps you signed in. | Necessary | Session (rotated) |
| __client_uat | Clerk | Tracks the timestamp of your last sign-in for session-validity checks. | Necessary | 1 year |
| __refresh_<id> | Clerk | Refresh token for renewing the session JWT without re-prompting for credentials. | Necessary | Up to 30 days |
| __session | Clerk | Short-lived session token used by Clerk's edge middleware. | Necessary | Session |
| csrf_token | Lexborn (lexborn.app) | Anti-cross-site-request-forgery token for state-changing requests. | Necessary | Session |
| theme (localStorage) | Lexborn | Stores your light/dark/system theme preference. | Functional | Until cleared |
| lexborn-cookie-consent-v1 (localStorage) | Lexborn | Stores your cookie-consent decision and the policy version it was given against. | Functional (consent-record) | 12 months, then re-prompt |
| ph_<project_id>_posthog | PostHog (eu.i.posthog.com) | Anonymous distinct-id, session-id, and feature-flag exposure for product analytics. | Analytics (opt-in) | 12 months |
| ph_<project_id>_window_id | PostHog | Tab/window identifier for session-stitching. | Analytics (opt-in) | Session |

We do not set any third-party advertising cookies and we do not participate in any cross-site tracking network.

How we use the consent record

When you make a choice in the cookie banner we record (i) the choice itself, (ii) the timestamp, (iii) the policy version in force at the time, (iv) the banner version, and (v) a hashed device identifier. This record is stored locally in lexborn-cookie-consent-v1 and mirrored to our Convex database under the consentLogs table, with an append-only audit trail. We do this to demonstrate compliance with Articles 5(2) and 7(1) of the GDPR.

Changing your choices

You can change your choices any time from Settings → Privacy in the app, which re-opens the cookie banner. Setting your browser to send a Global Privacy Control (GPC) signal will automatically force the analytics category off, regardless of any earlier opt-in.

Cookie banner mechanics

The banner offers three buttons: Accept all, Reject non-essential, and Manage preferences (per category). The banner is shown:

  • on your first visit;
  • whenever you clear browser storage or sign in from a new device;
  • when the cookie-policy version changes (we re-prompt for consent on every version bump);
  • 12 months after your last consent decision, to obtain a fresh choice.

There is no "implied consent" by continued browsing; the banner is non-blocking but the analytics category remains off until you actively opt in.

Do Not Sell or Share My Personal Information (California residents)

This section is for residents of California and is provided in compliance with the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act ("CCPA/CPRA"), codified at Cal. Civ. Code §§1798.100 et seq.

We do not "sell" personal information. We do not exchange your personal information for monetary or other valuable consideration with any third party.

We do not "share" personal information for cross-context behavioural advertising. We do not run targeted advertising and do not place advertising tags or "share" personal information with advertising networks for the purpose of building cross-site profiles.

We honour the Global Privacy Control (GPC) signal as a valid opt-out request for any future "selling" or "sharing" should our practices ever change. The GPC signal is also treated as an opt-out from analytics cookies under this policy.

We do not knowingly sell or share the personal information of consumers who are under 16 years of age.

If you would still like to formally exercise your CCPA/CPRA rights to opt out, to know, to delete, to correct, or to limit use of sensitive personal information, please email hi@lexborn.app with the subject line "California Privacy Rights" and the email address associated with your account. We will verify your identity through the email on file and respond within 45 days, extendable by a further 45 days where reasonably necessary.

You have the right to designate an authorised agent to make a request on your behalf. We will require a signed written authorisation and may ask you to verify your own identity directly.

You have the right to non-discrimination for exercising your CCPA/CPRA rights; we will not deny service, charge different prices, or provide a different level of quality because you exercised them.

Contact

For any questions about this Cookie Policy, to exercise your rights, or for general support, email hi@lexborn.app. Legal-entity details are at /imprint.