Cookie Policy
Effective date: June 5, 2026
Overview
This policy covers cookies and similar technologies (local storage) across the xpntl
marketing site (xpntl.dev) and the application (app.xpntl.dev).
We keep tracking to a minimum: the only cookies we set ourselves are strictly necessary for the
app to work. Analytics is limited, privacy-respecting, and — on the marketing site — only runs
with your consent. We do not use advertising, remarketing, or cross-site tracking
cookies, and we never sell your data.
What We Use
| Name | Where | Purpose | Duration | Category |
|---|---|---|---|---|
xpntl_session |
App | Authentication session — identifies your signed-in session | Rolling; expires on idle timeout / sign-out | Strictly necessary |
xp-theme, xp-theme-mode |
Marketing site / App | Remembers your light/dark theme preference (local storage) | Until cleared | Preferences |
xp-consent |
Marketing site | Remembers your analytics consent choice so we don’t ask again (local storage) | Until cleared | Preferences |
_ga, _ga_08TTY2V014 |
Marketing site | Google Analytics 4 — aggregate, anonymous usage stats. Set only after you accept. | Up to 2 years | Analytics (consented) |
| none | App | Azure Application Insights — product & performance telemetry. Configured cookieless: it sets no cookies. | — | Analytics (cookieless) |
Analytics & Consent
On the marketing site, Google Analytics is governed by Google Consent Mode. Analytics storage is denied by default — no analytics cookies are set and no usage is recorded until you choose Accept on the cookie banner. Choosing Reject keeps it off. Advertising signals are always denied.
In the application, we use Azure Application Insights for product and performance telemetry (which pages and features are used, error rates, latency). It runs cookieless and is first-party operational telemetry covered by our Privacy Policy.
What We Don't Use
- No advertising, remarketing, or conversion-tracking cookies
- No social media tracking pixels
- No cross-site or cross-device tracking
- No sale or sharing of personal data for advertising
Third Parties
Our analytics processors are Google (Google Analytics 4, marketing site) and Microsoft Azure (Application Insights, app). When you sign in with SSO (Google, GitHub, Microsoft), those providers may set their own cookies during the authentication redirect, and Stripe may set cookies in the billing portal — refer to each provider’s policy (e.g. Stripe’s Privacy Policy). We don’t control third-party cookies.
Managing Your Choices
- Marketing-site analytics: use the cookie banner’s Accept / Reject. To change your choice later, clear this site’s storage in your browser and the banner returns.
- Strictly-necessary cookies can’t be turned off without breaking sign-in.
- You can clear or block cookies any time via your browser settings.