Cookie and Data Collection Policy
Effective Date: April 15, 2026 · Last Updated: April 15, 2026
This Cookie and Data Collection Policy explains how Lisle.ai ("Lisle," "we," "us," or "our") uses cookies, local storage, and server-side data collection on our website and application at lisle.ai. It covers what data we collect, why we collect it, how long we keep it, and how you can control it.
This policy should be read alongside our Privacy Policy and Terms of Service.
1. What Are Cookies
Cookies are small text files that a website stores on your device when you visit. They help the site remember information about your visit, like your login session or display preferences. Some cookies are set by us directly (first-party cookies), while others may be set by services we use (third-party cookies).
We also use local storage, a similar browser technology that stores small amounts of data on your device. Local storage works like cookies but does not expire automatically and is not sent to our servers with every request. We mention local storage alongside cookies throughout this policy because it serves similar purposes and you have similar controls over it.
2. Types of Cookies and Local Storage We Use
2.1 Strictly Necessary Cookies
These cookies are essential for the application to function. They cannot be disabled without breaking core features like logging in or maintaining your session. Under GDPR and the ePrivacy Directive, strictly necessary cookies do not require consent.
Supabase Authentication Cookies
We use Supabase for user authentication. When you log in, Supabase sets one or more cookies that follow the sb-* naming pattern. These cookies contain your encrypted session token and are required to keep you logged in as you navigate between pages. They are HttpOnly, Secure, and use the SameSite=Lax attribute to protect against cross-site request forgery.
Cookie Consent Acknowledgment
We store your acknowledgment of our cookie notice in browser local storage under the key lisle:cookie-consent. This records that you have seen and dismissed the informational banner.
Global Privacy Control (GPC) Acknowledgment
If your browser sends a GPC signal (the Sec-GPC: 1 header), our middleware sets a gpc_honored cookie to record that we received and are honoring your privacy preference. This cookie is readable by client-side code so we can reflect your opt-out status in the user interface.
2.2 Functional Cookies and Local Storage
Functional cookies and local storage items remember your preferences and improve your experience. They do not track you across websites.
- Theme Preference — We store your light or dark mode preference in browser local storage under the key lisle:theme.
- Trial Banner Dismissal — If you dismiss the free trial countdown banner, we store that dismissal in local storage so the banner does not reappear during the same trial period.
- First Login of Day — We store the date of your last daily login check in local storage under lisle:first-login-date. This is used to trigger daily personalized insights and does not leave your device.
2.3 Analytics and Performance Cookies
Sentry Error Monitoring
We use Sentry to detect, diagnose, and fix software errors. Sentry may set cookies or use local storage to correlate error reports across page loads within a single session. Sentry collects JavaScript error details (stack traces, error messages), browser type and operating system, the URL where the error occurred, and performance timing data.
Sentry Session Replay — Currently Disabled
Sentry Session Replay (which records a reconstruction of your browsing session) is currently disabled on Lisle.ai. We disabled it prior to launch because financial screens may contain nonpublic personal information (NPI) that should not be captured without explicit consent mechanisms. We will not re-enable session replay until we have implemented appropriate text masking, media blocking, and a proper consent flow for financial screens.
2.4 Third-Party Cookies
We do not use advertising cookies, social media tracking pixels, or any cross-site tracking technology. We do not use Google Analytics, Facebook Pixel, or any third-party behavioral advertising network.
However, two third-party services may set their own cookies during specific user interactions:
Stripe (Payment Processing)
When you subscribe or update your payment method, Stripe may set cookies on its own domain to prevent fraud and manage your payment session. These cookies are governed by Stripe's privacy policy, not ours. Stripe cookies are only active during the payment flow.
Plaid (Bank Account Linking)
When you connect a bank account through Plaid Link, Plaid may set cookies within its interface on its own domain to manage the bank linking session and prevent fraud. These cookies are governed by Plaid's privacy policy. Plaid cookies are only active during the bank-linking flow.
3. Server-Side Data Collection
In addition to cookies and local storage, we collect certain data on our servers. This data is not stored on your device but is relevant to your privacy.
3.1 Behavioral Event Tracking
We collect behavioral events to understand how people use Lisle and to improve the product. These events are stored in our database (Supabase Postgres), not in cookies. Events include page views, feature usage, session duration, and device type (derived from screen width, not device fingerprinting). We do not sell this data or share it with third parties for advertising.
3.2 Audit Logs
For compliance with the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule, we maintain audit logs that record IP address, user agent, action performed, and timestamp for sensitive actions or when administrative staff accesses your account data. These logs are retained for 7 years and are accessible only to authorized personnel.
3.3 Rate Limiting
We use Upstash Redis to enforce rate limits on API requests. Rate limiting uses server-side counters keyed to your authenticated user ID. No cookies are set on your device for rate limiting purposes.
3.4 Background Jobs
We use QStash for scheduling background jobs such as nightly financial data synchronization and embedding refreshes. These jobs run entirely on our servers and do not set cookies or collect data from your device.
4. Cookie Reference Table
| Cookie / Key | Provider | Purpose | Type | Duration |
|---|---|---|---|---|
| sb-<ref>-auth-token | Supabase | Authentication session token. Keeps you logged in. | Strictly Necessary | Session (expires on logout) |
| sb-<ref>-auth-token-code-verifier | Supabase | PKCE code verifier for secure OAuth flows. | Strictly Necessary | Temporary (cleared after OAuth callback) |
| gpc_honored | Lisle.ai | Records that your GPC signal was detected and honored. | Strictly Necessary | 1 year |
| lisle:cookie-consent | Lisle.ai | Records that you acknowledged the cookie notice banner. | Strictly Necessary | Persistent (local storage) |
| lisle:theme | Lisle.ai | Stores your light/dark mode preference. | Functional | Persistent (local storage) |
| lisle:first-login-date | Lisle.ai | Stores the date of your last daily login for insight triggers. | Functional | Persistent (local storage) |
| Sentry cookies (various) | Sentry | Error monitoring session correlation. Session Replay is currently disabled. | Analytics | Up to 1 year |
| Stripe cookies (various) | Stripe | Fraud prevention and payment session management during checkout only. | Third-Party | Varies (see Stripe's policy) |
| Plaid cookies (various) | Plaid | Bank linking session management and fraud prevention during linking only. | Third-Party | Varies (see Plaid's policy) |
5. How to Control Cookies
5.1 Browser Settings
Most web browsers allow you to view, delete, and block cookies through their settings. Be aware that blocking strictly necessary cookies (the sb-* authentication cookies) will prevent you from logging into Lisle.
- Chrome: Settings > Privacy and Security > Cookies and other site data
- Firefox: Settings > Privacy & Security > Cookies and Site Data
- Safari: Settings > Privacy > Manage Website Data
- Edge: Settings > Cookies and site permissions > Manage and delete cookies
5.2 Our Cookie Notice Banner
When you first visit Lisle, we display an informational banner letting you know we use essential cookies only for authentication. You can dismiss this banner by clicking "Got it." Because Lisle uses only strictly necessary cookies for its core functions, we do not present a multi-tier consent mechanism. If we add non-essential cookies in the future, we will implement a full consent management interface before activating them.
5.3 Global Privacy Control (GPC)
The most effective way to signal your privacy preferences is through Global Privacy Control. See Section 6 below for details.
6. Global Privacy Control (GPC)
6.1 What Is GPC
Global Privacy Control is a browser-level signal (sent via the Sec-GPC: 1 HTTP header) that tells websites you do not want your personal data sold or shared and that you want to limit data collection to what is strictly necessary. GPC is recognized under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) as a valid opt-out signal.
6.2 How We Detect GPC
Our server middleware checks every incoming request for the Sec-GPC: 1 header. When detected, we set the gpc_honored cookie on your device with a one-year expiration so our client-side code can reflect your preference across page loads.
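The detection step described above, as an added illustration that is not Lisle.ai's own middleware: a framework-free Node.js function that recognizes the Sec-GPC: 1 header, builds the one-year gpc_honored cookie (readable by client code, so not HttpOnly, but Secure and SameSite=Lax), and tells the rest of the request pipeline to switch to minimal collection. The "analyticsMode" return value and the header-object shape are assumptions for the example.

```javascript
// Added example (not Lisle.ai's own code): honor a Global Privacy Control signal.
// Works with plain Node.js request headers (lowercased names, as http.IncomingMessage gives them).
const GPC_COOKIE_NAME = "gpc_honored";
const ONE_YEAR_SECONDS = 365 * 24 * 60 * 60; // policy states a one-year expiration

// The GPC specification defines the opt-out as exactly "Sec-GPC: 1";
// any other value (or a missing header) is not an opt-out.
function hasGpcSignal(headers) {
  const value = headers["sec-gpc"];
  // Tolerate a duplicated header delivered as an array; take the first value.
  const raw = Array.isArray(value) ? value[0] : value;
  return typeof raw === "string" && raw.trim() === "1";
}

// Build the Set-Cookie value. Deliberately NOT HttpOnly: the policy says client-side
// code reads this cookie to reflect opt-out status in the UI. Secure keeps it off
// plaintext HTTP and SameSite=Lax keeps it from being sent on cross-site subrequests.
function buildGpcCookie() {
  return [
    `${GPC_COOKIE_NAME}=1`,
    `Max-Age=${ONE_YEAR_SECONDS}`,
    "Path=/",
    "Secure",
    "SameSite=Lax",
  ].join("; ");
}

// Middleware-style decision: returns the Set-Cookie header to add (or null) and the
// data-collection mode ("minimal" or "standard", an assumed name) for this request.
// The cookie is rebuilt on every request that carries the signal, which refreshes
// its expiry while GPC stays active, matching the retention table in this policy.
function handleGpc(requestHeaders) {
  if (hasGpcSignal(requestHeaders)) {
    return { setCookie: buildGpcCookie(), analyticsMode: "minimal" };
  }
  return { setCookie: null, analyticsMode: "standard" };
}

// Constructed sample request headers, as a browser with GPC enabled would send them.
const sampleHeaders = { host: "example.invalid", "sec-gpc": "1" };
console.log(handleGpc(sampleHeaders));
```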
6.3 What Happens When GPC Is Detected
- We honor it as a valid opt-out under CCPA/CPRA — equivalent to a "Do Not Sell or Share My Personal Information" request.
- We minimize non-essential data collection, including reducing the scope of behavioral analytics where technically feasible.
- We do not override your signal. We will never ask you to disable GPC or present a pop-up requesting you to change your preference.
6.4 How to Enable GPC
- Firefox: Settings > Privacy & Security > "Tell websites not to sell or share my data"
- Brave: Enabled by default
- DuckDuckGo browser: Enabled by default
- Privacy Badger extension: Supports GPC
- OptMeowt extension: Dedicated GPC extension for Chrome, Firefox, and Edge
You can verify your GPC setting is active at globalprivacycontrol.org.
7. Do Not Track (DNT)
Do Not Track is an older browser signal that predates GPC. There is no legal standard requiring websites to honor DNT, and major browsers have been deprecating it. We do not currently take specific action based on the DNT header alone. We recommend using GPC instead of DNT because GPC has legal force under California law and is actively supported by privacy-focused browsers.
8. Third-Party Privacy Policies
| Service | Role | Privacy Policy |
|---|---|---|
| Supabase | Authentication, database, and backend infrastructure | supabase.com/privacy |
| Stripe | Payment processing and subscription billing | stripe.com/privacy |
| Plaid | Bank account linking and financial data aggregation | plaid.com/legal |
| Sentry | Error monitoring (Session Replay currently disabled) | sentry.io/privacy |
| Vercel | Website hosting and content delivery | vercel.com/legal/privacy-policy |
| Upstash | Rate limiting (server-side only, no cookies) | upstash.com/trust/privacy |
| Anthropic | AI assistant (server-side API calls only, no cookies) | anthropic.com/privacy |
9. Cookie Retention Periods
| Cookie / Storage Item | Retention Period |
|---|---|
| sb-*-auth-token | Session-based; refreshed on each authenticated request. Cleared on logout. |
| sb-*-auth-token-code-verifier | Temporary — automatically cleared after OAuth or magic-link callback completes. |
| gpc_honored | 1 year (365 days). Refreshed on each visit if GPC signal is still active. |
| lisle:cookie-consent | Indefinite (local storage). Persists until you manually clear browser local storage. |
| lisle:theme | Indefinite (local storage). Persists until you clear browser data or change the setting. |
| lisle:first-login-date | Indefinite (local storage). Stores only a date string. |
| Sentry cookies | Up to 1 year. Session Replay is currently disabled. |
| Stripe cookies | Set only during active checkout. Refer to Stripe's cookie policy. |
| Plaid cookies | Set only during active bank linking. Refer to Plaid's privacy policy. |
10. California Residents: Your CCPA/CPRA Rights
If you are a California resident, the CCPA and CPRA provide you with specific rights regarding your personal information:
- Right to know: You can request what personal information we collect and how we use it.
- Right to delete: You can request deletion of your personal information, subject to certain exceptions.
- Right to opt out of sale or sharing: We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. Sending a GPC signal is an effective way to assert this right.
- Right to non-discrimination: We will not discriminate against you for exercising your privacy rights.
- Right to correct: You can request correction of inaccurate personal information.
- Right to limit use of sensitive personal information: We use sensitive personal information (financial data) only to provide the services you requested.
To exercise any of these rights, contact us at privacy@lisle.ai or use the account deletion feature in your Lisle.ai account settings.
11. Updates to This Policy
We may update this Cookie and Data Collection Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make changes, we will update the "Last Updated" date at the top of this page. For significant changes (such as adding new categories of cookies), we will notify you through an in-app notice or email before the changes take effect. We will never retroactively reduce your privacy protections without your consent.
12. Contact Information
If you have questions about this Cookie and Data Collection Policy, our use of cookies, or your privacy rights, please contact us:
- Email: privacy@lisle.ai
- Subject line: Cookie Policy Inquiry
We aim to respond to all privacy-related inquiries within 10 business days. For CCPA/CPRA rights requests, we will respond within 45 calendar days as required by law.
This policy applies to the Lisle.ai web application hosted at lisle.ai and does not cover third-party websites or services linked from our application. We are not responsible for the privacy practices of those third parties.