Skip to content
|--k>
Documentation Dashboard

Cookie Policy

Cookie Policy

Section titled “Cookie Policy”

Last updated: May 8, 2026

What Are Cookies?

Section titled “What Are Cookies?”

Cookies are small text files stored on your device when you visit a website. They help us provide a better user experience and understand how you use our service.

Cookies We Use

Section titled “Cookies We Use”

1. Essential Cookies (Required)

Section titled “1. Essential Cookies (Required)”

These cookies are necessary for the service to function. You cannot opt out.

Cookie NamePurposeDurationProvider
sb-*Supabase authentication sessionSession/persistentSupabase
__cf_bmCloudflare bot management30 minutesCloudflare
__Secure-csrfCSRF protectionSessionKopai

Why these are essential:

  • Authentication cookies (sb-*): Required for secure login and session management. Without these, you cannot access your account.
  • Security cookies (__cf_bm, __Secure-csrf): Protect against malicious attacks (DDoS, cross-site request forgery). Critical for platform security.

2. Analytics Storage (Optional - Requires Consent)

Section titled “2. Analytics Storage (Optional - Requires Consent)”

To understand how visitors interact with our marketing site we run a self-hosted OpenTelemetry Real User Monitoring (RUM) SDK in the browser. The SDK stays inactive until you click Accept All in the cookie banner. While analytics is enabled we use two browser-storage entries — these are technically localStorage / sessionStorage rather than HTTP cookies, but the ePrivacy Directive treats them the same way and they are listed here for transparency.

Storage keyStorage typePurposeDurationProvider
kopai-cookie-consentlocalStorageRecords your cookie banner choice (essential / analytics) so we don’t ask again on every pageUntil you withdraw consent or until the policy version is bumpedKopai
kopai-otel-sessionsessionStorageTab-scoped random UUID v4 (session.id) that lets us tell whether two analytics events came from the same browsing sessionDeleted automatically when you close the tabKopai

What session.id is and what it isn’t:

  • It is a random UUID generated in your browser (e.g. b6422eeb-e604-f625-ee90-3b1bc654d808). It contains no personal data.
  • It is tab-scoped: opening the site in two tabs creates two independent IDs. Closing the tab destroys the ID — there is no way for us to recognise you on a return visit.
  • It is not synced across devices, browsers, or to any account.

Data captured by the analytics SDK while consent is granted:

  • Page paths visited and the order you visited them (e.g. /, /blog/, /quickstart/)
  • Referrer page within kopai.app
  • Click events on the Sign up and Demo call-to-action buttons (button identifier and destination URL — not the surrounding text you typed)
  • Page-load performance (Web Vitals: LCP, FCP, CLS, INP, TTFB) and a list of static resources the page fetched
  • Browser metadata reported by your browser: user-agent string, preferred language, platform name, mobile flag
  • Display metadata: screen size, viewport size, device pixel ratio
  • Network class reported by your browser: effective connection type (e.g. 4g, 3g)
  • The session.id described above

What we do not capture:

  • We do not capture your IP address in the telemetry payload (Cloudflare necessarily sees it as part of any HTTP request, but it is not stored as a span attribute).
  • We do not capture form contents, search queries, keystrokes, mouse movements, or scroll positions.
  • We do not run third-party analytics (no Google Analytics, Plausible, Segment, etc.).
  • We do not capture JavaScript errors or stack traces from the marketing site.

Withdrawing consent mid-session:

You can withdraw analytics consent at any time via the Reject analytics button in the footer of every page (single click — no reload). The button flips the analytics flag in kopai-cookie-consent from true to false, the OTel SDK shuts down immediately, the kopai-otel-session entry is deleted from sessionStorage, and no further analytics events leave your browser until you re-grant consent. Re-granting consent in the same tab generates a new session.id — the old one is gone.

If you want to revisit your full cookie preferences (essential vs. analytics) instead of just opting out of analytics, the Cookie Settings button in the same footer resets the banner so you can choose again.

What we may capture about your network location:

If you visit Kopai through Cloudflare (the default for our production sites), your browser sends our analytics pipeline two coarse network attributes derived by Cloudflare from your IP address — never the IP itself:

AttributeSourceExamplePurpose
cloud.regionCloudflare cf-ipcountry response headerHR, DE, USCountry-level traffic distribution for capacity planning. ISO 3166-1 alpha-2 country code only — no city or coordinates.
cloudflare.coloCloudflare cf-ray response headerZAG, FRA, IADIdentifies which Cloudflare data centre served the request, used for performance debugging. Three-letter airport-style code.

Both are derived server-side by Cloudflare and forwarded to us via standard response headers; we read them in the browser and tag them on the same telemetry that the session.id is attached to. They are gated by the same analytics consent — when you reject analytics, neither is collected.

Legal basis: Your consent (GDPR Art. 6(1)(a); ePrivacy Directive Art. 5(3))

Managing Cookies

Section titled “Managing Cookies”
Section titled “Consent Management”

When you first visit Kopai, you’ll see a cookie consent banner. You can:

  • Accept all: Enable analytics cookies
  • Essential only: Only use required cookies
  • Manage preferences: Choose which cookies to enable

You can change your preferences anytime by clicking “Cookie Settings” in the footer.

Browser Settings

Section titled “Browser Settings”

You can also control cookies via your browser settings:

Chrome:

  1. Settings > Privacy and security > Cookies and other site data
  2. Choose “Block third-party cookies” or “Block all cookies”

Firefox:

  1. Settings > Privacy & Security > Cookies and Site Data
  2. Choose “Delete cookies and site data when Firefox is closed”

Safari:

  1. Preferences > Privacy > Cookies and website data
  2. Choose “Block all cookies”

Edge:

  1. Settings > Privacy, search, and services > Cookies
  2. Choose “Block third-party cookies”

Note: Blocking essential cookies will prevent you from logging in to your Kopai account.

Section titled “Cookie Duration”
  • Session cookies: Deleted when you close your browser
  • Persistent cookies: Stored for a specific period (see table above)
  • Revocation: You can delete all cookies anytime via browser settings

Third-Party Cookies

Section titled “Third-Party Cookies”

We use the following third-party services that may set cookies:

Supabase (Authentication)

Section titled “Supabase (Authentication)”
  • Purpose: User authentication and session management
  • Data collected: Email, user ID, session tokens
  • Privacy policy: Supabase Privacy Policy
  • Cookie control: Essential - cannot be disabled without losing login functionality

Cloudflare (CDN & Security)

Section titled “Cloudflare (CDN & Security)”
  • Purpose: Content delivery, DDoS protection, TLS termination
  • Data collected: IP address, user agent, request patterns
  • Privacy policy: Cloudflare Privacy Policy
  • Cookie control: Essential - required for site security and performance

Your Rights Under GDPR

Section titled “Your Rights Under GDPR”

You have the right to:

  • Withdraw consent: Change your cookie preferences at any time
  • Access information: Request details about cookies we use
  • Data portability: Receive your data in machine-readable format
  • Lodge a complaint: Contact the Croatian DPA (AZOP) at https://azop.hr

For cookie-related questions or to exercise your rights, contact: hello@kopai.app

Changes to This Policy

Section titled “Changes to This Policy”

We may update this Cookie Policy to reflect:

  • Changes in cookie usage
  • New features or analytics tools
  • Legal or regulatory requirements
  • User feedback and improvements

Notification:

  • Material changes: Email notification 30 days in advance
  • Minor changes: Updated “Last updated” date only

Children’s Privacy

Section titled “Children’s Privacy”

Kopai does not knowingly collect data from individuals under 16 years of age. If you are under 16, please do not use our service without parental consent.

Contact

Section titled “Contact”

For questions about our cookie usage or to exercise your privacy rights:

Email: hello@kopai.app

Data Protection Authority: Croatian Personal Data Protection Agency (AZOP) Selska cesta 136, HR-10 000 Zagreb Website: https://azop.hr

This cookie policy complies with the EU Cookie Directive (ePrivacy Directive 2002/58/EC), GDPR, and Croatian data protection law.