Legal

Cookie Policy

Last updated: July 10, 2026

1. The Short Version

PulsAPI uses only first-party, strictly-necessary cookies — the ones that keep you signed in — plus a few local-storage entries for preferences like your theme. We do not use advertising cookies, cross-site trackers, or third-party analytics. Because of this, nothing we store in your browser requires opt-in consent under the GDPR or the ePrivacy Directive; we still show a notice and record your choices for transparency and to gate anything we might add in the future.

2. What We Store, Exactly

NameTypePurposeDurationCategory
pb_accessCookie (httpOnly)Short-lived session token that keeps you signed in. Sent only to our API, never readable by JavaScript.15 minutesStrictly necessary
pb_refreshCookie (httpOnly)Long-lived token used to silently renew your session so you don't have to sign in every 15 minutes.45 daysStrictly necessary
pb_token / pb_userLocal storageFallback session token and cached profile for API clients and environments without cookie support. Cleared on sign-out.Until sign-outStrictly necessary
themeLocal storageRemembers your light/dark appearance preference.Until clearedFunctional
pb_consentLocal storageRecords the privacy choices you made in the consent notice, so we don't ask again and can honor them.Until clearedStrictly necessary

Auth cookies are httpOnly (JavaScript cannot read them), SameSite=Strict (they are never sent on cross-site requests), Secure in production, and scoped to our API path only.

3. What We Don't Use

  • No third-party advertising or retargeting cookies
  • No cross-site tracking or fingerprinting
  • No third-party analytics scripts (e.g., Google Analytics)
  • No social media pixels

If we ever introduce optional product analytics, it will stay off unless you explicitly enable it in Your Privacy Choices, and this policy will be updated first.

4. Third-Party Services That Set Their Own Cookies

Two flows hand off to third parties which may set cookies under their own policies:

  • Stripe — when you open the billing checkout, Stripe may set cookies for payment processing and fraud prevention (see Stripe's Privacy Policy).
  • Google / GitHub sign-in — if you authenticate with Google or GitHub, those providers use their own cookies during the OAuth flow.

5. Managing Cookies

You can review your choices anytime on Your Privacy Choices, and you can delete or block cookies through your browser settings. Blocking the strictly-necessary cookies will prevent you from staying signed in. We also honor the Global Privacy Control browser signal as an opt-out of any sale or sharing of personal information (we don't sell or share either way).

6. Contact

Questions about this policy? Email privacy@pulsapi.com or see our full Privacy Policy.

Cookie Policy – PulsAPI