1. What is a cookie?
A cookie is a small text file your browser stores on your device when you visit a website. We also use related technologies (localStorage, sessionStorage) for similar purposes; for brevity we refer to all of these as “cookies” below.
2. The cookies we set
We use only the cookies necessary to deliver the Service plus a small number of functional cookies for security and error monitoring. We do not use advertising cookies, and we do not embed third-party trackers.
2.1 Strictly necessary
- sb-<ref>-auth-token — the Supabase authentication session. Required to keep you signed in and to authorise every API call. First-party, HttpOnly, SameSite=Lax. Expires when the underlying refresh token expires.
- frameshot-sub — a 60-second HMAC-signed cookie that lets the edge middleware verify your subscription state without a database round-trip on every navigation. First-party, HttpOnly, SameSite=Strict.
- cf_clearance / __cf_bm — Cloudflare security cookies set during bot challenges. Set by Cloudflare, not by Frameshot. Required for the Service to be reachable.
2.2 Functional
- Sentry session-replay (when enabled) — error-monitoring identifiers used to correlate stack traces with the user-visible error. Personal data is scrubbed before transmission. Disabled in development; subject to our redaction layer in production.
- localStorage: zustand stores — UI state such as the current canvas view, recent prompts, and the timeline scrub position. Stays on your device; not transmitted to our servers.
2.3 What we do NOT use
Frameshot does not currently set advertising cookies, embed third-party social-network trackers, or use cross-site retargeting pixels. If we ever introduce optional analytics, we will surface a consent banner before any non-essential cookie is set.
3. How to control cookies
4. Updates
When we add or remove cookies, we update this page. The “Last updated” date at the top of the page reflects the most recent change.
5. Contact
Questions about cookies? privacy@frameshot.ai.