Legal
Cookie Policy
Last updated: May 25, 2026
The short version
WorkReceipt only uses cookies that are strictly necessary to keep you logged in. We do not use advertising cookies, tracking pixels, or analytics cookies. No data is shared with third-party ad networks.
What are cookies?
Cookies are small text files stored on your device when you visit a website. They are widely used to make websites work, remember your preferences, and in some cases to track your activity across sites for advertising purposes.
Not all cookies are the same. This policy explains exactly which cookies WorkReceipt uses — and why we use only the minimum necessary.
What cookies we use
WorkReceipt uses one category of cookies only: authentication cookies. These are set by Supabase (our authentication provider) when you sign in and are required for the service to function.
| Cookie | Purpose | Duration |
|---|---|---|
| sb-access-token | Keeps you signed in to your WorkReceipt account | 1 hour (auto-refreshed) |
| sb-refresh-token | Allows your session to be refreshed without re-entering your password | Up to 7 days |
Both cookies are httpOnly and Secure — they cannot be read by JavaScript running on the page, which protects against cross-site scripting attacks.
What we do not use
- ✓Analytics or usage tracking cookies (Google Analytics, Mixpanel, Hotjar, etc.)
- ✓Advertising or retargeting cookies (Meta Pixel, Google Ads, etc.)
- ✓Third-party social media tracking cookies
- ✓Fingerprinting or device identification scripts
- ✓Any cookie that persists after you close your browser (except the refresh token)
Public report pages
WorkReceipt report links (at workreceipt.app/r/[token]) are publicly accessible and do not require a login. No authentication cookies are set when a customer views a shared report. No tracking of any kind is applied to public report viewers.
Third-party services
WorkReceipt uses a small number of third-party services to operate:
- Supabase — our database and authentication provider. Auth tokens are managed via httpOnly cookies. Supabase's privacy policy is at supabase.com/privacy.
- Stripe — payment processing. Stripe may set its own cookies during checkout flows. These are strictly necessary for payment processing and are governed by Stripe's privacy policy at stripe.com/privacy.
- Netlify — our hosting provider. May set session cookies for edge-function routing. These contain no personal data.
Your choices
Because we only use strictly necessary cookies, there is no cookie consent banner on WorkReceipt — there is nothing optional to consent to. If you delete your browser cookies, you will be signed out of your account and will need to sign in again.
You can configure your browser to block all cookies, but this will prevent you from logging in to WorkReceipt. Public report pages will continue to work without cookies.
Changes to this policy
If we ever introduce new cookies — for example, if we add an analytics tool in the future — we will update this page and notify logged-in users by email before the change takes effect. We will always explain what is being added and why.
Contact
Questions about cookies or your privacy? Email us at support@workreceipt.app.