Cookie Policy
Effective date: March 17, 2026
1. Introduction
This Cookie Policy explains how Ayliea ("we", "our", "us") uses cookies, local storage, and similar technologies on our marketing website (ayliea.com) and in the Ayliea mobile application (the "App"). This policy should be read alongside our Privacy Policy.
2. What Are Cookies and Similar Technologies
Cookies are small text files stored on your device by your web browser. They are widely used to make websites work efficiently and to provide information to site operators. Similar technologies include local storage (AsyncStorage), encrypted device storage (expo-secure-store), and device identifiers used by analytics services.
3. Cookies and Storage We Use
3.1 Strictly Necessary Cookies and Storage
These cookies and storage mechanisms are essential for the Service to function and cannot be switched off. They are set in response to actions you take, such as signing in or setting preferences.
| Cookie / Storage | Purpose | Duration |
|---|---|---|
| Supabase auth session | Maintains your authenticated session in the App. On native devices (iOS/Android), session tokens are stored in expo-secure-store (hardware-backed encrypted storage). On web, session tokens are stored in secure cookies. | Until sign-out or session expiry |
| expo-secure-store | Encrypted credential and token storage on native devices (iOS Keychain, Android EncryptedSharedPreferences). Used exclusively for authentication tokens. | Until sign-out or app uninstall |
| AsyncStorage | Persists user preferences in the App, including theme selection (light/dark mode), CTA dismissal state, and consulting CTA state. | Until cleared by user or app uninstall |
| Cal.com cookies | When you use our scheduling widget to book a scoping call, Cal.com may set cookies to manage the scheduling session. | Session |
| Theme preference (website) | Remembers your light/dark mode preference for the website. | Persistent |
| sb-access-token / sb-refresh-token | Supabase authentication tokens stored as cookies in the web application. Used to maintain your authenticated session across page loads and API requests. | Until sign-out or session expiry |
| Framework selection | Remembers your selected compliance framework in the assessment app to restore your context between sessions. | Session |
| Assessment progress | Tracks in-progress assessment state (current category, answered questions) to enable save-and-resume functionality. | Session |
3.2 Analytics
Ayliea uses two analytics services to understand how visitors use the site:
Umami (privacy-respecting analytics) — Umami is a privacy-respecting analytics platform that:
- Collects no personally identifiable information (PII)
- Sets no cookies on your device
- Does not use browser fingerprinting
- Does not track users across websites
- Is fully GDPR, CCPA, and PECR compliant
Umami collects only anonymous, aggregated usage data (page views, referrer URLs, browser type, device type, country). No individual user can be identified from this data. Umami may not be active on all deployments.
Google Analytics — We use Google Analytics 4 to measure website traffic and usage patterns. Google Analytics sets cookies on your device to distinguish unique users and sessions.
| Cookie | Purpose | Duration |
|---|---|---|
| _ga | Distinguishes unique visitors | 2 years |
| _ga_* | Maintains session state | 2 years |
Google Analytics collects data such as pages visited, session duration, referral source, browser type, device type, and approximate geographic location (city-level). This data is processed by Google under their Privacy Policy. We do not enable Google's advertising features, user-ID tracking, or data sharing with other Google products.
PostHog (Web & App analytics) — We use PostHog for product analytics on our website and mobile App. PostHog assigns a pseudonymous identifier to track usage events (e.g., page views, feature usage, assessment completion). On the website, PostHog stores this identifier in localStorage and may set a cookie. On the mobile App, it uses a device-level identifier stored in local storage.
| Storage | Purpose | Duration |
|---|---|---|
| ph_* (localStorage) | Pseudonymous identifier and session data for website analytics | Until cookies cleared |
| PostHog device ID | Pseudonymous identifier for aggregated App usage analytics | Until app uninstall or data cleared |
If session recording is enabled on the website, all text and inputs are masked. We do not enable personal data enrichment features. PostHog processes data under their Privacy Policy.
3.3 Advertising Cookies
We do not use advertising cookies or any form of cross-site tracking. We do not participate in ad networks or retargeting programs.
4. Third-Party Cookies and Storage
The following third parties may set cookies or use storage when you use our website or App:
- Google — Google Analytics sets cookies to measure website traffic (see section 3.2 above). Google Fonts may also set cookies in connection with font delivery. See Google's Privacy Policy for details.
- Supabase — Manages authentication session tokens for the App. On web, Supabase sets secure cookies for session management. See Supabase's Privacy Policy for details.
- PostHog — Stores a pseudonymous identifier in localStorage on the website and a device identifier in the App for product analytics (see section 3.2 above). See PostHog's Privacy Policy for details.
- Cal.com— Our scheduling widget may set cookies in connection with the scheduling service. See Cal.com's privacy policy for details.
5. Consent Records
When you accept, reject, or customize your cookie preferences using the consent banner, we log the following information server-side to demonstrate valid consent as required by GDPR Article 7:
- The action you took (e.g., accept all, reject all, or save custom preferences)
- Your selected preference for each cookie category
- The consent version number (so we can correlate with policy changes)
- The date and time of your action
These logs do not contain your IP address or any other personally identifiable information. They cannot be used to identify you as an individual.
6. Managing Cookies
You can control cookies through your browser settings. Most browsers allow you to:
- View what cookies are stored and delete them individually
- Block third-party cookies
- Block cookies from specific sites
- Block all cookies
- Delete all cookies when you close your browser
Please note that blocking strictly necessary cookies may prevent some website features from functioning properly.
7. Do Not Track
We respect your privacy preferences. Our Umami analytics does not set cookies or track individual users regardless of your DNT setting. PostHog respects the Do Not Track browser signal — when DNT is enabled, PostHog will not capture analytics events. Google Analytics does not currently respond to DNT signals; however, you can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on, or by blocking cookies from googletagmanager.com in your browser settings.
8. Changes to This Policy
We will update this Cookie Policy when we add or change cookie usage. The effective date at the top of this page indicates when the policy was last revised.
9. Contact
If you have questions about our use of cookies, contact us at privacy@ayliea.com.