Legal
Cookie Policy
Last updated: 19 May 2026
We use the bare minimum of cookies — only those that are strictly necessary to make the service work. We do not use analytics cookies, marketing cookies or third-party tracking cookies. That’s why you don’t see a cookie banner.
What cookies we use
| Cookie | Purpose | Lifetime |
|---|---|---|
| sb-*-auth-token | Keeps you signed in across page loads. Set by Supabase, our authentication provider. | Up to 1 year, refreshed on use |
| sb-*-auth-token-code-verifier | Used during email-confirmation sign-in to complete the OAuth PKCE handshake. Set by Supabase. | Short-lived (minutes) |
These cookies are classified as strictly necessary under the UK Privacy and Electronic Communications Regulations (PECR) — without them, you cannot sign in or stay signed in. They do not require consent.
What we deliberately do NOT use
- Analytics cookies — no Google Analytics, Plausible, Mixpanel, etc.
- Marketing or advertising cookies — none.
- Social media trackers — none.
- Session replay tools — none.
- Third-party iframes on the marketing pages — none.
If we ever add any of the above, this page will be updated before the new cookies are set, and we will introduce a consent banner that meets PECR requirements (informed, specific, freely-given consent that you can withdraw as easily as you gave it).
Server-side request data
Separately from cookies, our rate-limiting layer (powered by Upstash) stores your user ID and request timestamps in memory for up to 24 hours. This is not a cookie; it is a server-side counter. It exists to stop a single account accidentally running up large AI bills. See our Privacy Policy for full detail.
How to clear cookies
You can clear GrantSpark cookies at any time from your browser’s settings. Clearing them will sign you out; everything else continues to work.
Questions
Email hello@grantspark.co.uk if you’d like clarification.
See also our Terms of Service, Privacy Policy and AI Disclaimer.