Cookie Notice
Effective: 7 May 2026
What this notice covers
This notice explains how BrainLoot uses cookies and similar technologies (localStorage, sessionStorage, IndexedDB, and pixel tags) on the BrainLoot website and app. It is provided in line with the UK Privacy and Electronic Communications Regulations (PECR) and UK GDPR. For the wider data-processing context, read the Privacy Notice.
How we ask for consent
On your first visit we show a consent banner. Strictly necessary storage runs without consent because it is essential to deliver the service you have asked for. Functional and analytics storage runs only when you opt in. You can change or withdraw consent at any time from the cookie preferences page or the “Manage cookies” link in the site footer.
Strictly necessary
These run without consent because they are essential to authentication, security, billing, and recording your preferences.
| Name | Provider | Purpose | Duration |
|---|---|---|---|
| Authentication ID token / refresh token | Google Cloud — first-party storage | Keeps you signed in. Without it, the app cannot authenticate requests. | Session and up to 1 year (refresh token rotated server-side) |
| App Check / reCAPTCHA Enterprise attestation | Google Cloud App Check / reCAPTCHA Enterprise | Confirms requests come from the legitimate BrainLoot web app to block abuse and bots. | Session |
| Stripe checkout / customer portal cookies (e.g. __stripe_mid, __stripe_sid) | Stripe Payments Europe Ltd. | Required to complete checkout, prevent payment fraud, and operate the customer billing portal. | Session up to 1 year |
| brainloot-consent-v1 (localStorage) | BrainLoot — first party | Records your cookie preferences so we don’t re-prompt every visit. | Up to 12 months |
Functional
These remember preferences (theme, default workspace, favourite decks) so the app loads in the state you expect. Off by default — you can opt in.
| Name | Provider | Purpose | Duration |
|---|---|---|---|
| brainloot-default-workspace, brainloot-favorite-decks-v1-* (localStorage) | BrainLoot — first party | Remembers your starred workspace and favourited decks so the app loads where you left off. | Until cleared by you |
| Theme and UI preferences (localStorage) | BrainLoot — first party | Remembers theme, sidebar state, and display preferences. | Until cleared by you |
Analytics
We use Google Analytics 4 to understand reliability and feature adoption in aggregate. We do not use it for behavioural advertising or to build cross-site profiles. Off by default — you can opt in.
| Name | Provider | Purpose | Duration |
|---|---|---|---|
| _ga, _ga_* (Google Analytics 4) | Google LLC | Aggregate usage measurement: page views, navigation, feature adoption. Enabled only with your consent. | Up to 2 years |
Third-party services you choose to use
Stripe sets its own cookies during checkout and the customer portal — these are essential to billing and fraud prevention; if you block them, payments will not work. Atlassian (Trello) sets its own cookies only when you initiate a Trello board import. Each provider operates under its own cookie notice.
Browser controls
You can also clear or block cookies and storage in your browser settings. Blocking strictly necessary storage will prevent BrainLoot from working. Where you have opted out of analytics, we do not load the analytics scripts at all.
Contact
Cookie or privacy questions: privacy@brainloot.app.