This Cookie Policy explains how Serena Labs ("we," "us") uses cookies and similar technologies on serenalabs.io and the authenticated application at serenalabs.io/app.
1. What Are Cookies?
Cookies are small text files stored on your device when you visit a website. They make websites work, improve performance, and provide information to operators.
2. Cookies We Use
Essential (always active)
| Cookie | Purpose | Duration |
|---|---|---|
| sb-vaipjewujamwmlddbzfb-auth-token | Supabase Auth session — keeps you signed in across serenalabs.io and companion.serenalabs.io | 10 days |
| sb-vaipjewujamwmlddbzfb-auth-token-code-verifier | PKCE code verifier used during OAuth (LinkedIn) and email-OTP sign-in | Session |
| serena_cookie_consent | Stores your cookie preferences | 12 months |
Functional (with consent)
| Cookie | Purpose | Duration |
|---|---|---|
| NEXT_LOCALE | Stores language preference (EN/ES) | 12 months |
Analytics (only with consent)
| Cookie | Provider | Duration |
|---|---|---|
| ph_* | PostHog (EU) — anonymized product analytics | 12 months |
| _ga, _ga_* | Google Analytics 4 — anonymized site analytics | 24 months |
Before you accept, both PostHog and Google Analytics run in cookieless / "denied" mode and do not store identifiers in your browser. We do not use advertising or marketing cookies.
3. Managing Cookies
Through our cookie banner on first visit, by clicking "Cookie Settings" in the footer, or via your browser's cookie settings. You can also clear the Supabase Auth session at any time by signing out from /app.
4. Third Parties
Third-party services that may set or read cookies on your behalf:
- Supabase (essential) — manages the authenticated session shared between serenalabs.io and the Companion subdomain.
- PostHog (only with consent) — anonymized product analytics in the EU.
- Google Analytics 4 (only with consent) — anonymized site analytics. Loads with Consent Mode v2 set to "denied" by default; identifiers are only set after you accept. International transfers are protected by Standard Contractual Clauses under Google's standard DPA.
- LinkedIn — when you choose to sign in with LinkedIn, LinkedIn may set its own cookies on
linkedin.comduring the OAuth handshake. We do not control or read those cookies; they are governed by LinkedIn's own cookie policy.
5. Changes
We may update this Cookie Policy. Material changes are reflected by updating the "Last updated" date.
6. Contact
For questions about cookies on our site, contact hello@serenalabs.io.