Cookie Policy

• sb-access-token / sb-refresh-token, authenticate your session with Supabase. Httponly, Secure, SameSite=Lax. Expire on logout.
• henedo-sid, session identifier for authenticated API calls. Required for heartbeat and session validation.
• henedo-csrf, CSRF token, used to protect form submissions.

• No advertising cookies.
• No cross-site tracking or user fingerprinting.
• No third-party analytics by default (Plausible, which is cookie-less, is used for aggregate page-view counts only).
• No Facebook pixel, no Google Analytics, no LinkedIn Insight Tag.

Henedo uses browser IndexedDB to store your device-bound Account Secret Key (ASK), protected by WebAuthn PRF where available. This is not a cookie and is never sent to our servers. If you clear site data, you will need to re-activate your device via the recovery flow.

Questions: privacy@henedo.com.