Cookies Policy

Viper Web uses cookies and similar storage mechanisms (localStorage, sessionStorage). This explains what we store and why.

1. Cookies we use

Necessary

• sb-access-token — Supabase Auth session token. Without it you can't stay signed in. HttpOnly, Secure, SameSite=Lax.
• sb-refresh-token — refresh token to renew the session without prompting you to sign in again.

Functional

• viper-theme — theme preference (dark by default).
• viper-locale — chosen language (default: en).

Analytics

We use PostHog for product analytics:

• ph_<api_key>_posthog — entry in localStorage. Technically not a cookie, but it serves the same function: a PostHog session identifier tied to your Supabase UUID.
• Possible PostHog cookies set via the reverse-proxy on the vipersquad.app domain.
• For more detail, see § Analytics and telemetry in the privacy policy.

2. Local storage

We use localStorage to store non-sensitive UI preferences (panel collapse states, scroll positions). We never store passwords or tokens in browser localStorage.

3. Sub-processors and third-party cookies

If you open the app from a mobile device, OAuth providers (Discord, Google) may set their own cookies on their domains during login. Those cookies live on the provider's domain, not on vipersquad.app, and are governed by their respective policies. PostHog Inc. receives events via our reverse-proxy (it does not inject cross-domain scripts).

4. How to disable them

Necessary cookies can't be disabled — without them you can't use the app. Functional ones you can clear from your browser settings; the app will use defaults. To opt out of analytics, write to us (see § Analytics in the privacy policy).

5. Contact

Questions: privacy@vipersquad.app.