Cookie & Tracking Policy
Last updated: May 2026
What we don’t do
Loocero does not use:
- Tracking cookies.
- Analytics cookies (no Google Analytics, Plausible, Posthog, Mixpanel, or similar).
- Advertising pixels (no Meta, Google Ads, TikTok, Reddit, LinkedIn, or similar).
- Session-replay tools (no FullStory, Hotjar, Microsoft Clarity, or similar).
- Cross-site behavioral tracking of any kind.
- Third-party scripts on the public landing pages.
A continuous-integration check enforces this on the public marketing surfaces and breaks the build if a third-party tracking script is added. The same posture extends to the signed-in product.
What we do use
Loocero uses only the functional cookies required to keep the application working for signed-in users:
- Supabase Auth session cookie. A pair of HTTP-only, Secure, SameSite-Lax cookies set by Supabase Auth that hold your session token and refresh token after you sign in. Without these you would have to log in again on every page load. Removing or blocking them signs you out.
These cookies are necessary for the Service to function. Under the EU ePrivacy / cookie-consent regimes, strictly-necessary cookies do not require prior opt-in.
Local storage
Loocero does not write your financial data, AI chat history, or any tracking identifier to localStorage or IndexedDB. The signed-in application uses small UI-state values (such as the dark/light theme preference) in browser storage, and these never leave your device.
Third-party cookies set by external surfaces
Some Loocero features hand off to third-party iframes or hosted pages — most notably:
- Plaid Link. When you connect a bank, Plaid’s iframe runs in its own origin and may set Plaid-side cookies as part of its session. Those are governed by Plaid’s privacy policy.
- Stripe Checkout and Customer Portal. Subscription and billing pages are hosted by Stripe at checkout.stripe.com and billing.stripe.com. Stripe sets its own cookies on those domains. Those are governed by Stripe’s privacy policy.
We do not control cookies set on third-party domains. Refer to /privacy §3 for the full list of processors and what each one receives.
Changes
If this posture ever changes — for example, if we adopt a privacy-first analytics tool — we will update this page and the Privacy Policy before the change ships, and we will surface the change in the application.
Contact
Questions about cookies or tracking: [email protected].