Cookie Policy
Last updated: 2026-05-15
This page discloses every cookie and browser-stored identifier written by Rapoport Studio’s marketing site and workspace. Identifier names, retention values, and lawful-basis labels are in English as required by GDPR Art. 13(1)(e).
Marketing site · rapoport.studio
One first-party cookie is set — a locale-preference cookie injected by the routing middleware when a visitor lands on the bare root path. It does not track behaviour, does not leave this domain, and is strictly necessary for multi-locale URL routing to function.

| Identifier | Type | Vendor | Purpose | Retention | Lawful basis |
|---|---|---|---|---|---|
| NEXT_LOCALE | Cookie (HTTP; not HttpOnly; SameSite=Lax; Path=/) | First-party (next-intl framework) | Persists the visitor's language-locale choice so that repeat visits to bare paths (`/`) redirect to the correct locale URL (`/en/`, `/ru/`, `/ro/`) | Session — no `Expires` or `max-age`; deleted when the browser closes | Strictly necessary — enables consistent language routing as requested via URL locale-prefix navigation; set only on redirect, not on every page load |
| rs-funnel-session | sessionStorage | First-party | Per-tab anonymous UUID that links funnel events (intake step transitions, decision-router clicks, openspec archive downloads) within a single browser tab. Cleared when the tab closes. No cross-session tracking, no PII, no advertising IDs. | Per-tab (sessionStorage semantics — cleared on tab close) | Functional (anonymous server-side funnel measurement; no client analytics SDK) |

Workspace · app.rapoport.studio
The workspace is an authenticated SaaS application. It uses strictly-necessary session cookies managed by Supabase and functional browser-local state. No marketing or analytics identifiers are written to the device.

| Identifier | Type | Vendor | Purpose | Retention | Lawful basis |
|---|---|---|---|---|---|
| sb-nifagnmgwoqkplegsicy-auth-token | Cookie (HTTP; HttpOnly; Secure; SameSite=Lax; domain=.rapoport.studio; Path=/) | Supabase | Holds the authenticated user's JWT and refresh token — required for every authenticated request to the workspace | Until sign-out or token expiry (Supabase default: access token 1 h; refresh token 30 days) | Strictly necessary (contract performance) — enables access to the contracted workspace service |
| sb-nifagnmgwoqkplegsicy-auth-token-code-verifier | Cookie (HTTP; HttpOnly; Secure; SameSite=Lax; domain=.rapoport.studio; Path=/) | Supabase | PKCE code verifier — temporary secret required to complete the magic-link / OAuth authentication handshake | ~5 minutes; deleted on successful code exchange | Strictly necessary (security) — required by the PKCE protocol to prevent authorization-code interception |
| sidebar_state | Cookie (JavaScript-set; not HttpOnly; SameSite=Lax; Path=/; max-age=604800) | First-party | Persists the workspace sidebar's open/collapsed state across page navigations | 7 days | Functional (user interface preference) — no data transmitted to any external party |
| canvas:mobile-banner-dismissed | localStorage | First-party | Records that the user dismissed the mobile-use warning banner in the canvas view, suppressing repeat display | Persistent until browser storage is cleared | Functional (user interface preference) |
| `canvas-stage-transition:<canvasId>:<fromStage>:<toStage>` | localStorage | First-party | Records that a stage-transition celebration animation has been shown for a specific canvas and transition pair, preventing repeat display on the same device | Persistent until browser storage is cleared | Functional (user experience — one-shot animation guard) |
| `intake-draft:v1:<type>:<locale>` | localStorage | First-party | Auto-saves intake form draft values so the user does not lose work-in-progress entries if they navigate away before submitting | 30 days (enforced by schema-expiry logic in the storage utility) | Functional (prevents user data loss during form completion) |
| cookie-notice-dismissed:v1 | localStorage | First-party | Records that the visitor dismissed the cookie transparency notice (v1), suppressing repeat display on the same device | Persistent until browser storage is cleared | Functional (user interface preference — one-shot dismissal guard) |
| anon-visitor-id | localStorage | First-party | Anonymous UUID identifying the device for consent-event logging — contains no PII and is not linked to any authenticated identity | Persistent until browser storage is cleared | Functional (anonymous telemetry — no PII linkage) |

Sub-processors
For a full list of third-party processors that may process personal data on our behalf, see our sub-processors page.
Future changes
If we add identifiers that require consent, this page will be updated before those identifiers are set and a consent mechanism will be displayed.
Contact
To raise a concern about our use of cookies or browser-stored identifiers, contact us at legal@rapoport.studio.