Cookie Policy
Effective date: May 2, 2026. Last updated: May 2, 2026.
1. What Cookies and Similar Technologies Are
Cookies are small files stored on your device. Similar technologies include pixels, SDKs, local storage, session storage, tags, beacons, embedded content, scripts, and other tools that store information on, or access information from, your browser or device.
2. Why We Use These Technologies
Acubic uses strictly necessary technologies to provide login, guest-session quotas, security, billing, support, and portfolio-builder workflows. We do not currently deploy client-side advertising pixels, retargeting tags, session replay, social tracking pixels, or third-party product analytics scripts. Future non-essential scripts must be loaded through our consent manager.
3. Cookie Categories
- Strictly necessary: required for the website, account, security, payment, and requested app workflows.
- Functional: optional interface preferences, such as remembering UI state.
- Analytics/performance: non-essential measurement beyond necessary operational logs.
- Personalization: optional tailoring based on prior behavior.
- Advertising/targeting: retargeting, cross-context behavioral advertising, pixels, and ad measurement.
- Social media/embedded content: third-party embeds that may set their own tracking technologies.
- Security/fraud prevention: bot detection, abuse prevention, account protection, and payment security.
4. Detailed Inventory
| Name | Provider | Party | Category | Purpose | Data collected | Expiration | Region behavior | Consent required | Sale/share/targeted ads | Policy |
|---|---|---|---|---|---|---|---|---|---|---|
| refresh_token | Acubic | first-party | Strictly necessary | Maintains authenticated sessions and supports token refresh. | Opaque refresh token stored as an HttpOnly cookie; related server logs may include IP address and user agent for security. | Up to 7 days, based on REFRESH_TOKEN_EXPIRE_DAYS. | Allowed in all regions as strictly necessary for account login. | No, strictly necessary. | No. | View |
| acm_guest_sid | Acubic | first-party | Strictly necessary | Maintains guest portfolio-generation quota and transfers guest usage to an account after sign-in. | Opaque guest session token; server stores a token hash, IP address, user agent, creation time, and last-seen time. | Up to 30 days, based on GUEST_SESSION_EXPIRE_DAYS. | Allowed in all regions as service, abuse-prevention, and quota functionality. | No, treated as strictly necessary/security. | No. | View |
| sidebar:state | Acubic UI | first-party | Functional | Remembers whether an application sidebar is open or collapsed. | Boolean UI preference only. | 7 days. | EU/EEA/UK/unknown: load only after functional consent. US: user may opt out in Cookie Settings. | Yes in opt-in regions unless strictly necessary for a requested UI action; currently documented as functional. | No. | View |
| acm_cookie_consent | Acubic | first-party | Strictly necessary | Stores cookie and privacy choices, region mode, GPC status, timestamps, and policy/schema versions. | Consent ID, categories selected, region classification, GPC flag, source, and timestamps. No portfolio or payment data. | 180 days, or until policy/vendor/schema changes require a new choice. | Allowed in all regions to remember legally required privacy choices. | No, necessary to remember consent/opt-out choices. | No. | View |
| acm_auth_state / acm_user | Acubic | first-party | Strictly necessary | Keeps the logged-in UI state responsive after refresh. Access tokens remain in memory; the refresh token is in an HttpOnly cookie. | Minimal account display state in localStorage. | Until logout, browser clearing, or local app cleanup. | Allowed in all regions for authenticated account functionality. | No, tied to account service requested by the user. | No. | View |
| workflow/session keys | Acubic | first-party | Strictly necessary | Preserves portfolio-builder workflow state, optimization results, rate-limit UI state, and post-auth redirects during a browsing session. | Portfolio workflow inputs/results that the user entered or generated in the app. | Session storage, usually until the tab or browser session ends. | Allowed in all regions for requested portfolio-builder functionality. | No, required to provide requested app workflows. | No. | View |
| Cloudflare Turnstile scripts and tokens | Cloudflare | third-party | Security/fraud prevention | Bot detection on login/signup when Turnstile is enabled. | Challenge token, IP address sent server-side for verification when enabled, device/browser signals processed by Cloudflare. | Controlled by Cloudflare and challenge lifecycle. | Allowed where enabled as security/fraud prevention. Disclose as third-party security technology. | No when used only for security and fraud prevention; legal review should confirm deployment mode. | No, if configured only for security. | View |
| Stripe Checkout/Billing Portal cookies | Stripe | third-party | Strictly necessary | Processes subscriptions, checkout, fraud prevention, and customer portal sessions after a user chooses billing actions. | Billing customer identifiers, email, payment metadata, fraud-prevention and transaction data handled by Stripe. | Controlled by Stripe on Stripe-hosted pages. | Allowed when the user initiates payment or billing management. | No for payment/security functionality requested by the user. | No, based on current implementation. | View |
| Google OAuth/OIDC cookies | Google | third-party | Strictly necessary | Authenticates users who choose Google sign-in or account linking. | OAuth authorization data and Google account profile claims returned after user authorization. | Controlled by Google on Google-hosted authentication pages. | Allowed only when the user initiates Google authentication. | No for user-requested authentication. | No, based on current implementation; legal review should validate Google configuration. | View |
| Admin/usage analytics events | Acubic | first-party | Strictly necessary | Tracks account, billing, quota, support, security, and operational events in the backend for service administration. | Authenticated user ID or guest session ID, event type, source endpoint, timestamps, and limited event payloads. | Server retention period to be finalized by legal and operations. | Allowed when necessary for service operation, security, billing, quota enforcement, and support. | No for necessary operational/security logs; consent needed before adding product analytics beyond necessary operations. | No. | View |
5. Managing or Withdrawing Consent
You can open Cookie Settings from the footer at any time. In EU/EEA, UK, and unknown-region mode, non-essential technologies are off unless you opt in. “Reject all” and “Accept all” are presented with comparable access, and choices are granular by category. You can withdraw consent as easily as you gave it.
You can also use browser settings to block or delete cookies. Browser-level blocking may affect login, security, billing, guest quotas, and portfolio workflows that depend on strictly necessary cookies or session storage.
6. Regional Rights and GPC
EU/EEA and UK users have consent rights for non-essential storage/access technologies. California and other covered US state users may have rights to opt out of sale, sharing, targeted advertising, and certain sensitive-data uses. If your browser sends a Global Privacy Control signal, we treat it as an opt-out of sale/sharing and targeted advertising for applicable US jurisdictions and block those categories.
7. Policy Versions and Changes
Current versions: Cookie Policy 2026-05-02, Privacy Policy 2026-05-02, Terms 2026-05-02, Consent Schema 1.0.0. We will re-prompt when policy versions, vendors, purposes, or cookie categories materially change.
8. Contact
For privacy requests or questions, contact [email protected].
