
Cookies Policy

Effective Date: April 19, 2026  |  Last Updated: May 22, 2026

Short version: ARA sets a handful of essential cookies so you stay signed in, and nothing else loads until you say yes. This page lists every cookie we use, why, and how to change your mind at any time. A shorter summary lives in Privacy Policy §8.
01

What cookies are

Cookies are small text files a website stores on your device. They let the site remember you between page loads, keep you signed in, and measure how it gets used. Some cookies are strictly necessary for the site to function. Others are optional and require your consent under the EU ePrivacy Directive and GDPR.

ARA also uses similar technologies (browser localStorage and IndexedDB caches used by the Firebase SDK) that perform the same role. For brevity this policy refers to all of them as "cookies".

02

Categories ARA uses

Strictly necessary

Required for ARA to function. These do not require consent under the ePrivacy Directive. They include Firebase Authentication tokens (so you stay signed in), the cookie consent record itself, your theme preference (Cream or Moss), and short-lived Firebase SDK heartbeats. Blocking them will break sign-in.

Analytics, consent-gated

ARA uses Google Analytics 4 to understand which features get used and where the app breaks. These cookies are only placed if you tap "Accept All" or enable Analytics in the preferences panel. If you decline, no GA script is loaded and no analytics data leaves your browser.

Error tracking, consent-gated

ARA uses Sentry to capture crashes and failed requests so we can fix them quickly. Sentry is also consent-gated: nothing loads until you toggle Error Tracking on. Sentry's session replay feature, which records richer diagnostic context, is only activated if you have also accepted Analytics.

No marketing cookies

ARA does not use marketing cookies, advertising pixels, retargeting tags, or social tracking. We do not sell or share your data with advertisers. If this ever changes, the cookie banner re-prompts before any new tracker runs.
03

Cookie inventory

Every cookie or storage entry ARA places, what category it falls into, and how long it lasts. Cookies set by third parties (Stripe Checkout, Google Fonts) are listed only where ARA's UI triggers them; their own policies apply once you reach their domain.

| Name | Set by | Purpose | Category | Duration |
| --- | --- | --- | --- | --- |
| firebaseLocalStorageDb | Firebase Auth | Keeps you signed in between visits. | Strictly necessary | Persistent |
| firebase-heartbeat-store | Firebase SDK | Internal Firebase telemetry. No personal data. | Strictly necessary | Persistent |
| ara_cookie_consent_detail | ARA | Stores your consent choice, the policy version, and a timestamp. | Strictly necessary | 12 months |
| ara_cookie_consent | ARA (legacy) | Backwards-compatible mirror of your analytics choice. Kept so old code paths keep working. | Strictly necessary | 12 months |
| ara-theme | ARA | Remembers your Cream or Moss theme choice. | Strictly necessary | Persistent |
| _ga, _ga_* | Google Analytics | Distinguish anonymous sessions for usage analytics. | Analytics (consent-gated) | Up to 26 months |
| Sentry session replay | Sentry | Records user interactions to help diagnose errors. Only when both Analytics and Error Tracking are on. | Analytics (consent-gated) | Session |

Some Firebase SDK state uses IndexedDB rather than traditional cookies. Listed here under the same heading because the consent rules treat them identically.

04

Third-party cookies and embedded content

Some pages link to or embed third-party services. Those services set their own cookies, governed by their own policies. The ones ARA triggers:

  • Stripe Checkout places its own session and fraud-detection cookies on its own domain when you start a subscription. ARA never sees those values. See Stripe's cookie policy.
  • Google Fonts and Material Symbols load typefaces and icons from Google's CDN. Loading exposes your IP address to Google but does not place persistent cookies.
  • Google Sign-In uses Google's own auth cookies on accounts.google.com during the SSO popup. ARA receives only the ID token Google returns at the end.

Full subprocessor list and what data each one sees lives in Privacy Policy §5.

05

Managing your choices

You can review or change your cookie choices at any time. You can:

  • Use the "Cookies" link in the site footer (it opens the same panel).
  • Once signed in, go to Settings → Account & Privacy → Cookie Preferences → Manage. Resetting re-displays the banner.
  • Block or delete cookies through your browser's Privacy or Site Data settings.
  • Install Google's opt-out browser add-on for Analytics: tools.google.com/dlpage/gaoptout.

Heads up

Blocking strictly necessary cookies will break parts of ARA, including signing in and remembering your theme. Blocking the consent-gated cookies has no effect on how the app works for you.
06

Global Privacy Control

ARA honours the Global Privacy Control (GPC) signal. If your browser or extension sends a Sec-GPC: 1 header or sets navigator.globalPrivacyControl to true, we treat it as an opt-out of any sale or sharing of personal data, and as a directional opt-out of analytics tracking that we have not yet bound to a separate consent choice.

Note that ARA does not currently sell or share personal data with advertisers (see Privacy Policy), so GPC mostly serves as a stronger consent signal than the banner alone. The older "Do Not Track" header is honoured where reasonably possible, but the W3C DNT specification has been discontinued and is no longer maintained.

08

Changes to this policy

We may update this Cookies Policy when we add, remove, or change a cookie. Material changes will be announced through the cookie banner before they take effect. The "Last Updated" date at the top of this page indicates when the policy was last revised.

09

Contact

If you have questions about cookies on ARA, write to us:

Entity

Arbos Folk

CVR 46278895

Address

Byhøjvænget 17
8380 Trige, Denmark

Responsible person

Leif Pettersen