Cookie Notice
This notice explains the cookies, local-storage entries, and similar technologies Tibly uses on the marketing site and in the product, what each one does, how long it lasts, and how to turn off the ones you don't want.
Effective June 12, 2026
2. Categories we use
- Strictly necessary: Required for the product to work — the sign-in session cookie and the Turnstile anti-abuse cookie on forms that collect your email. You can't turn these off without breaking the product.
- Functional: Remember things across sessions — the marketing-attribution cookie that tells our team which paid campaign brought you in, and the theme preference local-storage entry.
- Analytics: Help us understand which features are used, where the product breaks, and how visitors move through the site. We use Mixpanel (including session replay) and, when configured in production, Google Analytics. The specific entries each one sets are listed in section 3.
- Marketing: Tibly does not currently use marketing or advertising cookies. If we ever do, this notice will be updated first and a consent banner will appear on this site.
3. Specific cookies and storage we set
The table below lists every cookie, local-storage entry, and session-storage entry Tibly sets directly. Third-party providers (Stripe, Cloudflare, Google) may set additional entries when their widgets load; we link to their notices in section 5.
| Name | Set by | Purpose | Type | Lifespan |
|---|---|---|---|---|
| session_token | Tibly | Keeps you signed in to the product. HttpOnly so JavaScript on the page cannot read it; SameSite=Lax; Secure so it is sent only over HTTPS in production. The value held in your browser is a random opaque string; the database stores only the SHA-256 hash, so a database leak alone cannot be used to impersonate you. | Cookie · HttpOnly · SameSite=Lax · Secure (HTTPS) | Until the server-side session expires (typically 30 days from sign-in) |
| tibly_attr | Tibly | Remembers the most recent paid touch (any landing with a utm_* query parameter) so the signup form can attribute the lead. Organic landings never overwrite an existing paid value. | Cookie · SameSite=Lax · Secure (on HTTPS) | 90 days |
| mp_<token>_mixpanel and related mp_* entries | Mixpanel | Anonymous distinct id, event queue, and session-replay buffer used to measure feature use and reconstruct page renders for product debugging. Only written after sign-in; marketing-site visitors do not have any mp_* entries set. | Local storage | Persistent until cleared |
| _ga, _ga_<measurement-id> | Google Analytics | Aggregate site-traffic reporting — only set when NEXT_PUBLIC_GA_MEASUREMENT_ID is configured in production. | Cookie | Up to 2 years |
| cf_chl_* and Turnstile widget state | Cloudflare Turnstile | Anti-abuse on the signup and hero email-capture forms — verifies you're a real person without showing a CAPTCHA puzzle. | Cookie / local storage | Session |
| __stripe_mid, __stripe_sid | Stripe | Fraud-detection identifiers set only when the Stripe checkout / billing-portal widgets load on /pricing or in-product upgrade flows. | Cookie | Up to 1 year |
4. Session replay and analytics
Tibly uses Mixpanel for product analytics, only after you sign in. Mixpanel is not initialised for marketing-site visitors — no SDK is loaded, no events are sent, and no session is recorded for an unauthenticated page view. For signed-in users, Mixpanel records a session replay (a video-like reconstruction of how the page rendered) for a 10% sample of sessions. Mixpanel's default masking hides text in fields marked as sensitive (passwords, credit-card inputs, fields with the input type "password"); other field values, including any free-text you type during a recorded session, are captured. Internal Tibly employee accounts (any email ending in @tibly.ai) are opted out at identify time and are never recorded.
You can ask us to delete your analytics history at any time by emailing privacy@tibly.ai. We honour the Global Privacy Control browser signal as an opt-out of analytics and session replay for your visit — see section 7.
5. Third-party providers and their notices
Some pages load widgets from the providers below. Each provider operates under its own privacy and cookie policies; we link to them so you can review what they set.
- Stripe — payment processing on /pricing and the in-product upgrade flow (stripe.com/privacy).
- Cloudflare — Turnstile anti-abuse widget on marketing forms (cloudflare.com/privacypolicy).
- Google — Maps Static API thumbnails on project cards, Google Analytics when configured, and OAuth sign-in if you choose Sign in with Google (policies.google.com/privacy).
- Mixpanel — product analytics and session replay (mixpanel.com/legal/privacy-policy).
6. How to control cookies
Browser controls let you block or clear cookies, configure exceptions, and clear local storage. Each major browser documents this in its settings; the specifics differ but all of them support per-site controls.
- Chrome: Settings → Privacy and security → Cookies and other site data.
- Safari: Preferences → Privacy → Manage Website Data.
- Firefox: Settings → Privacy & Security → Cookies and Site Data.
- Edge: Settings → Cookies and site permissions → Manage and delete cookies and site data.
If you block strictly necessary cookies, the product will not work — you won't be able to sign in. Blocking analytics has no impact on functionality.
7. Global Privacy Control
Tibly honours the Global Privacy Control (GPC) signal as an opt-out of sale/share under CCPA and as an opt-out of analytics and session replay. If your browser sends GPC, we treat that as an instruction to disable analytics and session replay for your visit. Most major privacy-respecting browsers send GPC by default; in Chrome and Edge, an extension is required.
8. Changes to this notice
When we add or remove a cookie or storage entry, this notice is updated on the same change. The effective date in the header always reflects the most recent material update.