Cookie Policy

This policy explains the cookies and similar local‑storage technologies pomela uses, why we use them, and how you control them. It supplements the Privacy Policy.

Effective 2026‑06‑01

1 · What these technologies are

A cookie is a small text file a site stores in your browser. We also use localStorage and IndexedDB: browser stores that keep data on your device and are never sent automatically to a server. We group all of these as “cookies” below for simplicity.

2 · How we use them

We keep this deliberately small. pomela uses strictly‑necessary storage to work at all, and a thin layer of anonymous, aggregate analytics. We do not use advertising cookies, cross‑site trackers, or third‑party marketing pixels.

3 · The cookies we set

Name / keyTypePurposeLifespan
vs_sessionStrictly necessaryYour signed‑in session (HttpOnly, first‑party). Without it you cannot stay logged in.~30 days
vs_deviceStrictly necessaryA device credential that ties your locally‑built apps to this browser before you sign in, and that powers abuse rate‑limits.~1 year
pomela:* / vs:creator:* (localStorage)Strictly necessaryYour consent choice, theme, language, onboarding state, and the list of apps you’ve built on this device.Until cleared
Anonymous usage eventsAnalytics (optional)Aggregate counts (apps generated, sign‑ins, crashes) keyed to a random device id, never your name, email, or app content. Used only to keep the product reliable.Rolling

On your first visit we show a consent banner. Strictly‑necessary storage is always on (the product cannot function without it, and it is exempt from consent under the ePrivacy rules). The optional analytics layer is enabled only if you accept; choosing “Essential only” keeps it off.

5 · Third parties

A few infrastructure providers may set their own strictly‑necessary cookies when you use pomela: Cloudflare (edge delivery and bot protection) and Supabase (authentication and storage). Apps you build may load their own resources; you control what your app includes. We do not embed advertising or social‑media trackers. See our Sub‑processors list.

6 · Apps you build

Apps generated with pomela store their end‑users’ data under per‑user isolation (see the Data Processing Agreement). If your app sets its own cookies or storage, you are the controller for that and are responsible for your app’s own cookie disclosure.

7 · Changes

If we add or change a cookie we’ll update this page and, where the change is material, re‑surface the consent banner. Questions: [email protected].

A lawyer should confirm the consent model and cookie inventory against the ePrivacy Directive / GDPR (EU), the UK PECR, and any launch‑jurisdiction rules, and align the “strictly necessary” classifications with current guidance.