Last updated: 18 April 2026 · Effective: 18 April 2026
This Cookie Policy explains how Burooj uses cookies and similar technologies on burooj.ai. It supplements, and should be read together with, our Privacy Policy.
Under EU and UK law (Article 5(3) of the ePrivacy Directive 2002/58/EC, as implemented
locally), the rules on cookie consent apply not only to HTTP cookies but to any
storage of, or access to, information on your device. That includes cookies,
localStorage, sessionStorage, IndexedDB, cache
storage, ETag-based tracking, pixels, SDK identifiers, and device
fingerprints. This policy uses “cookie” as shorthand for all of those.
Reference: European Data Protection Board, Guidelines 2/2023 on Technical Scope of Art. 5(3) ePD (14 November 2023).
These items are required to deliver the parts of the Service you have explicitly asked for. They are exempt from consent under Art. 5(3) ePD because they are either strictly necessary to transmit a communication, or strictly necessary for a service the user has explicitly requested.
These items are set only if you affirmatively accept them in the cookie banner or in Settings → Privacy. Selecting “Reject” or “Essential only” prevents them from being set. You can withdraw consent at any time from Settings → Privacy; withdrawal is as easy as giving consent (GDPR Art. 7(3)).
| Name / key | Provider | Purpose | Type | Duration | Classification |
|---|---|---|---|---|---|
sb-*-auth-token |
Supabase | Maintain your authenticated session after sign-in | localStorage | Until sign-out or token expiry | Strictly necessary |
burooj-cookie-consent |
Burooj | Remember your cookie preference so we don't keep asking | localStorage | 12 months | Strictly necessary |
burooj-theme |
Burooj | Remember your dark/light mode preference | localStorage | 12 months | Strictly necessary |
__cf_bm |
Cloudflare | Bot management and abuse prevention on a site you chose to visit | HTTP cookie (HttpOnly) | 30 minutes | Strictly necessary (security; short-lived) |
cf_clearance |
Cloudflare | Record that a security challenge has been passed | HTTP cookie | Up to 1 year | Strictly necessary (security) |
| Paddle checkout session cookies | Paddle | Process the payment overlay you have opened | HTTP cookie | Checkout session | Strictly necessary (user-initiated payment) |
sentry-* / Sentry SDK state |
Sentry | Capture crash reports and performance diagnostics so we can fix bugs faster | HTTP cookie / localStorage | Session to 90 days | Consent required — off unless you accept error diagnostics |
The first time you visit the Service without a stored preference, we show a banner with two equally prominent options:
A third option, “Customise,” opens the same Settings panel you can reach at
any time under Settings → Privacy, where you can change your mind. Your choice is
stored in burooj-cookie-consent so we do not re-prompt you unnecessarily.
We do not use pre-ticked boxes, implicit consent through scrolling, or “continued use of the site” as consent signals (per CJEU Planet49, Case C-673/17, 1 Oct 2019).
We do not engage in cross-site tracking, so “Do Not Track” browser signals
have nothing to disable. We do honour the Global Privacy Control
(Sec-GPC: 1) signal as a universal opt-out of any activity that would
constitute “sale” or “sharing” under the CCPA/CPRA — we do
not engage in such activities either way, and the GPC signal reinforces that choice.
burooj-cookie-consent from your browser's storage to see the banner again.If we add a new cookie or change the classification of an existing one, we will update this page, re-surface the banner where required, and note the change in the “Last updated” date at the top.
Questions about this policy: privacy@burooj.ai.