Skip to content

Legal

Cookie Policy

Last updated: April 2026

Cavale (operated by Nothing Is Permanent Ltd) uses the smallest set of cookies that lets the site work. We don’t set any cookies for advertising, retargeting, or third-party tracking.

Strictly necessary cookies

These are required for the site to function. They don’t need consent under GDPR.

  • sb-<project>-auth-token (and chunked variants .0, .1 when the token is large) — set by Supabase Auth when you sign in. Required for the server to recognise you on every request. Stored as an HTTP cookie so it’s available to API routes; expires after the refresh token lifetime (~1 year unless you sign out).
  • NEXT_LOCALE — set by next-intl to remember your selected language (en / fr / lb) across requests. Persistent.

Payment cookies (only on checkout)

Stripe Checkout sets its own cookies during the payment flow for fraud prevention and session continuity. These are third-party cookies set by Stripe (PCI DSS Level 1 certified) and only loaded when you reach a checkout page. See Stripe’s cookie notice for the full list.

Browser local storage (not cookies)

We use your browser’s local storage for a few small preferences. This data stays on your device and is never sent to our servers as a cookie.

  • cookie_consent — your saved consent preferences (so we don’t ask you twice).
  • cavale-currency — your selected display currency.
  • Supabase Auth shadow — a copy of the auth token the supabase-js client reads from on the page. Mirrors the cookie above; cleared on sign-out.
  • UI dismissal flags (welcome banner, onboarding checklist) — small one-time keys to remember things you’ve dismissed.

Analytics — cookieless

We use PostHog for product analytics on EU servers (eu.i.posthog.com). PostHog is configured with persistence: ‘memory’ and autocapture: false — meaning it doesn’t set cookies, it doesn’t write to local storage, and it only fires the explicit events we’ve defined (page views and a small set of product actions). The in-memory state is discarded when you close the tab.

What we don’t use

  • No advertising or retargeting cookies
  • No third-party tracking pixels
  • No Facebook Pixel, Google Analytics, or similar
  • No fingerprinting
  • No cookies set by embedded social-media widgets

Your choices

The strictly necessary cookies above can’t be turned off without breaking the site (you wouldn’t be able to sign in, or the site would forget your language).

For analytics, you can use the “Manage cookie preferences” button on the privacy page to opt out at any time. Because PostHog runs cookieless, opting out simply stops the event capture — there’s nothing for us to delete.

You can also clear cookies and local storage at any time from your browser’s settings.

Questions?

Email hello@cavale.travel.