Brightroom

Cookie Policy

Effective 2026-06-17

This page lists the cookies and similar storage that Brightroom sets on https://bright-room.com, what each one does, the legal basis we rely on, and how long it lasts. It also describes our first-party usage analytics, which runs server-side rather than from a cookie. Read it together with our Privacy Policy, which explains the broader picture of how we handle personal data.

1. What this policy covers

Cookies are small text files a website stores in your browser. We also use related technologies that work the same way for legal purposes: browser localStorage, sessionStorage, and a server-side event log. Where this policy says “cookie” it means any of these unless stated otherwise.

We sort everything we set into two groups: strictly necessary (needed to deliver a service you asked for, or to keep the site secure — these load without consent) and consent-required (analytics and marketing — these load only after you opt in). The table in section 3 marks which group each item belongs to.

2. A note on analytics — what we actually do

We run our own first-party usage analytics, in-house. We do not embed Google Analytics, advertising pixels, or any third-party tracking network. Our analytics does not set a tracking cookie in your browser; instead, when you have given consent, the app sends usage events to our own server (the /api/track endpoint), where they are stored in our database. Those events record:

  • page views and the path you visited;
  • in-app interactions and timing (for example, how long a lesson was on screen, scroll depth, and which controls you used);
  • your browser’s user-agent string (truncated); and
  • a salted, truncated SHA-256 hash of your IP address, not the IP itself.

The IP hash is pseudonymous, not anonymous: it cannot be read back to your IP address by an ordinary observer, but because it is derived from your IP it remains personal data under the GDPR and the Swiss FADP, and we treat it as such. We use these events to understand how the product is used, fix bugs, and improve the learning experience. We do not sell them, share them with advertisers, or use them to build cross-site advertising profiles. The legal basis is your consent (Art. 6(1)(a) GDPR; Art. 6(6) revFADP), the same basis stated in our Privacy Policy.

A small number of operational records — for example, sign-in, sign-up, and security events needed to run your account and protect it — are written regardless of your analytics choice, on the basis of contract performance and our legitimate interest in account security (Art. 6(1)(b) and 6(1)(f) GDPR). These are described in the Privacy Policy and are not used for usage analytics.

We also use Sentry for error and performance monitoring so we can detect and fix faults. Diagnostic data is scrubbed of personal data before it is sent, and session replay is disabled. Sentry is listed in our Subprocessors register and described in the Privacy Policy.

3. Cookies and storage we set

The table below is the complete inventory of what we and our infrastructure providers store on your device. Durations are the maximum lifetime of each item; you can clear any of them at any time (see section 5).

| Name | Set by | Purpose | Category & legal basis | Duration |
| --- | --- | --- | --- | --- |
| sb-*-auth-token | Brightroom (via Supabase) | Keeps you signed in to your account. | Strictly necessary. Contract performance — Art. 6(1)(b) GDPR; exempt from consent under Art. 5(3) ePrivacy. | Up to 1 year |
| br-consent | Brightroom | Records your cookie-consent choices so we do not ask again on every visit and so we can prove what you agreed to. | Strictly necessary. Legal obligation / legitimate interest — Art. 6(1)(c) and 6(1)(f) GDPR; exempt from consent under Art. 5(3) ePrivacy. | 180 days |
| br_sid | Brightroom | Enforces single-session sign-in (security): if your account is used elsewhere, the older session is signed out. | Strictly necessary. Legitimate interest in account security — Art. 6(1)(f) GDPR; exempt from consent under Art. 5(3) ePrivacy. | Up to 30 days |
| bright-theme | Brightroom | Remembers your light/dark appearance choice and prevents a flash of the wrong theme when a page loads. | Strictly necessary (functional preference set at your request) — Art. 6(1)(f) GDPR; exempt from consent under Art. 5(3) ePrivacy. | 1 year |
| br_ref | Brightroom | Affiliate attribution. Set only when you actively follow a referral link (https://bright-room.com/r/<code>) so that, if you later subscribe, your friend’s discount applies and the referrer earns their reward. | Marketing / attribution. Set on your request when you follow a referral link; where consent is required it is treated as consent-based (Art. 6(1)(a) GDPR) and is honoured for Global Privacy Control signals (see section 6). | 30 days |
| brightroom.register.v1 (sessionStorage) | Brightroom | Holds your registration draft (the details you typed, excluding your password) so you do not lose progress if you reload during sign-up. | Strictly necessary (functional, set at your request) — exempt from consent under Art. 5(3) ePrivacy. | Until the tab is closed |
| __stripe_mid, __stripe_sid | Stripe (payment processor) | Fraud prevention and payment security. Stripe.js loads — and these cookies are set — only on our payment surfaces (registration, checkout, the paywall, and billing pages), not while you browse the rest of the site. | Strictly necessary for secure payment processing — Art. 6(1)(b) and 6(1)(f) GDPR. | __stripe_mid up to 1 year; __stripe_sid 30 minutes |
| Server-side usage events | Brightroom (first-party) | First-party usage analytics described in section 2 — page views, in-app interactions, timing, truncated user-agent, and a salted IP hash. Stored on our server, not in a browser cookie. | Consent-required (analytics) — Art. 6(1)(a) GDPR / Art. 6(6) revFADP. Not collected for analytics until you opt in. | Up to 13 months, then deleted |

We currently set no third-party advertising or retargeting cookies. The only third-party cookies are the Stripe payment cookies listed above, which load solely on our payment pages. If we ever add a new analytics or marketing technology, we will update this page and ask for your consent before it loads.

4. Retention

Strictly necessary cookies last only as long as needed for their purpose, up to the durations shown above. First-party analytics events are retained for up to 13 months and are then deleted. When you delete your account, the events tied to it are removed as part of that deletion. You can export or erase your account data at any time from your account settings.

5. Changing your choices

When you first visit, a consent banner offers three equally weighted options: Accept all, Reject all, and Customise. Analytics and marketing are off until you turn them on. Withdrawing consent is as easy as giving it — you can change your mind at any time, and it takes effect immediately:

  • open the Cookie preferences control in the site footer to re-open the banner and change any category; or
  • clear the br-consent cookie in your browser, which makes the banner appear again on your next visit.

Withdrawing consent does not affect the lawfulness of processing carried out before you withdrew it. Most browsers (Chrome, Safari, Firefox, Edge) also let you block or delete cookies entirely; blocking strictly necessary cookies will stop you from signing in.

For security, the br-consent cookie is sent with the Secure attribute so it is only transmitted over HTTPS.

6. Global Privacy Control and Do Not Track

We honour the Global Privacy Control (GPC) signal. When your browser or extension sends GPC, we treat it as a valid opt-out of the analytics and marketing categories: we do not collect first-party usage analytics and do not set the br_ref attribution cookie for marketing purposes for that visit. This also serves as a “Do Not Sell or Share My Personal Information” request under California law; see Your Privacy Choices.

We do not respond to the legacy Do Not Track (DNT) browser header, which has been deprecated and is no longer maintained as a standard. GPC is the operative signal we act on.

7. Changes to this policy

We review this policy at least once every 12 months and update it whenever our cookies or analytics change. If we add a new analytics or marketing technology, we will update the inventory above and re-prompt you for consent before it loads. The “Effective” date at the top reflects the current version.

Questions about cookies or your data can go to privacy@bright-room.com.

GMAT® is a registered trademark of the Graduate Management Admission Council™. The Graduate Management Admission Council does not endorse, and is not affiliated with the owner or content of Brightroom.
© 2026 Brightroom. Last updated 2026-06-17. Questions? privacy@bright-room.com
