Morphee Cookie & Local Storage Policy
Status: DRAFT | Last updated: 2026-02-20
This document fulfils the ePrivacy Directive Art. 5(3) disclosure requirement for storage mechanisms used by Morphee.
Summary
Morphee does not use cookies for tracking, advertising, or analytics. We use only technically necessary local storage to keep the app working.
1. What We Use
1.1 HTTP Cookie
| Cookie | Purpose | Duration | HttpOnly | Secure |
|---|---|---|---|---|
| refresh_token | Authentication — stores the session refresh token so you stay logged in between visits | Until logout or 30-day expiry | Yes (planned) | Yes (HTTPS only) |

Note: The refresh_token cookie is set by Supabase Auth (GoTrue). HttpOnly enforcement is planned (pending cookie migration from localStorage — tracked as a security improvement).
1.2 Browser localStorage
These items are stored directly in your browser and never transmitted to any server:
| Key | Purpose | Duration |
|---|---|---|
| access_token | Authentication session (JWT access token) | Until logout or 1-hour expiry |
| theme | Your light/dark mode preference | Persistent until cleared |
| feature_tour_completed | Whether you've seen the onboarding tour | Persistent until cleared |
| conversation_last_seen_* | Per-conversation unread tracking (timestamp) | Persistent until cleared |
| notification_preferences | Cached notification preferences (server is authoritative) | Persistent until cleared |
| task_filter_* | Filter/sort state for the Tasks page (persisted via URL params) | Session / URL-driven |
1.3 What We Do NOT Use
- No tracking cookies — we do not set cookies to track you across sites
- No advertising cookies — we have no ad network relationships
- No analytics cookies — we do not use Google Analytics, Mixpanel, or similar services
- No fingerprinting — we do not derive device identifiers from browser attributes
- No third-party cookies — no third-party scripts set cookies in Morphee
2. Consent
Because all storage mechanisms listed above are strictly necessary for the application to function (authentication, preferences, session continuity), they do not require separate cookie consent under ePrivacy Art. 5(3). You are informed of their use through this policy and the Privacy Policy.
If we introduce any non-essential storage in the future, we will update this policy and present an appropriate consent mechanism.
3. Managing / Clearing Storage
You can clear all locally stored data at any time:
- Browser: Open DevTools → Application → Local Storage → Clear, or use your browser's "Clear site data" feature
- In-app: Logging out clears your authentication tokens
- Account deletion: Use Settings > Delete Account to remove all server-side data
Clearing localStorage will log you out of the application.
4. Self-Hosted Deployments
If you run Morphee on your own infrastructure, you control the storage environment entirely. The token domain, cookie flags (SameSite, Secure, HttpOnly), and localStorage namespacing all depend on your deployment configuration.
5. Contact
For questions about this policy:
- Email: privacy@morphee.app
- In-app: Settings > Privacy
For full details on data processing, see the Privacy Policy.