Few cookies. All boring.

Small text files a site stores in your browser. Some are strictly necessary for the site to work, some help us understand aggregate usage. We do not use any for advertising or cross-site profiling. AIR-Tools runs across two domains: the marketing site (air-tools.nl) and the product (app.air-tools.nl). The list below covers both.

On the marketing site (air-tools.nl): no application cookies are set. The locale (English or Dutch) is encoded in the URL path, not in a cookie. On the product (app.air-tools.nl): Supabase Auth session cookies (sb-* family — access token and refresh token, HTTP-only, SameSite=Lax, refreshed on activity) — without these you cannot stay logged in. Both domains receive a small set of routing cookies set by the underlying hosting platform (Vercel). Strictly-necessary cookies do not require consent under ePrivacy.

We do not currently set any non-essential functional cookies. If we add any (for example, a UI-preference cookie like a remembered side-panel state, or a locale cookie for cross-session preference), we will list them here and add a consent prompt where required.

We run no client-side analytics product of our own on either domain. The one exception sits on the marketing site: the demo-request form on /contact is a HubSpot embed, and when that page loads HubSpot may set its own analytics cookies (__hstc, __hssc, __hssrc) to attribute a submission. Vercel infrastructure logs anonymised request metadata (IP, user agent, response code) to operate the platform; this is processing necessary for service delivery, not behavioural analytics, and is purged on Vercel's standard rolling window.

We run no advertising or retargeting cookies on either domain. The one exception is the HubSpot demo-request form on /contact: HubSpot is our CRM, and its form embed sets a visitor cookie (hubspotutk) so a demo request ties to the right contact record. We use it for that — not for cross-site ad targeting.

Stripe Checkout (loaded only on the product when you reach the billing page) sets fraud-prevention cookies (m, __stripe_mid, __stripe_sid) for the duration of the checkout flow. The marketing site embeds no Stripe scripts. Sentry's session-replay cookie is currently disabled. On the marketing site, the only third-party embed is the HubSpot demo-request form on the /contact page (HubSpot runs in its EU data region, eu1, for us). When that page loads, the HubSpot embed script runs and sets HubSpot's form/analytics cookies (hubspotutk, and __hstc, __hssc, __hssrc where HubSpot tracking applies). No other marketing-site page loads third-party scripts.

Browser settings let you delete or block cookies per site. Blocking strictly-necessary cookies on the product will log you out; the marketing site continues to work either way. Most browsers offer a Global Privacy Control / "do not track" signal — we honour it by default for any future analytics features.

Questions: privacy@air-tools.nl.