This Cookie Policy explains how Proyecta Labs, Inc. ("Proyecta," "we," "us," or "our") uses cookies and similar tracking technologies on our websites, applications, and the services they make available (collectively, the "Services"). It supplements our Privacy Policy, which describes how we handle personal data more broadly, and our Subprocessors list, which identifies the third parties involved in operating the Services.
By selecting "Accept all" in our cookie banner — or by enabling specific categories under "Manage preferences" — you consent to the use of the corresponding cookies as described below. In regions that require opt-in consent, no analytics or marketing cookies are set until you make that choice, and refusing is as easy as accepting ("Reject all" sits alongside "Accept all"). You can withdraw or change your choice at any time — see Section 6.
1. What Cookies and Similar Technologies Are
Cookies are small text files placed on your device by your browser when you visit a website. They are commonly used to remember you between visits, keep you signed in, remember your preferences, measure how the site is used, and personalize content.
Similar technologies we also use include:
- Browser storage —
localStorageandsessionStorage, which let a site store small amounts of data in your browser without sending it on every request. - Pixel tags and SDKs — small scripts loaded by your browser that collect information about how you interact with a page (page views, clicks, scroll depth, performance).
Where this policy uses the word "cookies," we generally mean cookies and the similar technologies above, unless we say otherwise.
1.1 First-Party vs. Third-Party
- First-party cookies are set directly by Proyecta on domains we operate (e.g.,
proyecta.dev,app.proyecta.dev,auth.proyecta.dev). - Third-party cookies are set by other companies that provide services on our behalf — for example, our analytics, support chat, and payment vendors. Those third parties act as our processors (see Subprocessors).
1.2 Session vs. Persistent
- Session cookies are deleted when you close your browser.
- Persistent cookies remain on your device until they expire (the durations are listed in the tables below) or until you delete them through your browser.
2. How We Use Cookies
We group the cookies we use into three categories. The two non-essential categories — Analytics and Marketing & Advertising — are independently controllable: you can enable one without the other under "Manage preferences."
2.1 Essential Cookies (always on)
These are required to deliver the Services and cannot be disabled through our cookie banner. They handle authentication, session management, security, fraud prevention, your stored consent choices, and the language you have chosen. Without them the site will not work — for example, you would not be able to stay signed in or have your language preference remembered. We rely on these cookies as strictly necessary under the ePrivacy Directive (no consent required) and to perform our contract with you under GDPR Article 6(1)(b).
2.2 Analytics & Product-Improvement Cookies (consent-gated)
These cookies and similar technologies are product analytics that help us understand how the Services are used so we can improve them — which pages users visit, where they drop off, session replays (with form inputs masked), feature-flag delivery — and the in-app support widget, which carries an identifier. They do not include advertising pixels (those are the separate category below).
In the European Economic Area, the United Kingdom, Switzerland, and other jurisdictions that require opt-in consent (including Quebec), these cookies are loaded only after you enable the Analytics category in our cookie banner. Where you do not, our primary analytics provider continues to operate in a cookieless mode that produces aggregated, non-identifying statistics only. Our legal basis where consent applies is GDPR Article 6(1)(a); elsewhere we rely on legitimate interests under Article 6(1)(f), with an opt-out available at any time.
2.3 Marketing & Advertising Cookies (consent-gated)
These are the advertising and measurement technologies loaded by our marketing tag manager (for example, Meta, Google Ads, LinkedIn, TikTok, and Reddit measurement pixels) used to attribute signups to the ad campaigns that brought you to us and to measure how well our advertising performs. They are described in detail in Section 4.4.
In jurisdictions that require opt-in consent, these pixels are not loaded at all until you enable the Marketing & Advertising category — enabling Analytics alone does not turn them on. Where consent applies, our legal basis is GDPR Article 6(1)(a); elsewhere we rely on legitimate interests under Article 6(1)(f), with an opt-out available at any time. We do not sell your personal information.
3. First-Party Cookies We Set
The table below lists the cookies we set directly. Names ending in * represent a family of cookies whose suffix is generated per session or installation.
| Name | Category | Domain Scope | Purpose | Typical Duration |
|---|---|---|---|---|
x-session-token | Essential | Authenticated subdomain (e.g., app.proyecta.dev) | Authenticated session token (HttpOnly, Secure, SameSite=Lax). Required to stay signed in. | Up to 30 days (set at sign-in; not extended by activity; your session may end sooner) |
proyecta_logged_in | Essential | Registrable apex (e.g., .proyecta.dev) | Public indicator that you have an active session. Carries no credentials and grants no access; used only to switch the marketing site's "Sign in" call-to-action to "Open app." | 30 days |
proyecta_cookie_consent | Essential | Registrable apex (e.g., .proyecta.dev) | Records which cookie categories you allowed (Analytics and/or Marketing & Advertising) and the consent version, so the choice carries across our subdomains. | 180 days |
proyecta-locale | Essential | Registrable apex (e.g., .proyecta.dev) | Remembers the language you selected (for example, en, es). | 365 days |
x-client-country | Essential | Registrable apex (e.g., .proyecta.dev) | Country code derived from your IP address by our load balancer and mirrored to a cookie. Used to determine whether the cookie banner needs to be shown and to localize regional content. | 1 hour |
x-client-region | Essential | Registrable apex (e.g., .proyecta.dev) | Region/state code derived from your IP address by our load balancer and mirrored to a cookie, used together with the country code for localization (including the EU/Quebec consent decision). | 1 hour |
_cat_attr_first, _cat_attr_last | Marketing & Advertising | Registrable apex (e.g., .proyecta.dev) | First-touch and last-touch marketing-attribution cookies storing the campaign parameters (UTMs) and ad click identifiers (e.g., gclid, fbclid) from the link you arrived through, so we can attribute your signup to the campaign that referred you. Set only where you have allowed Marketing & Advertising cookies — never where you have declined or sent a Global Privacy Control signal. | Up to 365 days |
The only first-party marketing cookies we set are the attribution cookies listed above, and only where you have allowed the Marketing & Advertising category. We do not set first-party cross-site tracking cookies.
4. Third-Party Cookies
The cookies below are set by third-party vendors that process data on our behalf. Vendors may update the names and durations of their cookies from time to time; for the authoritative current list, consult the vendor's own cookie documentation linked in Section 6.4. Many of the third parties identified here are listed on our Subprocessors page; the advertising and measurement vendors in Section 4.4 generally act as independent controllers for ad measurement rather than as our subprocessors.
4.1 Product Analytics
| Vendor | Cookies / Storage | Purpose | Typical Duration |
|---|---|---|---|
| PostHog (EU region) | ph_proyecta cookie (distinct ID, session ID), plus related localStorage entries (feature-flag and replay state) | Product analytics, feature usage, session replay (with form inputs masked), feature-flag delivery. Where consent is declined, PostHog runs in a cookieless mode that produces aggregate data only. | Up to 1 year |
For network-level efficiency and resilience to content blockers, we proxy PostHog traffic through a first-party path on our own domain (/ph-api). The data still flows to the vendor identified above; the proxy does not change the purpose or the vendor.
4.2 Customer Support
| Vendor | Cookies / Storage | Purpose | Typical Duration |
|---|---|---|---|
| Intercom | intercom-* cookies and storage | In-app messaging and support widget on the authenticated app. Maintains your conversation history with our team. | Up to 9 months |
Inside our authenticated app (app.proyecta.dev), the widget loads only after you enable Analytics cookies, because it carries your account identifier. On our public marketing site (proyecta.dev) the widget is not loaded on page load; it loads only if you open the support chat yourself (for example, by clicking a "chat with us" control), starting an anonymous support conversation that carries no account identifier. Declining or withdrawing Analytics consent shuts the widget down.
4.3 Error Monitoring
| Vendor | Cookies / Storage | Purpose | Typical Duration |
|---|---|---|---|
| Sentry | localStorage and sessionStorage entries (no third-party cookies under normal operation) | Captures unhandled errors and diagnostic context so we can fix bugs. Sentry does not set tracking cookies. | Session |
We treat error monitoring as essential to operating the Services reliably; it is initialized regardless of your analytics choice because, as configured, it captures only error and diagnostic telemetry — not session recordings or behavioral analytics.
4.4 Advertising and Marketing Measurement
We deploy marketing measurement tags through Google Tag Manager. These tags only load after you enable the Marketing & Advertising category (enabling Analytics alone does not load them), and we use them to measure how well our ads convert into signups so we can spend our marketing budget responsibly.
| Vendor | Cookies (typical) | Purpose | Typical Duration |
|---|---|---|---|
| Google (Google Tag Manager, Google Ads, GA4) | _ga, _gid, _gat, _gcl_* | Tag delivery, Google Analytics measurement, Google Ads conversion attribution. | Up to 2 years |
| Meta (Facebook) | _fbp, _fbc | Conversion measurement and attribution for Meta ad campaigns. Used together with Meta's server-side Conversions API. | Up to 90 days |
| TikTok | _ttp | Conversion measurement and attribution for TikTok ad campaigns. | Up to 13 months |
li_fat_id, bcookie, lidc | Conversion measurement and attribution for LinkedIn ad campaigns. | Up to 6 months | |
_rdt_uuid | Conversion measurement and attribution for Reddit ad campaigns. | Up to 90 days |
We use Google Consent Mode v2 and signal your Analytics and Marketing choices independently: enabling Analytics sets analytics_storage to granted, while enabling Marketing & Advertising sets ad_storage, ad_user_data, and ad_personalization to granted. When a category is off, the corresponding Google tags switch to a non-personalized, cookieless mode that does not write identifying cookies. Where you enable Marketing & Advertising, the relevant identifiers (such as Meta's _fbp and the click IDs in the URL at signup time) may be transmitted server-side to the respective ad platform's conversion API to attribute your signup to the campaign that brought you to us. This is used only to measure our marketing — we do not sell your personal information.
4.5 Payments
| Vendor | Cookies (typical) | Purpose | Typical Duration |
|---|---|---|---|
| Stripe | Set by Stripe's Connect.js (e.g. __stripe_mid, __stripe_sid) | Set when you open the Commerce panel in the builder to set up or manage your own storefront's payments (Stripe Connect onboarding, account management, balances, payouts). Stripe processes the storefronts you build — not your Proyecta subscription, which is billed through Lemon Squeezy. | Up to 1 year |
| Lemon Squeezy | Set by Lemon Squeezy checkout (lemon.js) when it is initialized | Merchant-of-record checkout, payment session, and fraud prevention. Lemon Squeezy is the merchant of record for all subscription billing. | Up to 1 year |
These payment cookies load only when you initiate a purchase (Lemon Squeezy) or open the Commerce panel to manage your storefront's payments (Stripe Connect). They are treated as strictly necessary for the transaction or account-management action you have asked us to perform, and are not used for cross-site advertising.
5. Browser Storage
In addition to cookies, we (and some of the third parties listed above) use localStorage and sessionStorage. The principal items are listed below; we also store small amounts of functional interface state (such as your active workspace, favorites, draft messages, panel/table layout, and onboarding/quest progress), and — when you arrive via a referral link — briefly store the referral code so it can be attached to your signup. This list is not exhaustive.
| Key | Purpose |
|---|---|
proyecta:cookieConsent | Which cookie categories you allowed (Analytics and/or Marketing & Advertising) and the version of the prompt you saw (mirror of the consent cookie). |
proyecta-locale | Your language preference (mirror of the locale cookie, as a fallback). |
proyecta:ipinfo | A cache (up to 30 days) of your approximate IP-based country and region, so we don't re-query it on every page load. |
proyecta_remember_me | Records that you chose to stay signed in (set when you check "Remember me" at sign-in; cleared on sign-out). |
pending_remember_me | Remembers your "stay signed in" choice across the sign-in redirect. |
Browser storage is not transmitted on every request the way cookies are, but it persists across visits to the same site and can be cleared through your browser's site-data settings.
6. Your Choices
6.1 Cookie Banner and Preferences
The first time you visit our public website from a jurisdiction that requires opt-in consent, you will see a cookie banner offering Accept all, Reject all, and Manage preferences. "Reject all" is presented with the same prominence as "Accept all," so declining is as easy as accepting. Under "Manage preferences" you can enable the Analytics and Marketing & Advertising categories independently (Essential is always on and cannot be switched off). You can reopen these preferences at any time to change your choices.
Your choices are remembered for 180 days (in the proyecta_cookie_consent apex cookie and in localStorage). After that, we will ask again. We will also ask again sooner if we materially update this policy or the categories of cookies in use, by incrementing an internal consent version — which is why, having separated Marketing & Advertising into its own category, we re-prompted previously consenting visitors.
If you do not enable a category, we will not load that category's cookies — declining Analytics holds back product-analytics and support-chat cookies, and declining Marketing & Advertising holds back the ad-measurement pixels. Essential cookies remain in place because the site cannot function without them.
6.2 Global Privacy Control
We honor the Global Privacy Control (navigator.globalPrivacyControl) browser signal. If your browser sends GPC, we treat it as a request to opt out of the sale and sharing of personal information under California law, and we apply the same effect as a Reject all decision in our banner — both the Analytics and the Marketing & Advertising categories are denied for the cookies described in Section 4.
6.3 Browser Controls
Most browsers let you view, restrict, or delete cookies through their settings. You can usually find these under Settings → Privacy and security. Blocking all cookies, especially essential ones, will prevent you from signing in or using significant portions of the Services. The browser vendors publish guides:
You can also opt out of cross-site tracking using browser features such as Safari's Intelligent Tracking Prevention or Firefox's Enhanced Tracking Protection.
6.4 Vendor Opt-Outs
You can opt out of specific third-party tracking directly with the vendor:
- Google Analytics: install the Google Analytics opt-out browser add-on.
- Google Ads personalization: manage at adssettings.google.com.
- Meta (Facebook) ads personalization: manage in your Meta Ads Preferences.
- TikTok ads personalization: manage in your TikTok privacy settings.
- LinkedIn ads personalization: manage in your LinkedIn ad settings.
- Reddit ads personalization: manage in your Reddit ad personalization settings.
- Industry-wide opt-outs: Your Online Choices (EU), Digital Advertising Alliance (US), and the Network Advertising Initiative (US).
7. Do Not Track
There is no industry consensus on how to respond to a browser "Do Not Track" (DNT) header, and the W3C has discontinued work on the standard. We therefore do not respond to DNT headers, but we do honor Global Privacy Control as described in Section 6.2 and the explicit choice you make in our cookie banner.
8. International Transfers
Some of the cookies described in this policy are set by vendors located outside the European Economic Area, the United Kingdom, or Switzerland. Where those transfers occur, we rely on the same safeguards described in Privacy Policy §9 — primarily the EU-US Data Privacy Framework (for certified recipients) and the European Commission's Standard Contractual Clauses, supplemented by the technical and organizational measures each vendor maintains.
9. Changes to This Policy
We may update this Cookie Policy from time to time — for example, when we add or remove a vendor, change a cookie's purpose, or adjust durations. The "Last updated" date shown at the top of this page reflects the most recent change. For material changes, we will re-prompt you for consent through the cookie banner before resuming use of the affected cookies.
10. Contact
If you have questions about this Cookie Policy or how to exercise your choices:
- Privacy inquiries: privacy@proyecta.dev
- Legal inquiries: legal@proyecta.dev
- General support: support@proyecta.dev
Residents of the EU/EEA may also submit privacy requests through our appointed EU representative's portal at https://app.prighter.com/portal/proyecta. See Privacy Policy §10 for representative details.
Proyecta Labs, Inc. 2803 Philadelphia Pike, Suite B 1708, Claymont, DE 19703, United States