Home/Cookie Policy
Legal Document

Cookie Policy

Last Updated: July 2026

1. What this policy covers

This policy explains the cookies used across all three Capmatter surfaces - the Marketing Website (capmatter.com), the Financial OS (app.capmatter.com), and Founder Circle (community.capmatter.com) - which share a single sign-in session across one apex domain.

2. Cookies we use

Strictly necessary - authentication

We use Supabase Auth session and refresh-token cookies to keep you signed in. These are set on the shared apex domain so that signing in on one Capmatter app (for example, the Financial OS) keeps you signed in on the others (for example, Founder Circle) without signing in again.

  • Purpose: authenticate requests, maintain your signed-in state, protect against cross-site request forgery.
  • Attributes: SameSite=Lax, Secure in production, scoped to the shared Capmatter domain.
  • Lifetime: tied to your Supabase session and refresh-token lifetime - cleared on sign-out, and invalidated immediately if you delete your account or trigger a security-related session revocation.
  • Third party: no - set and read only by Capmatter's own servers via Supabase, our authentication infrastructure provider.

Strictly necessary - preferences

A small local preference (such as light/dark theme) may be stored in your browser to avoid a flash of the wrong theme on load. This never leaves your device and is not used for tracking.

What we do NOT use

  • No advertising or marketing cookies
  • No cross-site behavioral tracking
  • No third-party analytics trackers (Google Analytics, Meta Pixel, etc.)
  • No cookie-based fingerprinting

3. Why the authentication cookie isn't marked httpOnly

Founder Circle's interactive features (likes, comments, posts, follows) write directly from your browser to our database for responsiveness, which requires the session cookie to be readable by that client-side code. This is a deliberate, documented tradeoff, not an oversight - it is compensated by SameSite=Lax (which blocks the cross-site request patterns that tradeoff would otherwise expose you to), enforced HTTPS in production, and server-side authorization checks on every write that never trust the cookie's mere presence alone. See our Security Policy for more detail.

4. Do we need your consent?

Because every cookie Capmatter sets is strictly necessary for the platform to function (there is no cookie you could decline without breaking sign-in), we do not display a cookie-consent banner. You consent to their use by creating an account and signing in, as described in our Privacy Policy.

5. Managing cookies

You can clear or block cookies through your browser settings at any time. Doing so will sign you out of Capmatter and prevent you from staying signed in until you sign in again.

6. Changes to this policy

If we ever introduce a new category of cookie (for example, an optional analytics cookie), we will update this policy and, where required by law, request your consent before setting it.

7. Contact

Questions about this Cookie Policy: support@capmatter.com.

Important Notice

Capmatter does not use advertising or cross-site tracking cookies anywhere in the platform. Every cookie described below exists to keep you signed in and your session secure.