HiringCoachAI

Cookie policy

Last reviewed 2026-05-18

What are cookies

Cookies are small text files your browser stores on your device. Similar technologies include localStorage, sessionStorage, pixel tags, and mobile SDKs. This policy refers to all of these as "cookies".

Categories we use

We group cookies into three consent categories. Essential cookies and essential app storage are always on because they are needed for sign-in, security, and requested product workflows. Analytics and marketing require your consent, which you can change any time in the banner or at /cookies.

1. Essential (always on)

Required to deliver the service. Disabling these breaks core functionality.

Cookie | Purpose | Duration
__Secure-next-auth.session-token / next-auth.session-token | Authenticate your session | Up to 7 days (customer) / 12 hours (admin)
__Host-next-auth.csrf-token / __Secure-next-auth.csrf-token | CSRF protection | Session
__Secure-next-auth.pkce.code_verifier | OAuth PKCE flow | Session
cookie_consent | Remembers your cookie preferences | 12 months

2. Essential app storage (always on)

Remember preferences and preserve requested workflows. No third-party tracking.

Cookie | Purpose | Duration
theme | Light / dark / system theme preference | 12 months
onboarding_step | Where you are in onboarding | 30 days

3. Analytics (consent required)

Help us understand which features are used and where users get stuck. Data is processed by:

  • Vercel Analytics: site-level traffic and performance telemetry
  • Amplitude: product analytics
  • Mixpanel: product analytics
  • Hotjar: session replays with input masking; no passwords or form contents captured
  • Google Analytics / Google Tag Manager (GTM): web analytics; IP anonymization on
  • PostHog: product analytics (event capture, funnels). Distinct ID is the Firebase UID when signed-in; email is attached only after analytics consent.

These tools are initialized only after analytics consent. The PostHog client SDK loads in opted-out-by-default mode and only begins capturing events after analytics consent is granted; revocation immediately stops capture and clears the PostHog distinct ID. Google Tag Manager is injected only after analytics or marketing consent, and Google Consent Mode is set to denied by default before any Google tag can run.

4. Marketing (consent required)

Measure campaign effectiveness and show relevant ads on partner platforms.

  • Meta Pixel (Facebook): conversion measurement via Conversions API with hashed identifiers only
  • Google Ads / Google Tag Manager (GTM) marketing tags: conversion tracking

Your choices

  • Banner: on your first visit (and again when you clear cookies), you can accept all, reject all, or choose per-category.
  • Account settings: change your choices any time at /settings/privacy.
  • Browser controls: you can block cookies at the browser level. Blocking essential cookies may prevent sign-in.
  • Do Not Track: we honor Global Privacy Control (GPC) signals as a "do not sell / do not share" opt-out under CPRA.

Withdrawing consent takes effect immediately; we won't block your access to the site.

How we record your consent

When you make a choice in the cookie banner, we record:

  • Which consent categories you accepted (analytics, marketing, or essential-only)
  • The version of the consent notice you saw
  • The timestamp of your choice

If you are signed in, this record is persisted to your account so your choice follows you across devices. If you are not signed in, it is stored locally in your browser.

Consent change events are also appended to the application audit log and retained for 2 years per the data retention policy as evidence of your decision.

If we make a material change to the categories of cookies or the trackers we use (for example, adding a new analytics provider), we increment the consent-notice version and re-prompt you. Your prior consent then applies only to the previous version; you choose afresh for the new one.

Sub-processor links

Provider | Privacy policy
Google | policies.google.com/privacy
Amplitude | amplitude.com/privacy
Mixpanel | mixpanel.com/legal/privacy-policy
Hotjar | hotjar.com/legal/policies/privacy
Meta | facebook.com/privacy/policy
PostHog | posthog.com/privacy
Sentry | sentry.io/privacy
Vercel | vercel.com/legal/privacy-policy

See hiringcoach.ai/sub-processors for our full list.

Changes

We review this policy annually and update it when we add or remove trackers. Material changes are communicated through the banner re-opening and, where required, by email.

Contact

Questions: [email protected]

