LEGAL
Cookie Policy
What cookies and similar technologies we use, what we never use, and how to manage them.
Last updated: 23 March 2026
xNord Ltd · Registered in England and Wales · legal@xnord.co.uk
Who this applies to
This Cookie Policy applies to visitors and signed-in users of xnord.co.uk and our web application. It should be read together with our Privacy Policy, which explains how we process personal data more broadly.
Cookies and similar technologies
Cookies are small text files stored on your device when you visit a site. They often contain an identifier, an expiry time, and sometimes payload data the site needs to recognise your browser across pages or visits.
We also use browser local storage for a few first-party preferences that are not HTTP cookies but behave similarly from a privacy perspective (they persist on your device until removed). We list those keys separately below.
Cookies may be session (removed when you close the browser, depending on browser settings) or persistent (kept until they expire or you delete them).
How we obtain your consent
When you first visit xnord.co.uk, a banner may ask you to choose between Essential only and Accept all (the second option appears only where product analytics is configured for the site).
- Essential only: we run the site and authentication; we do not load optional analytics that use extra cookies or analytics local storage from PostHog.
- Accept all: we may initialise PostHog product analytics, which can set its own first-party cookies and/or use local storage as described in the analytics section below.
- Continue (where analytics is not configured): records an essential-only choice so the banner does not repeat on every visit.
Your choice is stored in browser local storage under the key xnord_cookie_consent_v1 (values essential or all). Clearing site data for xnord.co.uk will reset this and the banner may appear again.
Essential cookies (always)
These cookies are strictly necessary to operate sign-in and secure access. They are set by our stack (Next.js and Supabase Auth via @supabase/ssr). We do not use them for advertising.
| Name (pattern) | Provider | Purpose | Typical duration |
|---|---|---|---|
| sb-<project-ref>-auth-tokenOptional split cookies: same name with suffixes such as .0, .1 when the session payload is large. | Supabase (first-party) | Stores your authenticated session with xNord (session payload managed by Supabase Auth; cookie attributes such as Secure and SameSite follow Supabase and browser defaults). Required to keep you logged in, refresh the session, and protect routes. | Persistent; default session length is governed by Supabase project auth settings (often up to several weeks with refresh). Expires or is cleared when you sign out or cookies are deleted. |
<project-ref> is a short identifier derived from your Supabase project URL — it appears in the cookie name on your device. We do not control the exact cookie attribute names if Supabase updates their client library; the pattern above reflects current @supabase/ssr behaviour.
Optional analytics cookies and storage (after “Accept all”)
If you choose Accept all and analytics is enabled for the deployment, we load PostHog (PostHog Inc. or your configured region host). PostHog's browser SDK may:
- Set first-party cookies whose names typically relate to your project key (often prefixed with
ph_). Exact names can change with PostHog versions. - Use local storage alongside or instead of cookies for persistence, per our configuration (
localStorage+cookiepersistence mode). - Send event data (for example page views and in-app events) to PostHog's servers. Session replay is disabled in our integration.
| Technology | Provider | Purpose | Duration |
|---|---|---|---|
| PostHog cookies / local storage (identifiers) | PostHog | Distinguish visitors, associate events with a pseudonymous ID, and maintain SDK state. Used only for product analytics, not for third-party advertising. | As set by PostHog (often persistent for months unless you clear site data). Removed from our perspective when you clear xnord.co.uk storage or withdraw consent by clearing the consent key and reloading (analytics will not re-initialise until you accept again). |
PostHog's own documentation and privacy materials describe their processing in detail: see posthog.com/privacy.
Local storage (first-party, not cookies)
These keys are set by our site JavaScript in your browser. They are not sent automatically with every HTTP request like cookies, but we list them here for transparency.
| Key | Purpose | Typical duration |
|---|---|---|
| xnord_cookie_consent_v1 | Remembers your cookie banner choice (essential or all). | Until you clear site data |
| xnord-banner-v4 | Remembers dismissal of the top announcement banner on the marketing site. | Until you clear site data |
| xnord-roadmap-interests | Stores which roadmap items you have marked as interested (JSON object of feature IDs). | Until you clear site data |
Third-party sites and payment flows
When you use Stripe Checkout or the Stripe customer portal, Stripe may set cookies on stripe.com or related domains to process payments and prevent fraud. Those cookies are controlled by Stripe under their policies, not by this table. We do not run Stripe's scripts for card data on our own origin beyond what our integration requires.
What we do not use
We do not use:
- Advertising or behavioural targeting cookies on xnord.co.uk
- Google Analytics on our site
- Facebook Pixel or other social advertising pixels
- Third-party marketing networks that track you across unrelated sites
Optional PostHog analytics is first-party product analytics only, and only loads after you opt in via Accept all where that button is shown.
Legal bases (UK / EEA)
Essential cookies are used on the basis that they are strictly necessary to provide a service you request (sign-in and security). Where UK PECR / ePrivacy rules require consent for non-essential storage, we rely on your choice in the cookie banner for optional analytics. For more on legal bases and rights, see our Privacy Policy.
How to manage cookies and storage
You can control cookies and site data through your browser. Common paths:
- Chrome: Settings → Privacy and security → Third-party cookies / Site settings
- Firefox: Settings → Privacy & Security → Cookies and Site Data
- Safari: Settings → Privacy → Manage Website Data
- Edge: Settings → Cookies and site permissions
Blocking or deleting essential authentication cookies will break sign-in: you may be logged out immediately or unable to stay signed in. Blocking only optional analytics is achieved by choosing Essential only in our banner (or never choosing Accept all).
Changes to this policy
We update this Cookie Policy when we change technologies, vendors, or legal requirements. The current version is always published at xnord.co.uk/cookies with the "Last updated" date in the page header.
Contact
Questions about cookies or this policy: legal@xnord.co.uk