Cookie policy.
Essential cookies keep sign-in and checkout working. Analytics is optional. No advertising cookies today. Affiliate referrals use a ?ref= parameter, a cookie, and localStorage.
Essential cookies keep sign-in and checkout working. Analytics is optional. No advertising cookies today. Affiliate referrals use a ?ref= parameter, a cookie, and localStorage.
TL;DR
This policy is issued by Selr Group Pty Ltd, the operator of Loup. Three things worth knowing before the detail: essential cookies (sign-in sessions, Stripe’s fraud prevention at checkout, security controls) are always on because the platform breaks without them; analytics (PostHog) is optional and consent-gated where the law requires; and we use localStorage plus a ?ref= URL parameter, not just cookies, to credit affiliate referrals. We use no advertising cookies today.
What do we use them for?
- Keeping you signed in: your Supabase authentication session lives in cookies. Clear them and you are signed out.
- Keeping checkout safe: Stripe sets fraud-prevention cookies during payment so stolen-card attacks are harder.
- Security and rate limiting: identifiers that help us tell legitimate traffic from abuse.
- Remembering preferences: your cookie consent choice and in-app preferences, stored locally.
- Understanding product usage: PostHog analytics, where you have permitted it.
- Crediting referrals: recording which affiliate referred you so their commission can be paid if you buy.
Who sets them?
First-party storage is set on our own domain: the Supabase authentication cookies, the consent and preference keys, and the affiliate referral cookie and localStorage entry. Third-party cookies are set by another company’s domain. On Loup that means two named parties: Stripe, whose fraud-prevention cookies appear when you reach checkout and are governed by Stripe’s privacy policy, and PostHog, our analytics provider (US cloud), which only runs subject to your choices described below. No other third party sets cookies through Loup.
A clarification on Supabase, since the name appears in the table: Supabase provides our authentication layer, but its session cookies are set on our own domain and read only by us. They behave as first-party cookies in every way that matters, and Supabase does not use them to track you across other sites.
What categories do we use?
| Category | Examples | Approximate lifetime |
|---|---|---|
| Essential (always on) | Supabase auth session cookies; Stripe fraud-prevention cookies at checkout; security and rate-limit identifiers; your consent choice itself | Session cookies last while you stay signed in; the consent record persists for roughly a year; Stripe controls its own lifetimes |
| Functional and analytics (optional) | PostHog analytics identifiers (ph_*); in-app preference keys in localStorage | Analytics identifiers up to roughly a year; localStorage persists until cleared |
| Advertising | None today. The category is reserved: if we ever introduce advertising cookies, they will be off by default and used only with consent | Not applicable |
Essential storage carries no consent gate, deliberately. Blocking Stripe’s fraud cookies would break checkout, and blocking session cookies would break sign-in; a consent banner that pretends otherwise would be theatre.
Lifetimes are stated as approximations on purpose: providers tune them, browsers cap them (some cap script-set storage to days rather than months), and a precise number printed here would drift out of date faster than the page gets reviewed. The category and purpose are the stable facts; treat the durations as order-of-magnitude.
How does affiliate attribution work?
Affiliates earn commissions on sales they refer, and the plumbing is worth disclosing precisely. When you open a link containing a ?ref= parameter, we read the referral code from the URL and store it in a first-party cookie and in localStorage. The stored value is the affiliate’s code, not anything about you. If you later make a purchase while the code is still present, the sale is attributed to that affiliate and their commission is calculated from it. The affiliate sees aggregate referral statistics, not your identity. Clearing your cookies and localStorage removes the stored code, and with it the attribution.
What attribution is not: it is not an advertising profile, it does not follow you to other websites, and the stored code says nothing about you, only about who shared the link. We disclose it this thoroughly because URL parameters and localStorage sit outside what most cookie policies bother to mention, and we would rather over-explain than have you find it in your devtools unannounced.
What are your choices?
- The banner. On first visit the cookie banner asks for your choice, and its manage link reopens your settings at any time so you can change your mind. Declining analytics stops PostHog from running.
- Jurisdiction defaults. If you are in the EEA or UK, non-essential cookies stay off until you opt in: prior consent, as the law there requires. In Australia, the US, and elsewhere, we operate on notice and opt-out: analytics may run by default, and the banner and manage link let you switch it off.
- Your browser. Every browser can block or delete cookies and localStorage for our domain. Deleting them signs you out and resets your preferences, and the site keeps working otherwise.
What each choice actually changes: accepting analytics loads PostHog and its ph_* identifiers; declining or withdrawing stops PostHog from loading on future page views. Essential cookies are unaffected by any banner choice, for the checkout and sign-in reasons given above.
Changes and contact
If we add a cookie category or a new setter, this page changes first and the date at the top moves. Introducing advertising cookies would also trigger a fresh consent request rather than a quiet default. Questions about this policy go to support@selrgroup.com.au; the entity responsible is Selr Group Pty Ltd (ABN 41 662 328 056), Queensland, Australia. Related reading: the Privacy policy for what happens to data after collection.
Have questions about this policy?
Get in touch - we'd rather give you a straight answer than make you read between the lines.