Cookie Policy

Effective Date: November 22, 2025

Last Updated: November 21, 2025

Privacy-First Storage

Lekkalu uses browser storage technologies (localStorage, sessionStorage, IndexedDB, and minimal cookies) to provide a secure, offline-first experience. All financial data is encrypted on your device with AES-256-CBC before it is stored. We use these technologies only for essential functionality, not for tracking or advertising.

Multi-Jurisdiction Compliance

This Cookie Policy complies with:

  • EU ePrivacy Directive (Article 5(3)): "Strictly necessary" exception for essential cookies
  • GDPR Article 5: Transparency and lawfulness of processing
  • UK PECR (Privacy and Electronic Communications Regulations): Post-Brexit cookie rules
  • CCPA/CPRA (California): No "sale" or "sharing" of personal information via cookies
  • Canada PIPEDA: Meaningful consent for non-essential cookies

PWA app: All storage is strictly necessary (no consent banner required).

Landing page: Plausible Analytics (privacy-friendly, cookie-free, self-hosted in Canada); no consent required.

1. What Are Cookies and Storage Technologies?

Cookies are small text files stored on your device by websites you visit. Browser storage technologies (localStorage, sessionStorage, IndexedDB) are similar mechanisms that allow web applications to store data locally for functionality, performance, and user experience.

Lekkalu is a Progressive Web App (PWA) that works offline and stores all your financial data locally on your device. We use these technologies to:

  • Authenticate you securely (remember your login session)
  • Encrypt and store your financial data (transactions, accounts, investments)
  • Cache application state (settings, preferences, UI state)
  • Enable offline functionality (work without internet connection)
  • Improve performance (reduce server requests, instant loading)

2. Storage Technologies We Use

Lekkalu uses four types of browser storage technologies. All are strictly necessary for core functionality:

Technology | Purpose | Duration | Strictly Necessary?
localStorage | Authentication state, Zustand stores (settings, subscriptions, investments) | Until manually cleared or logout | ✅ Yes
sessionStorage | Temporary session data, onboarding state | Until browser tab closed | ✅ Yes
IndexedDB | Encrypted financial data (21 tables: transactions, accounts, investments, goals, etc.) | Until manually deleted or logout | ✅ Yes
Cookies | Supabase authentication (session management) | Session or persistent (configurable) | ✅ Yes

✅ No Consent Banner Required

Under the ePrivacy Directive (Article 5(3)), cookies and storage technologies that are "strictly necessary" for core functionality do NOT require consent. Since Lekkalu cannot function without these storage mechanisms (authentication, data storage, offline capability), we rely on this exception. We do NOT use cookies or storage for tracking, advertising, or analytics within the PWA.

3. localStorage (Persistent Data)

localStorage allows us to store data persistently across browser sessions. We use localStorage for:

3.1 Authentication State

  • Purpose: Remember your login session so you don't have to re-authenticate every time
  • Data stored: Session tokens, user ID (UUID), email verification status
  • Encryption: Session tokens encrypted by Supabase (our auth provider)
  • Duration: Until you log out or manually clear browser data
  • Key prefix: sb-<project-ref>-auth-token

3.2 Zustand Stores (Application State)

We use Zustand (state management library) with localStorage persistence for 12 stores:

  • investmentStore: Cached investment aggregates (portfolio value, unrealized gains)
  • accountStore: Account metadata (names, types, colors - NOT balances)
  • categoryStore: Category definitions and preferences
  • creditCardStore: Credit card metadata (NOT card numbers or CVV)
  • gamificationStore: Achievement progress and stats
  • subscriptionStore: Subscription status cache (Pro vs Free tier)
  • userSettingsStore: App preferences (currency, theme, privacy mode)

Note: Sensitive financial data (balances, transactions, investments) is NOT stored in localStorage. It is encrypted and stored in IndexedDB (see Section 5).

3.3 Other localStorage Keys

  • onboarding-completed: Whether you've completed the initial onboarding flow
  • theme-preference: Light/dark mode setting
  • last-sync-timestamp: When data was last synced from server (for caching)

4. sessionStorage (Temporary Data)

sessionStorage stores data only for the duration of the browser session (until you close the tab). We use it for:

  • Onboarding state: Current step in the onboarding wizard (Steps 1-5)
  • Temporary form data: Multi-step forms to preserve data between steps
  • Navigation state: Return URLs after authentication flows
  • Error messages: Temporary alerts or notifications

Automatic deletion: All sessionStorage data is automatically deleted when you close the browser tab.

5. IndexedDB (Encrypted Database)

IndexedDB is a large-scale, structured database built into your browser. This is where all your financial data is stored, fully encrypted with AES-256-CBC.

5.1 Zero-Knowledge Encryption

🔒 End-to-End Encryption

Before any financial data is written to IndexedDB, it is encrypted on your device using:

  • Algorithm: AES-256-CBC (industry-standard encryption)
  • Key derivation: PBKDF2 with 100,000 iterations (SHA-256)
  • Key source: Your password + user ID (never sent to server)
  • Result: We cannot decrypt your data even if we wanted to

5.2 What's Stored in IndexedDB (21 Tables)

All data is stored in a database named LekkakuDB-v45-[userId] (version 45, per-user isolation):

Table Name | Data Stored | Encrypted?
transactions | Recent 6 months of transactions (income, expenses, transfers) | ✅ Yes
archivedTransactions | Older transactions (loaded on-demand) | ✅ Yes
accounts | Bank accounts, credit cards, investment accounts (balances, types) | ✅ Yes
categories | Spending categories (groceries, rent, entertainment, etc.) | ✅ Yes
goals | Financial goals (target amounts, deadlines, progress) | ✅ Yes
investmentEntries | Stock/fund holdings (symbols, quantities, cost basis) | ✅ Yes
reminders | Recurring transaction reminders (rent, subscriptions) | ✅ Yes
notifications | System notifications (overdue reminders, achievements) | ✅ Yes
achievements | Gamification achievements and progress | ✅ Yes
nudges | Financial tips and suggestions | ✅ Yes
cachedAggregates | Pre-calculated totals (net worth, total income, total expenses) | ✅ Yes
periodAggregates | Daily/weekly/monthly/yearly summaries | ✅ Yes
goalAggregates | Goal progress calculations | ✅ Yes
categoryAggregates | Category spending breakdowns | ✅ Yes
investmentAggregates | Portfolio values and unrealized gains | ✅ Yes
userSettings | Preferences (currency, theme, privacy mode) | ✅ Yes
encryptionMetadata | Encryption salt and initialization vectors | ⚠️ Partial
auditLogs | Security audit trail (login attempts, data exports) | ✅ Yes
firedNotificationLogs | Notification delivery history | ✅ Yes

Total storage: Typically 5-50 MB depending on usage (transactions, investments, etc.). All data remains on your device.
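
The scheme listed in Section 5.1 (PBKDF2-SHA256 at 100,000 iterations feeding AES-256-CBC), shown as an added example that is not Lekkalu's own code. How the password and user ID are combined, the random salt, the per-record IV and the record layout are assumptions; the salt and IV are not secret and have to stay readable so the key can be re-derived and the record decrypted.

```javascript
// Added illustration, not Lekkalu's code; names and record layout are hypothetical.
const nodeCrypto = require('node:crypto');

const ITERATIONS = 100000; // PBKDF2 iteration count stated in the policy
const KEY_BYTES = 32;      // 256-bit key for AES-256-CBC
const IV_BYTES = 16;       // AES block size

// Derive the key from password + user ID. How the two are combined is an
// assumption: the user ID is prefixed to the password, with a random salt.
function deriveKey(password, userId, salt) {
  const material = Buffer.from(`${userId}:${password}`, 'utf8');
  return nodeCrypto.pbkdf2Sync(material, salt, ITERATIONS, KEY_BYTES, 'sha256');
}

// Encrypt one record with a fresh random IV. CBC needs an unpredictable IV per
// message; the IV is not secret and is stored next to the ciphertext.
function encryptRecord(key, record) {
  const iv = nodeCrypto.randomBytes(IV_BYTES);
  const cipher = nodeCrypto.createCipheriv('aes-256-cbc', key, iv);
  const body = Buffer.concat([cipher.update(JSON.stringify(record), 'utf8'), cipher.final()]);
  return { iv: iv.toString('base64'), ciphertext: body.toString('base64') };
}

function decryptRecord(key, stored) {
  const iv = Buffer.from(stored.iv, 'base64');
  const decipher = nodeCrypto.createDecipheriv('aes-256-cbc', key, iv);
  const body = Buffer.concat([decipher.update(Buffer.from(stored.ciphertext, 'base64')), decipher.final()]);
  return JSON.parse(body.toString('utf8'));
}

// True when the key cannot recover the record (bad padding or unparsable bytes).
// CBC alone carries no integrity tag, so this is not a tamper check.
function failsToDecrypt(key, stored) {
  try { decryptRecord(key, stored); return false; } catch (err) { return true; }
}

// Constructed sample values, for demonstration only.
function demo() {
  const salt = nodeCrypto.randomBytes(16); // stored unencrypted so the key can be re-derived
  const key = deriveKey('correct horse battery staple', 'user-0001', salt);
  const stored = encryptRecord(key, { account: 'Chequing', balance: 1250.75 });
  const otherUser = deriveKey('correct horse battery staple', 'user-0002', salt);
  return { stored, roundTrip: decryptRecord(key, stored), otherUserBlocked: failsToDecrypt(otherUser, stored) };
}
```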

6. Cookies (Minimal Usage)

Lekkalu uses minimal cookies, primarily for authentication. All cookies are first-party (set by Lekkalu or Supabase on our behalf) and strictly necessary.

6.1 Authentication Cookies (Supabase)

  • Cookie name: sb-<project-ref>-auth-token
  • Purpose: Maintain your login session securely
  • Type: HttpOnly, Secure, SameSite=Lax (prevents CSRF attacks)
  • Duration: Session or persistent (configurable, default: 7 days)
  • Domain: .lekkalu.app (first-party)
  • Strictly necessary: Yes (cannot function without authentication)

6.2 No Tracking or Advertising Cookies

✅ Privacy Guarantee

We do NOT use cookies for:

  • Tracking your browsing behavior
  • Advertising or remarketing
  • Analytics within the PWA (landing page uses Plausible, which is cookie-free)
  • Cross-site tracking or fingerprinting
  • Third-party marketing or data sharing

7. Third-Party Cookies & Storage

Third-party services we use may set their own cookies or storage. We use only privacy-respecting services:

7.1 Plausible Analytics (Landing Page Only)

  • What it is: Privacy-friendly web analytics (self-hosted in Canada)
  • Cookies: None (Plausible is 100% cookie-free)
  • Data collected: Page views, referrers, country (NOT personal data, no IP addresses stored)
  • Scope: Landing page only (lekkalu.app) - NOT the PWA app (app.lekkalu.app)
  • Compliance: GDPR, PECR, CCPA, PIPEDA compliant - no consent required
  • Privacy Policy: plausible.io/privacy
  • Open source: Plausible is open-source and auditable (GitHub)

✅ Why No Consent Banner?

Plausible Analytics does NOT:

  • Use cookies or persistent identifiers
  • Track users across websites
  • Collect personal data (name, email, IP address)
  • Create user profiles or fingerprints
  • Sell or share data with third parties

Under GDPR and PECR, consent is NOT required for privacy-respecting analytics that don't use cookies or process personal data. This is why we don't show a cookie banner on the landing page.

7.2 Supabase (Auth & Database)

  • Cookies: Authentication tokens (first-party, HttpOnly)
  • localStorage: Session refresh tokens
  • Purpose: User authentication and session management
  • Privacy policy: supabase.com/privacy

7.3 Cloudflare (Hosting & CDN)

  • Cookies: __cflb (load balancing), __cf_bm (bot management)
  • Purpose: Security (DDoS protection), performance (CDN caching)
  • Duration: Session or 30 minutes
  • Strictly necessary: Yes (essential for security and availability)
  • Privacy policy: cloudflare.com/privacypolicy

7.4 No Third-Party Tracking

We do NOT use: Google Analytics, Facebook Pixel, advertising networks, or any third-party tracking tools within the PWA.

8. Why We Don't Need Consent (Strictly Necessary)

Under the ePrivacy Directive (Article 5(3)) and GDPR, cookies and storage technologies that are "strictly necessary" for core functionality do NOT require user consent.

8.1 Legal Definition of "Strictly Necessary"

Storage is considered strictly necessary if:

  • It is essential for providing the requested service
  • The service cannot function without it
  • It is not used for secondary purposes (tracking, advertising)

8.2 Why Lekkalu's Storage Qualifies

✅ All Storage is Strictly Necessary

Lekkalu is a personal finance management app. Without browser storage, we cannot:

  • Authenticate users: Cannot identify who you are (cookies, localStorage)
  • Store financial data: Cannot save transactions, accounts, investments (IndexedDB)
  • Work offline: Cannot function without internet (service worker + storage)
  • Encrypt data: Cannot secure your data without local encryption keys (PBKDF2 + storage)
  • Remember preferences: Cannot recall currency, theme, or settings (localStorage)

Conclusion: 100% of our storage usage is strictly necessary. We do NOT need a consent banner under EU law.

8.3 Transparency Over Consent

While we don't legally require consent, we believe in transparency. This Cookie Policy explains exactly what we store, why, and how you can control it. You always have the right to:

  • Clear your browser storage (removes all local data)
  • Export your data (download encrypted backup)
  • Delete your account (removes server-side data)

9. Your Control & Rights

You have full control over the data stored in your browser:

9.0 California Cookie Opt-Out Rights (CCPA/CPRA)

California Residents

Under CCPA and CPRA, California residents have the right to opt-out of the "sale" or "sharing" of personal information via cookies and tracking technologies.

Good news: Lekkalu does NOT sell or share personal information via cookies. We do NOT use:

  • Advertising cookies (Google Ads, Facebook Pixel, etc.)
  • Cross-site tracking cookies
  • Retargeting or remarketing pixels
  • Third-party analytics with personal data sharing (Google Analytics)
  • Data broker integrations

Therefore, no opt-out is required. You do NOT need to use browser extensions like "Do Not Sell My Personal Information" buttons or Global Privacy Control (GPC) signals—though we respect GPC if you choose to enable it.

9.1 Clear Storage via Browser Settings

You can manually clear all storage at any time:

  • Chrome: Settings → Privacy and security → Clear browsing data → Cookies and site data, Cached files
  • Firefox: Settings → Privacy & Security → Cookies and Site Data → Clear Data
  • Safari: Preferences → Privacy → Manage Website Data → Remove All
  • Edge: Settings → Privacy, search, and services → Clear browsing data

Warning: Clearing storage will log you out and delete all local financial data. Make sure to export a backup first (Settings → Backup & Restore).

9.2 Clear Storage via Lekkalu App

  • Logout: Settings → Logout (clears authentication tokens and Zustand stores)
  • Delete account: Settings → Account → Delete Account (removes all data from IndexedDB and server)

9.3 Export Your Data (Portability)

  • Encrypted backup: Settings → Backup & Restore → Export Encrypted Backup (ZIP file with all IndexedDB data)
  • CSV exports: Transactions → Export CSV, Accounts → Export CSV (human-readable format)
  • Decrypted JSON: Settings → Data Portability → Download All Data (requires password)

9.4 Block Cookies (Not Recommended)

You can block cookies in your browser settings, but Lekkalu will not function without authentication cookies. Blocking cookies will prevent login and access to your financial data.

10. Storage Duration & Retention

Storage Type | Retention Period | Deletion Method
localStorage (auth) | Until logout or manual clear | Automatic on logout
localStorage (Zustand) | Until logout or manual clear | Automatic on logout
sessionStorage | Until browser tab closed | Automatic on tab close
IndexedDB | Until account deletion or manual clear | Settings → Delete Account
Cookies (auth) | 7 days (default) or session | Automatic on logout or expiry

Note: Deleting your account removes all server-side data (email, user ID) within 30 days. Local data (IndexedDB) is deleted immediately but may remain in browser cache until you clear it manually.

11. Security Measures

We implement multiple layers of security to protect data stored in your browser:

11.1 Encryption (AES-256-CBC)

  • All financial data encrypted before storage in IndexedDB
  • Key derivation: PBKDF2 with 100,000 iterations (prevents brute-force attacks)
  • Unique keys per user: Password + user ID (never shared across accounts)

11.2 HttpOnly Cookies (CSRF Protection)

  • HttpOnly flag: Prevents JavaScript access to cookies (XSS protection)
  • Secure flag: Cookies only sent over HTTPS (prevents interception)
  • SameSite=Lax: Prevents cross-site request forgery (CSRF)

11.3 Per-User Database Isolation

  • Separate IndexedDB per user: LekkakuDB-v45-[userId]
  • No cross-user access: Cannot read other users' data even on shared device
  • Automatic cleanup: Old databases deleted on logout

11.4 Input Sanitization (XSS Prevention)

  • All user inputs sanitized before storage (DOMPurify)
  • Script tags blocked: Prevents stored XSS attacks
  • Content Security Policy: Restricts inline scripts and external resources

11.5 Browser Sandbox Protections

Browser storage technologies (localStorage, IndexedDB, cookies) are subject to browser security policies:

  • Same-Origin Policy: Other websites CANNOT access Lekkalu's storage (enforced by browser)
  • Secure contexts (HTTPS): Cookies and storage only accessible over encrypted connections
  • Private browsing mode: Storage is automatically cleared when you close the browser
  • Incognito mode: Storage is session-only and never persisted to disk
  • Browser isolation: Each browser profile has separate storage (Chrome Profile 1 vs. Profile 2)

11.6 Third-Party Cookie Blocking

Modern browsers (Safari, Firefox, Brave) block third-party cookies by default. Lekkalu only uses first-party cookies (set by lekkalu.app domain), so we are NOT affected by third-party cookie blocking.

Upcoming changes (2025-2026): Google Chrome will phase out third-party cookies entirely. This does NOT affect Lekkalu as we don't use them.

12. Changes to This Policy

We may update this Cookie Policy from time to time to reflect changes in our practices, legal requirements, or new features. When we make changes:

  • Notice: We will update the "Last Updated" date at the top of this page
  • Material changes: We will notify you via email or in-app notification
  • Review: We encourage you to review this policy periodically
  • Continued use: Using Lekkalu after changes constitutes acceptance

Version history: Previous versions of this Cookie Policy are available upon request (see Contact Us below).

13. Contact Us

If you have questions about this Cookie Policy, browser storage, or your data rights, please contact us:

Response Time: We aim to respond to all privacy inquiries within 30 days (GDPR/PIPEDA requirement).

Your Rights: Under PIPEDA and GDPR, you have the right to access, correct, delete, or port your data. Contact us to exercise these rights. See our Privacy Policy for details.