Cookie Notice

This notice explains the cookies, local-storage entries, and similar technologies Tibly uses on the marketing site and in the product, what each one does, how long it lasts, and how to turn off the ones you don't want.

Effective June 24, 2026

1. What we use and why

Cookies and similar technologies (local storage, session storage, web beacons) are small bits of data a website asks your browser to store. Tibly uses them for a deliberate set of purposes: keeping you logged in, remembering how you arrived at the site, anti-abuse on forms, and product analytics including session replay. We don't use cookies for cross-site advertising and we don't sell the information they contain.

2. Categories we use

  • Strictly necessary: Required for the product to work — the sign-in session cookie and the Turnstile anti-abuse cookie on forms that collect your email. You can't turn these off without breaking the product.
  • Functional: Remember things across sessions — the marketing-attribution cookie that tells our team which paid campaign brought you in, and the theme preference local-storage entry.
  • Analytics: Help us understand which features are used, where the product breaks, and how visitors move through the site. We use Mixpanel (including session replay) and, when configured in production, Google Analytics. The specific entries each one sets are listed in section 3.
  • Support: Power the live chat in the bottom-right corner of the marketing site so you can ask us a question without leaving the page. We use Intercom, which sets a small number of identifiers on your browser so a conversation you start now is still attributed to you when you return later. The specific entries are listed in section 3.
  • Marketing: Tibly does not currently use marketing or advertising cookies. If we ever do, this notice will be updated first and a consent banner will appear on this site.

3. Specific cookies and storage we set

The table below lists every cookie, local-storage entry, and session-storage entry Tibly sets directly. Third-party providers (Stripe, Cloudflare, Google) may set additional entries when their widgets load; we link to their notices in section 5.

| Name | Set by | Purpose | Type | Lifespan |
| --- | --- | --- | --- | --- |
| session_token | Tibly | Keeps you signed in to the product. HttpOnly so JavaScript on the page cannot read it; SameSite=Lax; Secure so it is sent only over HTTPS in production. The value held in your browser is a random opaque string; the database stores only the SHA-256 hash, so a database leak alone cannot be used to impersonate you. | Cookie · HttpOnly · SameSite=Lax · Secure (HTTPS) | Until the server-side session expires (typically 30 days from sign-in) |
| tibly_attr | Tibly | Remembers the most recent paid touch (any landing with a utm_* query parameter) so the signup form can attribute the lead. Organic landings never overwrite an existing paid value. | Cookie · SameSite=Lax · Secure (on HTTPS) | 90 days |
| mp_<token>_mixpanel and related mp_* entries | Mixpanel | Anonymous distinct id, event queue, and session-replay buffer used to measure feature use, reconstruct page renders for product debugging, and stitch the acquisition funnel from first visit through sign-up. Set on first visit (including marketing-site visits) and persisted across sign-in. Not set when the browser sends Global Privacy Control. | Local storage | Persistent until cleared |
| intercom-id-<app_id>, intercom-session-<app_id>, intercom-device-id-<app_id> (plus matching local-storage entries) | Intercom | Identify your browser to Intercom's support chat (the bubble in the bottom-right of the marketing site) so a conversation you start on one visit is still attached to you on the next. Set on first marketing visit when the chat is enabled. Not set when the browser sends Global Privacy Control. | Cookie / local storage | Up to 9 months (cookies); local storage persistent until cleared |
| tibly_intercom_auto_open_v1 | Tibly | Remembers that the support-chat welcome popup has already been auto-opened for this browser so it does not re-open on every page load. | Local storage | Persistent until cleared |
| _ga, _ga_<measurement-id> | Google Analytics | Aggregate site-traffic reporting — only set when NEXT_PUBLIC_GA_MEASUREMENT_ID is configured in production. | Cookie | Up to 2 years |
| cf_chl_* and Turnstile widget state | Cloudflare Turnstile | Anti-abuse on the signup and hero email-capture forms — verifies you're a real person without showing a CAPTCHA puzzle. | Cookie / local storage | Session |
| __stripe_mid, __stripe_sid | Stripe | Fraud-detection identifiers set only when the Stripe checkout / billing-portal widgets load on /pricing or in-product upgrade flows. | Cookie | Up to 1 year |

4. Session replay and analytics

Tibly uses Mixpanel for product analytics on every visit, including marketing-site visits before sign-in. Marketing visits use an anonymous distinct id, which is merged into your user id when you sign in so the acquisition funnel reads as one journey. Mixpanel records a session replay (a video-like reconstruction of how the page rendered) for 100% of sessions. We have disabled Mixpanel's default text- and input-masking, so the replay captures both the text content rendered on the page and the values you type into form fields — including free-text inputs (research-column prompts, agent-chat messages, search queries) and keystrokes in the password fields on the sign-in, password-reset, and password-setup pages. Payment card numbers are not captured because Stripe Checkout is hosted on a Stripe domain, not on a Tibly page. Two categories of visit are excluded: browsers sending the Global Privacy Control signal (see section 7), and internal Tibly employee accounts (any email ending in @tibly.ai), which are opted out at identify time so the SDK stops sending events and recording replay for the rest of the session.

You can ask us to delete your analytics history at any time by emailing privacy@tibly.ai. We honour the Global Privacy Control browser signal as an opt-out of analytics and session replay for your visit — see section 7.

5. Third-party providers and their notices

Some pages load widgets from the providers below. Each provider operates under its own privacy and cookie policies; we link to them so you can review what they set.

  • Stripe — payment processing on /pricing and the in-product upgrade flow (stripe.com/privacy).
  • Cloudflare — Turnstile anti-abuse widget on marketing forms (cloudflare.com/privacypolicy).
  • Google — Maps Static API thumbnails on project cards, Google Analytics when configured, and OAuth sign-in if you choose Sign in with Google (policies.google.com/privacy).
  • Mixpanel — product analytics and session replay (mixpanel.com/legal/privacy-policy).
  • Intercom — support chat on the marketing site (intercom.com/legal/privacy).

6. How to control cookies

Browser controls let you block or clear cookies, configure exceptions, and clear local storage. Each major browser documents this in its settings; the specifics differ but all of them support per-site controls.

  • Chrome: Settings → Privacy and security → Cookies and other site data.
  • Safari: Preferences → Privacy → Manage Website Data.
  • Firefox: Settings → Privacy & Security → Cookies and Site Data.
  • Edge: Settings → Cookies and site permissions → Manage and delete cookies and site data.

If you block strictly necessary cookies, the product will not work — you won't be able to sign in. Blocking analytics has no impact on functionality.

7. Global Privacy Control

Tibly honours the Global Privacy Control (GPC) signal as an opt-out of sale/share under CCPA and as an opt-out of analytics, session replay, and the marketing-site support chat. If your browser sends GPC, neither the Mixpanel SDK nor the Intercom Messenger script is loaded for your visit — no analytics events are sent, no replay is captured, and no mp_* or intercom-* entries are written to your local storage. Most major privacy-respecting browsers send GPC by default; in Chrome and Edge, an extension is required.

8. Changes to this notice

When we add or remove a cookie or storage entry, this notice is updated on the same change. The effective date in the header always reflects the most recent material update.