How we use cookies.
The short version: a session cookie so you stay logged in, a language cookie so the app remembers EN or AR, and that’s essentially it. No ad pixels, no third-party trackers stitching you across the web, no analytics today. The long version is below.
1. What cookies we use
A cookie is a small text file a site stores in your browser. We split cookies into four standard categories: strictly necessary (the app cannot function without them), functional (preferences that make the app nicer to use), analytics (aggregate usage measurement), and marketing (advertising and cross-site tracking). Today we set cookies in only two of those four buckets. The other two are listed for transparency.
| Category | Examples | Lifetime | Purpose |
|---|---|---|---|
| Strictly necessary | __Secure-better-auth.session_token | 30 days | Login session on app.bluewhalefincore.com |
| Functional | locale | 365 days | EN / AR language preference (our domain) |
| Analytics | None today | — | Plausible or PostHog may be added post-pilot; we’ll update this page and the consent banner first. |
| Marketing | None | — | We do not run ad pixels. Ever. No remarketing tags, no Facebook pixel, no Google Ads conversion tags. |
The session cookie is set with the HttpOnly, Secure, and SameSite=Lax attributes. HttpOnly means JavaScript on the page cannot read it, and the value is signed by better-auth. The locale cookie holds the string en or ar — nothing else.
2. Third-party cookies
A few third-party domains are loaded by the app for specific, narrow reasons. None of them are used to build advertising profiles. The list:
- Google Fonts (fonts.gstatic.com) — serves the font files used across the marketing site and app. Google Fonts does not set cookies on requests for font assets and does not log IP addresses in identifiable form, per their documented policy. We use it for performance, not analytics.
- Stripe (only on /settings/billing inside the app) — loads the Stripe.js library to render the payment form. Stripe may set a __stripe_mid session cookie to detect fraud. This loads only when you visit the billing page, never on the marketing site.
- SendGrid — transactional emails we send (invoice receipt, notification, password reset) contain a 1x1 tracking pixel from SendGrid so we can see whether delivery succeeded. You can disable open-tracking pixels in your email preferences inside the app, or by using an email client that blocks remote images.
We do not embed YouTube, Twitter/X, LinkedIn, Facebook, TikTok, Intercom, Hotjar, FullStory, or any session-recording or heatmap tool. If we ever do, it goes in this list before it goes live.
3. Your choices
Every modern browser lets you view, block, or delete cookies from any site, including ours. Chrome and Edge: Settings → Privacy and security → Cookies and other site data. Safari: Settings → Privacy. Firefox: Settings → Privacy & Security. If you block our strictly-necessary session cookie, you will not be able to stay logged in — the app will work for one page load and then bounce you back to the sign-in screen.
For everything beyond cookies — what data we collect, why, who we share it with, how long we keep it, and how to export or delete it — see our privacy policy. The two documents are designed to be read together.
4. Changes to this policy
If we materially change how we use cookies — adding an analytics provider, turning on a third-party script, or anything that expands what gets set in your browser — we’ll give you at least 30 days’ notice by email to the account admin and by an in-app banner, and the consent banner (Phase D) will go live at the same time. Non-material edits (typos, link fixes, clarifications) are made silently and reflected in the “Last updated” date at the top of this page.
Past versions of this policy are kept in an internal archive and available on request to privacy@bluewhalefincore.com.
5. Contact
Questions about cookies, the consent banner roadmap, or anything else in this document go to the same inbox as privacy questions:
Monitored by humans on UAE business days. Postal address — Ajman Free Zone (UAE entity, incorporation in progress).
One session cookie. One language cookie. No surprises.
Read the privacy policy for the rest of the picture, or start a 30-day trial and watch the network tab yourself.