Skip to content
Legal · Cookie Policy

Cookie Policy.

We keep cookies to a minimum. The ones we set are intended to do three things: keep you signed in, tell us which pages render too slowly, and remember your preferences so we don't ask you the same question twice. Advertising-cookie commitments are controlled by the maintained cookie list and preference surface.

v2 · effective 2026-03-10 last updated 2026-03-05 applies to airheart.com, studio.airheart.com

1. What cookies we use

A cookie is a small text file set on your device by a website. Some cookies last only for the current session; others persist for a defined period. The Service also uses similar technologies — local storage, session storage, and server-set tokens — that perform the same function. This policy treats all of them as "cookies" for readability.

1.1The cookie table in §4 is the current route disclosure. The maintained implementation and consent surface remain authoritative for active cookies.

1.2We publish this policy alongside the Privacy Policy. They're designed to be read together — the Privacy Policy explains what we do with personal information in general; this one explains the specific role cookies play.

2. Categories

We group cookies into three route categories: strictly necessary, analytics, and preferences. Advertising-cookie claims should match the maintained cookie inventory.

01 · Strictly necessary

Keep you signed in and the Service working.

Session tokens, CSRF tokens, and load-balancer routing cookies. Without these, sign-in, checkout, and most of the product fail. Can't be turned off, because the Service won't work without them.

ON · always · required
02 · Analytics

Tell us which pages render too slowly.

Pseudonymous page-view metrics, navigation timing, and interaction counts. Used only in aggregate to find performance regressions and dead features. Opt-in only. No cross-site tracking, no device fingerprinting.

OFF by default · opt-in in the banner
03 · Preferences

Remember what you already told us.

UI settings — locale, theme, currency, the rails you've dismissed, whether you've seen the onboarding modal. Scoped to your browser. If you disable these, you'll see the same prompts you've already closed.

ON by default · opt-out in the banner

2.1What this route does not independently claim. Advertising-cookie, cross-site tracking, resale, and social-widget commitments must match the maintained cookie inventory and consent implementation.

2.2This policy is narrower than the law requires. That's intentional; we'd rather leave capacity for cookies on the table than set ones we don't need.

3. How to manage preferences

You're in charge of the optional categories. Strictly necessary cookies can't be disabled from within Airheart — but you can disable all cookies in your browser settings, with the caveat that the Service will mostly stop working if you do.

3.1In-product control. Change your preferences at any time at Settings → Privacy. Changes apply immediately and persist across devices when you're signed in.

3.2The banner. The first time you visit, a plain banner at the bottom of the screen asks you to accept or reject the optional categories. Reject is as easy as accept — same button size, same visual weight, no dark patterns.

3.3Global Privacy Control. We honor the Global Privacy Control signal. If your browser sends GPC, analytics cookies stay off without you needing to click anything.

3.4Browser controls. All modern browsers let you view, block, or delete cookies. The exact steps depend on your browser — search "manage cookies" in its help docs.

4. Third-party cookies

Some cookies on Airheart may be set by service providers for authentication, payments, or error tracking. Provider status and purpose should match the maintained Sub-processor List.

NameCategoryPurposeSet byRetention
ah_sessionStrictly necessarySigned session token. Keeps you signed in across page loads.Airheart (first-party)Implementation-controlled
ah_csrfStrictly necessaryCSRF protection token for form submissions and agent actions.Airheart (first-party)Session
ah_lbStrictly necessaryLoad-balancer affinity so your requests land on the same backend during a session.Airheart (first-party)Session
ah_consentStrictly necessaryRecords your cookie-banner decision so we don't re-prompt on every load.Airheart (first-party)Implementation-controlled
ah_prefsPreferencesUI preferences — locale, currency, theme, dismissed rails.Airheart (first-party)Implementation-controlled
_pl_visitorAnalyticsPseudonymous visitor ID for first-party analytics (page-view counts and performance metrics only).Plausible AnalyticsImplementation-controlled
sentryReplaySessionAnalyticsError-tracking session ID. Only set if you've opted in to analytics; drops request bodies and auth tokens.SentrySession
__stripe_midStrictly necessaryFraud prevention on checkout. Set only on pages that load the payment provider SDK.Stripe12 months
__cf_bmStrictly necessaryBot-management token for our CDN. Prevents automated abuse of the Service.Cloudflare30 minutes

4.1Third-party cookies are bound by the third party's own policies in addition to ours. For the ones listed above: Stripe's and Cloudflare's cookies are "strictly necessary" for the services they provide and run regardless of opt-in; Plausible and Sentry run only with analytics consent.

4.2If we add or remove a cookie, this table is updated as part of the change. The effective date at the top reflects the most recent edit.

5. Updates

5.1This policy is versioned.

5.2Material changes — new categories, new third-party cookies, or changes to retention — follow the maintained policy and consent-notice process. You should get a fresh opportunity to review optional preferences when the consent surface changes.

5.3Non-material changes (typo fixes, reformatting, new cookie variants of an existing purpose) take effect on publication.

Questions about cookies

If something in the table above looks wrong, or a cookie is being set that shouldn't be, let us know. Cookie reports are routed to the privacy review flow.

privacy@airheart.com

Postal address

Airheart Inc.
Attn: Data Protection Officer
Austin, TX 78701
United States

See also: Privacy Policy and Sub-processor List.