Cookie Policy
This Cookie Policy explains exactly what cookies and similar technologies (local storage, session storage) we use on sysml.pro, what they do, and how you can control them. It complements our Privacy Policy.
Under GDPR, ePrivacy Directive, CCPA, and Chile's Ley 19.628 (as reformed by Ley 21.719), we are required to be transparent about every identifier we store on your device. This page is that transparency.
1. What are cookies and local storage?
"Cookies" are small text files stored by your browser on behalf of a website. "Local storage" and "session storage" are similar mechanisms that let a website persist data on your device across visits. We use all three sparingly, and only for the purposes listed below.
Important note: for technical simplicity, most of SysML Studio's identifiers live in localStorage rather than HTTP cookies. Legally, they are treated the same way under GDPR, ePrivacy, and CCPA — they are "similar technologies" that require the same level of transparency and consent as cookies.
2. Categories we use
We group identifiers into two categories:
- Strictly necessary — required for the Service to function (authentication, saving work, remembering essential UI state). These cannot be disabled and do not require consent under GDPR Art. 6(1)(b).
- Analytics & Session Replay — help us understand how the product is used and reproduce bugs. These are opt-in: off by default, only enabled if you click "Accept all" on the cookie banner or enable the category in your preferences.
We do not use cookies for advertising, profiling, cross-site tracking, or audience measurement for marketing purposes.
3. Complete list of identifiers
Below is every identifier we (or our subprocessors) may store on your device while you use SysML Studio.
3.1 Strictly necessary
| Name | Provider | Type | Purpose | Duration |
|---|---|---|---|---|
| sb-<project-ref>-auth-token | Supabase | localStorage | Holds your authenticated session token. Required to stay signed in. Refreshed automatically by the Supabase SDK. | Until sign-out or token expiry (~1 hour, auto-refreshed) |
| sysml-cookie-consent | SysML Studio | localStorage | Records the choices you made in the cookie banner (accept/reject analytics). We need this so we don't re-prompt you on every visit. | Up to 12 months (re-prompted on policy version bump) |
| sysml-studio-theme | SysML Studio | localStorage | Your selected visual theme (carbon, dark, forest, etc.). Remembers preference across sessions. | Persistent until cleared |
| sysml-studio-diagram-type | SysML Studio | localStorage | Last-selected diagram type (BDD, REQ, IBD, etc.) so the app opens where you left off. | Persistent until cleared |
| sysml-sidebar-collapsed | SysML Studio | localStorage | Whether the left sidebar is collapsed or expanded. | Persistent until cleared |
| sysml-unified-project | SysML Studio | localStorage | Local cache of your current project (all diagrams in one structure). Lets you work offline briefly and reduces server load during auto-save. | Until sign-out (cleared on logout) |
| sysml-lines-<hash> | SysML Studio | localStorage | Custom orthogonal line routes you have dragged manually, keyed by diagram code hash so each diagram remembers its own routing. | Persistent per diagram until cleared |
| __cf_bm | Cloudflare | HTTP cookie | Bot management / DDoS protection. Set automatically by Cloudflare's network layer; we cannot disable it without losing DDoS protection. | 30 minutes |
3.2 Analytics & Session Replay (opt-in only)
| Name | Provider | Type | Purpose | Duration |
|---|---|---|---|---|
| sentryReplaySession | Sentry | sessionStorage | Unique ID for the current Session Replay recording. Lets Sentry correlate related events. Only set if you accept analytics. | 1 hour (session) |
| sentryReplayId | Sentry | sessionStorage | Replay identifier used to link a crash event to the relevant replay buffer. | Per session |
3.3 Cookieless analytics (no consent required)
We use Cloudflare Web Analytics, which is cookieless: it does not set any cookies, does not use browser fingerprinting, and does not identify individual users. It counts aggregate page views, referrers, countries, and devices using short-lived ephemeral hashes at the edge. Because it is privacy-preserving by design, it runs without consent under GDPR guidance (ICO, CNIL) and does not appear in the banner. If you still prefer to opt out, you can block static.cloudflareinsights.com using browser-level content blockers.
4. Error reporting (legitimate interest, no consent)
Sentry's crash reporting (as opposed to Session Replay) runs under legitimate interest (GDPR Art. 6(1)(f)) because it is essential for operating a safe service. When the app throws an unhandled error, Sentry captures: the stack trace, browser and OS, approximate location from IP, your user ID (if signed in), and a limited set of breadcrumbs (recent actions). This happens regardless of your cookie banner choice. If you object to this processing, email privacy@sysml.pro and we will delete prior reports and stop recording future ones for your account (at the cost of degraded support for bugs you report).
5. How to manage your preferences
- In the app: click the "Manage my preferences" button at the top of this page, or the "Cookies" link in the footer. You can opt in or out of analytics at any time. Your choice takes effect immediately.
- In your browser: all major browsers let you view, block, or delete cookies and local storage. Consult your browser's help documentation for details.
- Global Privacy Control: if your browser or extension sends the GPC signal (Sec-GPC: 1 or navigator.globalPrivacyControl = true), we automatically treat analytics as declined without showing the banner.
- Do Not Track: the legacy DNT header is no longer a reliable signal and we do not rely on it. Use GPC or our cookie banner instead.
If you clear your browser's storage, we will re-prompt you on next visit because the sysml-cookie-consent key is gone.
6. Third-party cookies
We do not intentionally set third-party cookies for advertising or tracking. The only third-party cookie that may appear on our domain is Cloudflare's __cf_bm (see section 3.1), which is set at the network layer for bot management and is considered strictly necessary.
7. Updates to this policy
If we add or remove an identifier, or change its purpose in a material way, we will bump the version at the top of this page and re-prompt your consent for the affected category. Minor changes (typos, clarifications) do not reset your preferences.
8. Contact
Questions about cookies or preferences? Email privacy@sysml.pro.