Cookie Policy
Last updated: May 10, 2026
This Cookie Policy explains the cookies and similar browser-storage mechanisms Brevva uses, why we use them, and how you can control them. It supplements our Privacy Policy.
1. What is a cookie?
A cookie is a small text file a site can store in your browser. Cookies let a site recognise you across requests and pages. Browsers also offer related storage — localStorage, sessionStorage, and IndexedDB — which we treat together with cookies for the purposes of this policy.
2. Cookies we set
Strictly necessary — required for the service to work
- refresh_token — an httpOnly, Secure, SameSite cookie scoped to /brevva/api/auth. Used to mint a fresh short-lived access token without re-prompting your credentials. Set by our backend on login; deleted on logout. Lifetime: up to seven days from last login (a new cookie is issued each time you refresh). Why we use it: the only practical way to keep you signed in across browser tabs and reloads while keeping the token unreachable to JavaScript (and therefore unreachable to a hypothetical XSS attacker).
Functional — uploaded only when errors occur
- Sentry session replay. When the frontend captures an error, Sentry uploads a short replay (a DOM-mutation log) of the surrounding interaction. Form inputs are masked by default — your email, password, and provider API keys are not part of the replay. Replay retention is governed by Sentry’s standard schedule (currently 90 days).
Closed-beta waitlist form
- The closed-beta waitlist on /brevva posts your email address to Formspree. The submission flow does not set tracking cookies; Formspree may set its own session cookie on their domain (formspree.io) governed by their own privacy policy. Brevva itself does not receive Formspree cookies.
3. Local storage
Brevva does not store authentication tokens in localStorage or sessionStorage. Access tokens live only in memory inside the open browser tab and are scrubbed on sign-out, account deletion, or any time a refresh fails. The frontend also actively scrubs any legacy access_token / refresh_token entries that an older build may have written, on every app boot.
4. Third-party cookies
When you upgrade or manage billing, we redirect you to Stripe Checkout or the Stripe Billing Portal. While you are on those pages, Stripe sets its own cookies on its domain (stripe.com, checkout.stripe.com). Those cookies are governed by Stripe’s privacy policy and we do not control them. They are returned automatically when you come back to Brevva and have no cross-site tracking effect on us.
Brevva does not use advertising, analytics, or social-network cookies (no Google Analytics, no Facebook Pixel, no cross-context targeting cookies). The only third party that sets a cookie within Brevva itself is Sentry, described above.
5. How to manage cookies
You can clear or block cookies via your browser settings. Note that:
- Clearing the refresh_token cookie will sign you out — it is required for the authenticated session.
- Blocking Sentry replay storage will not affect your ability to use Brevva; we will simply have less context if an error happens to you.
On most browsers you can find these controls under Settings → Privacy and security → Cookies.
6. Do Not Track
Brevva does not use cross-site tracking, so there is nothing for Do Not Track signals to alter. We honour them by virtue of the fact that we never set targeting cookies in the first place.
7. Changes to this Policy
We will update this page if our cookie usage changes — for example, if we add a new third-party service that sets a cookie. The “Last updated” date at the top reflects the most recent change.
8. Contact
Cookie or privacy questions: support@sfzlabs.com