Cookie Policy
Last updated · 2026-05-15
Kontra uses a small set of cookies and similar technologies to make the product work and to remember your preferences. This page lists every one, what it does, how long it lives, and whether it requires your consent under the ePrivacy Directive and the GDPR.
Plain-English summary: we use the minimum — a login cookie and a theme preference. We do not use marketing or cross-site tracking cookies. If we ever add analytics, the consent banner will ask first and you can decline.
1. Essential cookies (no consent needed)
These keep the service working. Under ePrivacy Article 5(3) they are exempt from consent because they are strictly necessary to provide a service you explicitly asked for (logging in to your dashboard).
| Name | Purpose | Provider | Expiry |
|---|---|---|---|
sb-access-tokensb-refresh-token | Keeps you signed in. Without these you cannot reach the dashboard. | Supabase (us, on usekontra.com) | Session + 30 days (refresh) |
kontra-theme | Remembers your light / dark theme choice so it does not flash wrong on next visit. | Kontra | 1 year |
kontra-consent | Records your cookie-banner choice (which non-essential categories you accepted) so we do not nag you on every visit. | Kontra | 6 months |
2. Functional cookies (consent required when used)
None today. If we add features that need them (for example, a saved Cmd-K palette recents list or a remembered table column layout), the consent banner will ask before they are set.
3. Analytics cookies (consent required when used)
None today. We do not run Google Analytics, Plausible, PostHog, or Vercel Analytics. If we add an analytics provider in the future we will:
- Disclose it here with the provider name, purpose, expiry, and where data is processed.
- Block it behind the consent banner. No script loads until you accept the analytics category.
- Configure it to never receive your invoice or contract contents.
4. Marketing cookies (consent required when used)
None today. We do not run retargeting pixels, conversion trackers, or third-party advertising tags. We do not plan to.
5. Sub-processor cookies on legal / public pages
The signing page /sign/[token] and the public invoice page /i/[token]are accessible without a Kontra account. They set no marketing or analytics cookies. The only third-party cookies that may appear come from Vercel's infrastructure layer (security: DDoS protection, request routing) and are exempt under ePrivacy 5(3) as strictly necessary for the service to be reachable.
6. Managing your choices
The consent banner appears on your first visit. You can also reopen it any time from the Cookies link in the footer to change your choices. Most browsers also let you block, allow, or delete individual cookies from their settings.
Rejecting essential cookies is not possible because the service cannot function without them. You can still reject every non-essential category and the app will work normally.
7. Contact
Questions? Email hello@usekontra.com. For complaints about cookies you can contact the Swedish Authority for Privacy Protection (IMY) at imy.se.