
Cookie Policy

Last updated: pending launch · Applies to getbullseye.app and the desktop app's local browser windows.

The short version

We use a small number of cookies and browser-storage entries to keep you signed in, complete a Stripe checkout, and (optionally) measure traffic. We do not use advertising cookies. We do not sell any of this data. You can clear all of it from your browser settings without breaking anything except your active sign-in.

What we mean by "cookie"

"Cookie" here is shorthand for any small piece of data a website stores in your browser between visits — actual HTTP cookies, localStorage, and sessionStorage all count. We list them all below regardless of category.

Cookies we set

Strictly necessary (you can't disable these without breaking sign-in)

Name | Set by | Purpose | Lifetime
sb-*-auth-token | Supabase (auth provider) | Keeps you signed in across page loads. Without it, every page would ask you to sign in again. | 1 hour (access) + 30 days (refresh)
bullseye_pending_plan | Bullseye (sessionStorage) | If you start a Pro checkout but get bounced through Google sign-in first, this remembers which plan you wanted so the flow resumes. | Until tab closes
bullseye_pending_ref | Bullseye (localStorage) | If you visited a referral link before signing in, this stores the code so it can be applied right after sign-up. | Until applied or 30 days

Functional (Stripe checkout)

Name | Set by | Purpose | Lifetime
__stripe_*, m, cid | Stripe (payment processor) | Set on Stripe Checkout pages and the Customer Portal for fraud detection and to remember your card on file. We never see card numbers. | Up to 1 year

Stripe's own cookie policy: stripe.com/cookie-settings.

Analytics (only if we've installed an analytics tag)

Name | Set by | Purpose | Lifetime
Plausible: none | Plausible Analytics | If we use Plausible, it does not set any cookies. It records anonymous page-view counts only — no individual tracking. | —
SimpleAnalytics: none | SimpleAnalytics | If we use SimpleAnalytics instead, same story — anonymous, no cookies, no fingerprinting. | —

We deliberately picked privacy-first analytics providers so this section stays short. We do not use Google Analytics, Meta Pixel, or any ad-network tracker.

Cookies we do NOT use

  • No advertising or remarketing cookies
  • No third-party social-share trackers
  • No cross-site fingerprinting
  • No A/B testing tools that store user IDs

The desktop app

The Bullseye desktop app uses a built-in browser window (Microsoft WebView2 on Windows). Inside that window, the same browser-storage rules apply as on the website. The app additionally stores authentication tokens in your operating system's keychain (Windows Credential Manager) and a fallback at %APPDATA%\Bullseye\tokens.json. Neither of these is a cookie in the technical sense, but they serve the same purpose.

Clearing cookies

  • Browser: Settings → Privacy → Clear browsing data. This signs you out and clears any pending-checkout state.
  • Desktop app: Settings → Account → Sign out clears the keychain entry and the local fallback file. Or delete the %APPDATA%\Bullseye folder entirely.
  • Stripe-set cookies: manage via stripe.com/cookie-settings.

Your rights

Under GDPR (EU/UK), CCPA (California), and PIPEDA (Canada) you have the right to know what's stored, request deletion, and opt out of sale of personal information. We don't sell anything, so the third right is moot, but the first two work via the steps above. For anything more, email hello@getbullseye.app.

Changes to this policy

If we add a new cookie or analytics provider, we'll update this page and bump the "Last updated" date. We'll never quietly add advertising trackers — that would be a meaningful change and we'd say so plainly.
