Legal
Cookie Policy
Last updated: May 28, 2026
1. What this is
This Cookie Policy explains how Rufus (operated by ExpoSQL AI Labs) uses cookies and similar storage technologies — including browser localStorage — on rufus.exposql.com. Read it alongside our Privacy Policy, which covers the full picture of how we handle personal data.
2. Categories we use
- Strictly necessary. Required to deliver the service — authentication, security, remembering your cookie choice. Always on; you cannot turn them off without breaking core functionality.
- Analytics. Aggregate, anonymised usage metrics so we can tell what works. Off by default. Currently not active in production — this category exists so the consent infrastructure is ready when we add Google Analytics 4.
- Marketing. Cross-site advertising and personalisation. Off by default.Not currently active. We don't sell personal information for behavioural advertising (see Do Not Sell or Share).
3. The cookies and storage we set
| Name | Provider | Category | Lifetime | Purpose |
|---|---|---|---|---|
| next-auth.session-token | Rufus (first-party) | Strictly necessary | Session / up to 30 days | Keeps you signed in. Signed JWT, set after Google sign-in. |
| next-auth.csrf-token | Rufus (first-party) | Strictly necessary | Session | CSRF protection for the sign-in flow. |
| next-auth.callback-url | Rufus (first-party) | Strictly necessary | Session | Remembers where to send you after sign-in. |
| rufus.consent.v1 | Rufus (localStorage) | Strictly necessary | Until cleared | Stores your cookie preferences. We need it to remember that you said no. |
| rufus.app.v1 | Rufus (localStorage) | Strictly necessary | Until cleared | Caches your workspace data client-side for snappier loads. Replaceable by a server fetch — clearing it logs you out of the app cache only. |
| _ga, _ga_* | Google Analytics (when enabled) | Analytics | 2 years | Aggregate page-view + feature-use counts. Not active today; will only load if you accept Analytics and we set NEXT_PUBLIC_GA4_ID. |
| __stripe_mid, __stripe_sid | Stripe | Strictly necessary | 30 minutes – 1 year | Set by Stripe Checkout to prevent fraud during a purchase. Only set during a checkout session. |
4. Third-party cookies
Some pages — sign-in, billing — embed third-party services that set their own cookies on your device. We don't control those cookies; the providers do.
- Google (sign-in only) — sets authentication cookies on accounts.google.com when you complete the OAuth flow. See Google's cookies page.
- Stripe (checkout only) — sets fraud-prevention cookies during a checkout session. See Stripe's cookie settings.
- Vercel (hosting) — may set short-lived cookies to route traffic and detect abuse. See Vercel's cookie policy.
5. How to manage your choices
- Use the cookie banner on your first visit, or re-open it at any time with the Cookie preferences link in the footer or the button below.
- We honour the Global Privacy Control browser signal. If your browser sends it, we treat non-essential cookies as denied and skip the banner entirely.
- Your browser's privacy settings can also block or delete cookies. Doing so may sign you out of Rufus or cause minor display glitches; necessary cookies will be reset on your next visit.
6. Changes to this policy
We'll update this page when our cookie use changes. The “Last updated” date at the top of this page reflects the current version. Material changes — for example, adding a new analytics provider — will trigger the consent banner again so you can review and re-confirm.
7. Contact
Questions: hello@exposql.com.