Legal
Cookie Policy.
Last updated: May 6, 2026
What this covers
This Cookie Policy explains the cookies and similar storage technologies AppMuse uses, who sets them, and how you can control them. "Cookies" here also covers browser localStorage and sessionStorage, which work similarly from a privacy perspective. For the broader picture of how we handle your data, see the Privacy Policy.
We deliberately keep this short because we run a small surface: no advertising trackers, no marketing analytics, no session replay, no fingerprinting.
Necessary cookies
These are required to run the service. They cannot be disabled in the cookie settings dialog without breaking authentication or losing access to the site entirely.
| Source | Name | Duration | Purpose |
|---|---|---|---|
| AppMuse | refreshToken | 30 days | Authentication session refresh. httpOnly, secure in production, sameSite=lax, scoped to /api/v1/auth. |
| Cloudflare | __cf_bm | 30 minutes | Bot management. Set at the edge by Cloudflare on essentially every request. Required for the site to be reachable. |
| Cloudflare | cf_clearance | ~1 year | Set after a visitor passes a security challenge. Required for the site to be reachable from networks Cloudflare flags as risky. |
| Sentry | sessionStorage breadcrumbs | Browser session | Buffers recent navigation, console, and network events so error reports include enough context to debug. No cookie is set; data lives only in your tab. |
Preferences (browser storage)
These entries live in your browser's localStorage. They are never transmitted to our servers as cookies. You can clear them at any time from your browser's site data settings.
| Source | Name | Duration | Purpose |
|---|---|---|---|
| AppMuse | cookie-consent | Until cleared | Remembers the choices you made in this Cookie Settings dialog. |
| AppMuse | theme | Until cleared | Stores your light or dark mode preference. |
| AppMuse | user | Until cleared | Caches a copy of your account profile so the app can render your name and avatar instantly on reload. Cleared on sign out. |
| AppMuse | layout-store | Until cleared | Remembers which workspace panels (chat, preview, files) are open and how you sized them. |
| AppMuse | preferred-companion | Until cleared | Remembers which companion device (emulator or phone) you last used for live preview. |
| AppMuse | tour-completed, celebration-shown:*, companion-connect-banner-dismissed:*, credit-warning-dismissed:*, support-guide-last-tab | Until cleared | Small UI flags so we do not re-show the product tour, celebration overlays, banners, or guide tabs you have already dismissed. |
Analytics & performance
When the deployment is configured with a Sentry DSN, the app initializes the Sentry browser SDK to capture error stack traces, a 10% sample of performance traces, and Core Web Vitals (LCP, INP, CLS, FCP, TTFB). This tells us when something is broken or slow for real users. No marketing identifiers are attached, no Session Replay is loaded, and the collected data is governed by Sentry's privacy policy.
We do not use Google Analytics, Google Tag Manager, PostHog, Mixpanel, Hotjar, FullStory, HubSpot, Meta Pixel, TikTok pixel, Reddit Ads, RudderStack, Segment, or any other marketing or advertising analytics service.
Marketing cookies
We do not currently set any marketing cookies.
Why Sentry sits under Necessary
We treat error and performance monitoring as a legitimate interest under GDPR Article 6(1)(f) — necessary for service security, reliability, and the protection of your data. No advertising IDs are attached to Sentry events, and retention follows Sentry's default data policy. This is the standard approach for SaaS error monitoring; if we ever add Session Replay, marketing analytics, or anything user-identifying for non-essential purposes, we will move those behind explicit consent in the Cookie Settings dialog.
Managing cookies
You can review and change your choices at any time using our cookie settings. . Necessary cookies (including Cloudflare's edge cookies) cannot be disabled — turning them off would prevent the site from loading or signing you in.
Your browser also lets you delete or block cookies directly:
Cookie settings are device- and browser-specific, so you may need to set them again on each device.
Third-party services
AppMuse relies on the following third-party services. Some set cookies on our domain (see Necessary cookies above), some only at their own domain, and some are server-to-server only.
| Service | Purpose | In your browser | Privacy policy |
|---|---|---|---|
| Cloudflare | CDN, DDoS protection, bot mitigation | Cookies set at the edge (see Necessary cookies above) | www.cloudflare.com/privacypolicy |
| Sentry | Error monitoring, performance traces, Core Web Vitals | In-browser SDK; uses sessionStorage, no cookies | sentry.io/privacy |
| Google Fonts | Web font delivery (Inter and Instrument Serif) | No cookies set on appmuse.dev. Your IP is visible to Google when fonts are fetched. | policies.google.com/privacy |
| Stripe | Payment processing | You are redirected to Stripe Checkout. Stripe sets its own cookies on stripe.com, not on appmuse.dev. | stripe.com/privacy |
| Anthropic | AI model provider (Claude) for code generation | Server-to-server only. No in-browser script and no cookies. | www.anthropic.com/legal/privacy |
| OpenAI | AI model provider (GPT) for code generation | Server-to-server only. No in-browser script and no cookies. | openai.com/policies/privacy-policy |
| Google AI (Gemini) | AI model provider (Gemini) for code generation | Server-to-server only. No in-browser script and no cookies. | policies.google.com/privacy |
Contact
Questions about cookies or the rest of our privacy practices? Email privacy@appmuse.dev.