Cookies & local storage
Last updated: 2026-04-21
This policy explains how Reversal Labs uses cookies and browser local storage, and applies to all visitors of reversallabs.com and its subdomains. [COMPANY LEGAL NAME] is the data controller, within the meaning of Article 4(7) of the GDPR, with regard to any personal data derived from cookies used on this website. For broader details on our processing of personal data see our Privacy Policy.
What are cookies and local storage?
A cookie is a small text file that a website asks your browser to save on your device. Cookies are used to make a site work, to remember your preferences, or to analyse usage. Local storage is a similar browser mechanism that stores key–value data on your device without sending it back to the server on every request.
Cookies can be first-party (set by the website you visit) or third-party (set by another service loaded by the site). They can also be session cookies (deleted when you close the browser) or persistent cookies (stored until they expire or you delete them).
What we use
We deliberately keep our footprint minimal. Reversal Labs uses only strictly necessary cookies and a small amount of functional local storage. No analytics, advertising, session-replay or cross-site tracking cookies are set.
Strictly necessary cookies
These are required for the Service to function — for example, to keep you signed in. They are exempt from consent requirements under the ePrivacy Directive Article 5(3) and GDPR Recital 49, because the Service cannot be provided without them.
| Name | Provider | Expiration | Purpose |
|---|---|---|---|
__session |
Clerk, Inc. (clerk.com) | Session | Short-lived session token (JWT). Keeps you signed in while you are active on the Site. Cleared when the browser tab is closed or when you sign out. |
__client_uat |
Clerk, Inc. (clerk.com) | ~1 year | Stores the timestamp of your last client-side authentication update. Used by Clerk to coordinate session state across browser tabs. |
__client_uat_<instance> |
Clerk, Inc. (clerk.com) | ~1 year | Per-instance variant of __client_uat. Used when multiple Clerk environments share the same browser. |
Data transferred to Clerk: Clerk is our authentication processor. When these cookies are set, the browser sends them to Clerk's servers as part of the login/session flow. See clerk.com/privacy for their notice.
Functional local storage
Local storage values are stored by the browser on your device and are not transmitted to our servers. We use a small number of keys to remember your preferences.
| Key | Provider | Lifetime | Purpose |
|---|---|---|---|
rl-theme |
Reversal Labs (first party) | Until you clear browser data | Remembers your light/dark theme preference. |
__clerk_* |
Clerk, Inc. (clerk.com) | Session / until sign-out | Clerk client-state keys used internally by the authentication library to coordinate session status within the browser. |
Privacy-first analytics — Umami (self-hosted)
We run Umami on our own infrastructure at analytics.reversallabs.com to understand how many visitors we get and which pages are popular. Umami is cookieless by design:
- No cookies set — visitor sessions are identified by an in-memory hash of IP + user-agent + date, discarded at midnight.
- No cross-site tracking — the script is loaded from our own subdomain, not a third party.
- No personal data stored — IP addresses are hashed and never persisted; only aggregate pageview counts, referrer, country, device type.
- No data leaves our servers — analytics data is stored in the same PostgreSQL instance as the rest of the application.
Under the ePrivacy Directive and GDPR Recital 26, analytics that does not process personal data or store identifiers on the user's device does not require consent. This is why Umami does not require a cookie banner.
What we deliberately do not use
To make our position explicit, the following categories are not used anywhere on the Service:
- Third-party analytics — no Google Analytics, no Mixpanel, no Amplitude, no Rudderstack, no Segment. We run our own privacy-first Umami instead (see above).
- Session-replay / heatmap cookies — no Hotjar, no FullStory, no LogRocket.
- Advertising and retargeting cookies — no Facebook Pixel, no Google Ads, no LinkedIn Insight Tag, no Twitter/X pixel, no TikTok pixel.
- CDN-provider cookies — we run our own nginx on a single cloud provider, with no Cloudflare or similar CDN in front, so no
__cf_bmor equivalent is set. - Third-party font tracking — we self-host fonts via
@fontsourceinstead of using Google Fonts. - Cookie consent platform — no CMP such as Cookie-Script, OneTrust or Cookiebot is loaded, because every cookie above is strictly necessary and does not require consent.
Why no consent banner?
Under the ePrivacy Directive Article 5(3) and GDPR Recital 49, consent is only required for cookies that are not strictly necessary for the service the user has requested. Every cookie we set falls under the "strictly necessary" exemption. Showing a consent banner for cookies you cannot meaningfully opt out of would be theatre — we have chosen to keep our footprint small enough that the banner is not needed.
If we add a cookie category in the future that would require consent (for example, product analytics), we will introduce a proper consent banner and update this policy before doing so.
Manage your cookies
You have several ways to control cookies:
- Sign out — clears the active Clerk session cookie immediately.
- Clear site data in your browser — removes all cookies and local storage for
reversallabs.com. Settings menu in your browser → Privacy & Security → Clear browsing data → Cookies and site data. - Block cookies in your browser — disables all cookies for our Site. Note: blocking the Clerk session cookie will prevent you from signing in. Public pages (homepage, How it works, Cookies, Terms, Privacy) remain accessible.
Browser-level instructions are available from your browser vendor:
Changes to this policy
We may update this policy from time to time. The most recent version is always available on this page, with the "Last updated" date at the top.
Contact
Questions about this policy can be sent to [EMAIL].