Cookie Policy

Version 1.4 — last updated 5 July 2026

1. Introduction

This Cookie Policy explains how Stead uses cookies and similar tracking technologies when you access and use our application. We are committed to transparency about our data practices.

Key principle: We use a single essential cookie and no third-party cookies. We do use privacy-first product analytics to improve the app, but it stores its data in your browser's local storage (not cookies), carries no personal information, and can be switched off. We never use advertising or cross-site tracking. Our approach prioritises privacy and security.

2. What Are Cookies?

Cookies are small text files stored on your device (computer, phone, or tablet) when you visit a website or use an application. They are typically used to store information about your preferences, login status, or browsing history.

Other similar technologies include:

  • Local storage: Browser-based storage for UI preferences, more persistent than cookies.
  • Session storage: Temporary storage cleared when the browser session ends.
  • Web beacons: Invisible pixels used to track user behaviour (we do not use these).

3. Cookies We Use

3.1 Authentication Cookie (Essential)

Cookie Name: authjs.session-token
Purpose: Stores your JSON Web Token (JWT) to keep you logged in across page reloads and sessions.
Type: HttpOnly, Secure, SameSite=Lax
Expiry: 24 hours. You will be asked to log in again after this time.
Scope: First-party (set by Stead only).
Essential: Yes. This cookie is required to use the Service. It cannot be disabled.

3.2 Security Details

  • HttpOnly: The cookie is inaccessible to JavaScript, preventing cross-site scripting (XSS) attacks from stealing your token.
  • Secure: The cookie is only transmitted over HTTPS connections, never over unencrypted HTTP.
  • SameSite=Lax: The cookie is not sent with cross-site requests (with limited exceptions for safe navigation), mitigating cross-site request forgery (CSRF) attacks.

4. Local Storage

We may use browser local storage to store non-sensitive user preferences:

  • Dark Mode Preference: If you toggle dark mode, your preference is saved locally so the app renders in your chosen theme on your next visit.
  • UI State: Some UI state (e.g. sidebar expanded/collapsed) may be stored locally for convenience.
  • Analytics identifier: Our product analytics (PostHog) stores a random, non-identifying analytics id in local storage instead of a cookie, so your usage can be understood across visits without cross-site tracking. It contains no personal information and is removed if you turn analytics off in Settings → Privacy.

Important: The preferences kept in local storage (dark mode, UI state) stay on your device and are never sent to us. The analytics identifier is shared only with our analytics processor (PostHog, EU) as part of anonymised usage events, and only while analytics is enabled. You can clear local storage at any time via your browser settings without affecting the Service.

5. Third-Party Cookies and Tracking

We do NOT use:

  • Advertising, retargeting, or cross-site tracking pixels.
  • Facebook Pixel or any ad-network tags.
  • Third-party marketing or data-broker cookies.
  • Third-party cookies of any kind (our only cookie is the first-party authentication cookie described above).

We do use privacy-first product analytics (PostHog) to understand how the app is used and improve it. This is not advertising: it stores a random, non-identifying id in your browser's local storage (not a cookie), carries no personal information, and can be turned off at Settings → Privacy — and we honour your browser's “Do Not Track” signal. See Section 6 for details.

We do not sell, trade, or share your data with advertisers or data brokers. Your financial data stays private and is not used for profiling or marketing.

6. Error Monitoring & Product Analytics

We use Sentry to collect error reports and crash data. In our configuration Sentry does not set cookies — error reports are sent only when the application encounters an error. This data is:

  • Limited to technical error diagnostics, not user behaviour tracking.
  • Configured to exclude sensitive data (passwords, tokens, email addresses).
  • Governed by Sentry's privacy policy: https://sentry.io/privacy/

We use PostHog (hosted in the European Union) for privacy-first product analytics — understanding which features are used and where people get stuck, so we can improve the app. It is configured to be as private as possible:

  • No cookies — it stores a random, non-identifying id in your browser's local storage.
  • No personal information in events — never your name, email, transactions, or amounts; page addresses are stripped of identifiers before recording.
  • Session recording and automatic page-content capture are switched off.
  • Analytics requests are sent to our own subdomain (e.steadapp.com.au) instead of directly to PostHog, so privacy/ad-blocking tools don't silently drop them. This is transport only — it collects nothing extra; in transit the requests pass through Cloudflare (PostHog's content-delivery network) before reaching PostHog in the EU.
  • You can opt out at any time at Settings → Privacy, and we honour your browser's “Do Not Track” signal — both stop analytics entirely, before anything is sent to that subdomain.
  • Governed by PostHog's privacy policy: https://posthog.com/privacy

7. How to Manage Cookies

Browser Settings: You can control cookies via your browser settings. Most browsers allow you to:

  • Block all cookies (note: this will prevent you from logging into Stead).
  • Delete existing cookies.
  • Block cookies from specific sites.
  • Set privacy preferences (e.g. block third-party cookies only).

See your browser's help section for instructions. Chrome, Firefox, Safari, Edge, and other browsers commonly include these options.

Important: The authentication cookie is essential to the Service. If you disable it, you will not be able to log in or use Stead.

8. Cookie Consent and GDPR Compliance

EU Users: Under the General Data Protection Regulation (GDPR) and the ePrivacy rules, consent is generally required before storing non-essential information on your device. Our only cookie is the essential authentication cookie, which is set without consent as it is strictly necessary to provide the Service.

Our product analytics does not use cookies — it stores a random, non-identifying id in local storage. We operate it on a privacy-first, opt-out basis: it is limited to anonymised product-improvement data with no personal information, you can turn it off at any time at Settings → Privacy, and we honour your browser's “Do Not Track” signal (which disables it automatically). We do not use it for advertising or any third-party purpose.

If you are an EU resident and have concerns about cookies or data processing, see our Privacy Policy for information on your rights and our contact details.

9. Data Retention

Cookies: The authentication cookie expires after 24 hours. When you log out, the cookie is deleted immediately.

Local Storage: Local storage persists until you manually clear it via browser settings or until you uninstall the app (on mobile).

10. Changes to This Cookie Policy

We may update this Cookie Policy from time to time to reflect changes in our technology or practices. We will update the "last updated" date at the top of this policy. Significant changes will be communicated via email or a prominent notice on the Service.

11. Contact

If you have questions about our cookie practices or wish to exercise your privacy rights, please contact us:

Email: support@steadapp.com.au
