Cookie Policy

Last updated: 2026-05-14 · These terms are reviewed by Astra periodically and effective on the Last updated date above.

This Cookie Policy explains how the Astra platform uses cookies, local storage, session storage, and similar technologies (collectively, "cookies"). It supplements our Privacy Policy.

We use only strictly necessary cookies by default. Functional, analytics, and any future advertising cookies are set only after you consent via the cookie banner that appears on your first visit. You may change your choice at any time via Settings → Privacy → Cookies.

A cookie is a small text file stored by your browser on your device. It can hold a session identifier, a preference, or — in trackers — a fingerprint. First-party cookies are set by tryastra.space; third-party cookies are set by other domains (e.g. a payment processor on its own checkout iframe).

2. Strictly necessary cookies (always on)

These are required to run the Platform. They cannot be disabled without breaking core features and we do not ask for consent for them under GDPR (Art. 5(3) ePrivacy "strictly necessary" exemption).

Name	Purpose	Lifetime
`sb-access-token`	Supabase auth session, signs you in	Session (24h)
`sb-refresh-token`	Supabase refresh-token rotation	7 days
`astra.csrf`	Cross-site request forgery protection	Session
`NEXT_LOCALE`	Server-side locale (en, zh-CN, zh-TW, es, fr, ja, ko, vi)	1 year
`astra.consent`	Stores your cookie-banner choice	1 year

All session cookies are set HttpOnly, Secure, SameSite=Lax and served over HTTPS only.

3. Functional cookies and local storage (opt-in)

Enabled if you choose "Accept all" or "Customise → Functional" in the banner:

Key	Purpose	Storage
`astra.theme`	Remembers cosmic / dawn / oriental theme	localStorage
`astra.voice.persona`	Last selected AI voice persona	localStorage
`astra.voice.trialMs`	Anonymous 2-minute voice-trial counter	localStorage
`astra.cosmos.tier`	Sky-Wall age-attestation tier	localStorage
`astra.cosmos.seed`	Star-seed used for personalised constellations	localStorage
`astra.shorts.lastSeen`	Resumes the shorts feed where you left off	localStorage

4. Analytics cookies (opt-in)

Set only after you opt in. We pick analytics providers that do not sell data and do not rely on cross-site identifiers.

Provider	Cookie / ID	Purpose	Lifetime
Plausible	none — cookieless aggregate counts	Page-view counts	n/a
PostHog	`ph_*`	Session replay (sampled), funnel analysis	1 year

You can opt out at any time in Settings → Privacy → Cookies.

5. Third-party cookies

Astra does not set cross-site advertising trackers. We do not use Google Analytics, Facebook Pixel, TikTok Pixel, or similar.

Some third-party services may set their own cookies when their content loads on a page (e.g. on the Stripe Checkout iframe). Those cookies are governed by the third party's own cookie policy:

Stripe — payment-form fraud signals · https://stripe.com/cookies-policy/legal
LiveKit — media-routing performance metrics · https://livekit.io/legal/privacy-policy
Cloudflare — bot protection (__cf_bm) · https://www.cloudflare.com/cookie-policy/

6. Do Not Track and Global Privacy Control

We honour the Global Privacy Control (GPC) signal: if your browser sends GPC, we treat it as an opt-out of analytics cookies and as a CCPA opt-out of sale/share. Browser DNT signals are recorded but, per W3C status, are not treated as a regulated opt-out.

7. How to control cookies

Astra controls — Settings → Privacy → Cookies at any time.
Browser settings — Chrome, Safari, Firefox, Edge all let you block, clear, or limit cookies per-site.
Mobile — iOS Safari and Android Chrome have system-level controls.
Local storage — open DevTools → Application → Local Storage, select tryastra.space, clear entries.

Disabling strictly necessary cookies will break sign-in and other core features.