GymGridGymGrid Cookie Policy
Last updated: 2026-05-13 Effective date: 2026-05-13
This Cookie Policy describes the cookies and similar technologies that GymGrid ("we," "us," "our") uses on our public website and the Service. It is incorporated into and governed by the GymGrid Privacy Policy.
1. Scope and relationship to the Privacy Policy
This Cookie Policy is the detailed companion to Section 8 of our Privacy Policy. If anything in this document conflicts with the Privacy Policy, the Privacy Policy controls.
2. The two categories
2.1 Strictly necessary
These are required for the Service to function. They cannot be disabled while using the Service.
| Item | Where set | Purpose |
|---|---|---|
| Supabase authentication tokens (in browser local storage) | After you sign in | Keeps you signed in across page loads. |
Supabase session cookies (sb-…) | After you sign in, if our SSR session pathway plants them | Server-side session validation. Today our client uses local storage only, so these are usually not set. |
Cloudflare bot-management cookie (__cf_bm) | On every request via Cloudflare to gymgrid.ca | First-party, ~30-minute lifetime. Bot and abuse protection. Cannot be disabled while accessing the site. |
Our consent-preference record (browser local storage, key gymgrid-cookie-consent) | When you make a choice in the cookie banner | Remembers your choice so we don't ask again. |
2.2 Analytics
Off by default. When you opt in, we may collect aggregated, de-identified usage measurement (e.g., which pages are visited most, where users drop off in onboarding) to improve the Service.
Today we do not load any analytics provider. This category exists so that if we add one in the future (e.g., a privacy-respecting tool such as Plausible or PostHog), your stored choice immediately controls whether it loads. We will update this page and the Privacy Policy before any analytics provider goes live.
3. What stays on regardless of your choice
We use Sentry to detect and diagnose errors in the Service. Sentry processing happens regardless of your cookie-consent choice. We rely on PIPEDA's legitimate-interest basis for this because error monitoring is necessary for security and reliable operation.
Sentry receives stack traces, the URL where the error occurred, and browser metadata. It does not receive your IP address (we have "Prevent Storing of IP Addresses" enabled at the organization level). Session Replay is disabled. Today Sentry sets no cookies and writes nothing to your browser's local storage.
Forward-note: if we enable Session Replay in the future (e.g., for a one-off investigation), Session Replay moves under the Analytics category and becomes consent-gated. Enabling Session Replay is a coordinated update to this document, the Privacy Policy, and a bump of
CURRENT_CONSENT_VERSIONso existing consent records are re-prompted.
4. The consent record
When you make a choice in the cookie banner, we store a small JSON
record in your browser's local storage under the key
gymgrid-cookie-consent. The record contains:
- Schema version (
1). essential: true(always — required for the Service).- Your analytics choice (
trueorfalse). - ISO 8601 timestamp of when you made the choice.
- How you made it (Accept all, Reject all, or Save custom).
This is a local record of when you made your choice, sufficient for our current scope because no analytics SDK is flowing yet. Server-side consent logging is a future question that we will address if and when there is actual data to gate.
5. How to change your preferences
You can change your cookie preferences at any time:
- Click Cookie preferences in the footer of any public page on our website.
- The banner re-opens in customize mode with your current choices.
- Adjust the Analytics toggle and click Save preferences.
You can also clear your browser's local storage for this site — the next page load will show the cookie banner again so you can make a fresh choice.
We do not currently respond to Do Not Track browser signals; there is no settled industry standard for them.
6. Third-party services that may set their own technologies
The third-party services listed in Privacy Policy §6.1 support the Service. Of those:
- Supabase — sets the authentication-related storage entries described in Section 2.1.
- Vercel — hosts the application. Does not set first-party tracking cookies in our current configuration.
- Stripe — used for subscription billing. Stripe-set cookies appear only on the checkout page when billing is live (post-Gate-3).
- Resend, Anthropic, Sentry — server-side processors; do not set browser cookies or local storage on your visit.
When we add an analytics provider, this list will be updated and the new vendor's storage items will appear in Section 2.2.
7. Children
The Service is not designed to collect or store information about athletes, including minor athletes. Section 13 of the Privacy Policy covers our commitments around minor data in full.
8. Changes to this policy
We may update this Cookie Policy from time to time. For material changes (new category of technology, new analytics vendor), we will provide at least fifteen (15) days' notice by email and/or in-app notice, consistent with Privacy Policy §14.
9. Contact
For questions about this Cookie Policy, contact our Privacy Officer:
Email: [email protected] Mailing address: 12 Groat Crest Spruce Grove, AB T7X 1Z7 Canada
10. Effective date and versioning
| Version | Date | Summary |
|---|---|---|
| 1.0 | 2026-05-13 | Initial publication. |