Last updated: 2026-05-16
Cookie Policy
This Cookie Policy explains how cookies and similar technologies are used on the gila.coach website. It complements our Privacy Policy and our Subprocessor List.
The Gila mobile app does not use web cookies. Mobile analytics and authentication run through native SDKs (PostHog, Supabase Auth, Firebase). Those flows are disclosed in the Privacy Policy.
1. What cookies are
You probably already know what cookies are — small files your browser keeps so websites can remember you between clicks. Here is exactly which ones gila.coach sets and what each one does. The mobile app does not use any of this — those flows go through native SDKs and are covered in the Privacy Policy.
Similar technologies include local storage, session storage, and pixel tags. We treat them under the same rules as cookies.
2. The categories we use
We group cookies into three categories. The first is required for the site to work; the other two are only set with your consent (in the European Economic Area, the United Kingdom, Switzerland, and Brazil) or with the option to opt out (everywhere else).
| Category | Set by default? | What it does |
|---|---|---|
| Essential | Yes (cannot be turned off without breaking the site) | Authenticates you, remembers your language and consent choices, protects forms from bots |
| Analytics | Off by default in EEA / UK / CH / BR; on by default elsewhere unless your browser sends Global Privacy Control | Helps us understand which pages help readers and which need work |
| Marketing | None currently | Reserved for future advertising or social-tracking cookies — none in use today |
We do not use behavioural advertising cookies, retargeting pixels, social-network "Like" widgets, or any cookie that builds a profile of you across other sites.
3. The per-cookie inventory
| Name | Set by | Category | Type | Duration | Purpose |
|---|---|---|---|---|---|
| `sb-<project>-auth-token` | Supabase (first-party via gila.coach domain) | Essential | HTTP cookie | 1 hour (refresh-token lifetime) | Keeps you signed in to your Gila account |
| `sb-<project>-refresh-token` | Supabase | Essential | HTTP cookie | 30 days | Lets your session refresh without re-login |
| `NEXT_LOCALE` | gila.coach (Next.js) | Essential | HTTP cookie | 1 year | Remembers your chosen language (en / es / tr) |
| `gila_consent_v1` | gila.coach | Essential | HTTP cookie | 12 months | Records your cookie-banner choices so we do not ask again on every page; also stores the policy version you agreed to. Contents: consent choice + region code derived from IP; never the raw IP itself. |
| `cf-turnstile-*` (challenge token) | Cloudflare (third-party) | Essential | HTTP cookie | 1 hour | Short-lived challenge token that proves you are a human (not a bot) when you submit a form. Discarded as soon as the form is accepted |
| (PostHog cookies — NOT applicable to this site) | — | — | — | — | PostHog runs only in the Gila mobile app, never on gila.coach. No `ph_*` cookies are set on the website. Mobile SDK analytics is disclosed in the Privacy Policy, not here. |
| `_vercel_*` (Vercel Insights, only if enabled) | Vercel (third-party) | Analytics | HTTP cookie / local storage | Up to 24 hours | Anonymised Core Web Vitals (page load timings) |
Cookies set by Supabase, Cloudflare, and Vercel are technically third-party but we contract them as data processors under written DPAs — they act on our instructions, not their own. See the Subprocessor List for the full data-sharing detail.
Google Analytics 4 (_ga, _ga_<container_id>) — first-party cookies set by googletagmanager.com/gtag/js, only after you accept the analytics category in our cookie banner. _ga lasts 13 months; _ga_<container_id> lasts 13 months. Both are anonymised at collection (IP-anonymisation enabled, ad-features off). They are not loaded at all if you reject the analytics category, if you have Global Privacy Control enabled, or if you visit from an EEA/UK/CH/BR/TR region without explicit accept. Add them to the inventory above as third-party (Google) / Analytics / consent-gated.
4. Regional defaults
We apply different defaults depending on where you are, based on the consent rules in your region:
| Region | Essential | Analytics | Marketing |
|---|---|---|---|
| European Economic Area (EU + Iceland, Liechtenstein, Norway) | On | Off until you opt in via the banner | n/a (none in use) |
| United Kingdom | On | Off until you opt in | n/a |
| Switzerland | On | Off until you opt in | n/a |
| Brazil (LGPD) | On | Off until you opt in | n/a |
| Türkiye (KVKK) | On | Off until you opt in (explicit consent treated as required) | n/a |
| United States, Canada, Australia, and rest of world | On | On unless you opt out or your browser sends Global Privacy Control | n/a |
| Anyone with Global Privacy Control enabled | On | Off automatically — we treat GPC as a binding opt-out under California CPRA and similar laws | n/a |
We auto-detect your region from your IP address (Cloudflare edge) at first page load. We do not store the IP itself — only the resulting region code, in the consent cookie.
5. Do Not Track and Global Privacy Control
We honour two browser-level signals:
- Do Not Track (DNT) — when your browser sends `DNT: 1`, we do not load analytics cookies, regardless of your region.
- Global Privacy Control (GPC) — when your browser sends `Sec-GPC: 1`, we treat it as an opt-out of analytics and (where applicable) of "sale" or "share" of personal information under California CPRA, Colorado CPA, Connecticut CTDPA, Oregon OCPA, and other US state laws that recognise the signal.
You can enable GPC in browsers including Firefox, Brave, and DuckDuckGo, and in the Privacy Badger extension.
6. How to manage your choices
Three ways:
- The consent banner appears on your first visit. You can accept all, reject non-essential, or open the preference center to choose per category.
- The footer cookie banner lets you reopen your choices at any time, or you can email dpo@gila.coach to change them.
- Your browser settings let you delete cookies or block them entirely. Each browser is different — search "manage cookies" plus your browser name. Note that blocking essential cookies will sign you out and break parts of the site.
Withdrawing analytics consent stops the analytics SDK from loading on the next page load and clears any analytics cookies already set.
7. Third-party cookies and external links
Articles on the learning hub may embed images hosted on Supabase Storage, or link to external sources (medical literature, news articles). Following an external link takes you out of gila.coach and into a site governed by that site's own cookie policy — we have no control over their cookies and we do not receive their data.
We do not embed YouTube, X (Twitter), TikTok, Facebook, or Instagram widgets, because they set tracking cookies on load. Where we link to social media we use plain hyperlinks.
8. Changes to this policy
We review this Cookie Policy every quarter and on any change to the site (new analytics tool, new vendor, new form, new region). When something material changes — for example, adding a marketing category — we update the policy, re-trigger the consent banner for the next visit, and bump the version recorded in the gila_consent_v1 cookie so your prior choice does not auto-apply to a new category you have not seen.
The current version and effective date are at the top of this page.
9. Questions
Email dpo@gila.coach. If a specific cookie on the site is not in the table above, please tell us and we will fix the inventory.