Cookie Policy
Last updated: 2026-05-26
This page explains every cookie and similar storage item we set, what it does, and how long it lasts. We don't use ad-tracking cookies and we don't sell your data. Essential storage runs without your consent because the site can't function otherwise; everything else only runs after you say yes.
Change your preferences any time
Reopens the banner so you can change which categories run. Your decision is stored locally on this device.
What we store
| Name | Category | Purpose | Duration | Set by |
|---|---|---|---|---|
| next-auth.session-token | Essential | Keeps you signed in across pages. | 30 days (sliding) | First-party |
| next-auth.csrf-token | Essential | Prevents cross-site request forgery during sign-in. | Session | First-party |
| next-auth.callback-url | Essential | Remembers where to send you after sign-in. | Session | First-party |
| __Host-authjs.* | Essential | NextAuth secure cookies on HTTPS. Browsers only honour the __Host- prefix when the cookie is Secure, has no Domain attribute and has Path=/, so these cannot be set by a subdomain or over plain HTTP. | Session / 30 days | First-party |
| Stripe (__stripe_mid, __stripe_sid) | Essential | Fraud prevention during checkout. Only set on payment pages. | 1 year / 30 min | Third-party Stripe |
| mindshape_completed_tests_v1 | Essential | Remembers which tests you've finished so we can show progress, even when logged out. localStorage. | Until you clear it | First-party |
| mindshape_pending_results | Essential | Stores a saved result during sign-up redirect so it isn't lost. Cleared once saved. localStorage. | Until claimed | First-party |
| mindshape_consent_v1 | Essential | Stores your cookie preferences so we don't ask again. localStorage. | Until you change it | First-party |
| _ga, _ga_* | Analytics | Google Analytics — distinguishes unique visitors, aggregates page views. Anonymized IP. Only set if you accept analytics. | 13 months | Third-party Google LLC |
Sub-processors
The companies that process personal data on our behalf. Each is bound by a data-processing agreement.
Vercel Inc.
Web hosting, edge delivery, serverless functions.
USA · GDPR DPA + SCCs in place
Neon Inc.
Managed Postgres database (account data, saved test results).
USA / EU regions · GDPR DPA in place
Stripe, Inc.
Payment processing for Mindshape Plus subscriptions and lifetime purchases.
USA · PCI-DSS Level 1, GDPR DPA in place
Google LLC (OAuth sign-in via NextAuth)
Sign-in via Google OAuth (only if you choose Google as your sign-in method).
USA · standard Google data-processing terms
Google LLC (Analytics)
Aggregate analytics (only if you opt in via the cookie banner).
USA · GA4 with anonymized IP + Consent Mode v2
Resend Inc.
Transactional email delivery (account-related notifications, when used).
USA · GDPR DPA in place
Your rights
Under GDPR / UK-GDPR / CCPA you can access, correct, export, or delete your data. Two routes:
- Self-serve: go to /account → "Download my data" for a full export, or use "Delete account" to wipe everything.
- Email us: team@mindshape.io. We respond within one month, the deadline GDPR Article 12(3) sets.
If you do nothing
Essential storage runs (we can't sign you in without it). Analytics and marketing stay off until you explicitly accept them. Google's servers receive cookieless "consent denied" pings under Consent Mode v2: no identifiers, no profile building.
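The gate that produces this behaviour, as an added example that is not Mindshape's own code: Consent Mode v2 starts every signal as denied before gtag.js loads, the stored preference under mindshape_consent_v1 is read back and replayed as an update, and a malformed or tampered value fails closed. The gtag() shim, the consent parameter names and wait_for_update are the documented Consent Mode API; the JSON shape {"v":1,"analytics":bool} and the showConsentBanner hook are assumptions.

```javascript
// Added example (not Mindshape's own code): a consent gate matching the
// behaviour this policy describes. Assumptions: the preference is stored in
// localStorage under "mindshape_consent_v1" as JSON {"v":1,"analytics":bool};
// Google Consent Mode v2 is driven through the standard gtag() dataLayer call.
// Storage and dataLayer are passed in so the code also runs under Node.

const CONSENT_KEY = "mindshape_consent_v1"; // localStorage key from the table above

// Every Consent Mode v2 signal starts denied; only analytics_storage is ever
// granted here because the policy sets no advertising cookies.
const DENIED_ALL = Object.freeze({
  ad_storage: "denied",
  ad_user_data: "denied",
  ad_personalization: "denied",
  analytics_storage: "denied",
});

// Parse the stored decision. Anything missing or malformed counts as
// "no decision yet", which keeps analytics off (fail closed).
function readConsent(storage) {
  let raw;
  try {
    raw = storage.getItem(CONSENT_KEY);
  } catch {
    return null; // storage blocked (private mode, disabled): no decision
  }
  if (typeof raw !== "string" || raw === "") return null;
  try {
    const parsed = JSON.parse(raw);
    if (parsed && parsed.v === 1 && typeof parsed.analytics === "boolean") {
      return { analytics: parsed.analytics };
    }
  } catch {
    // fall through: malformed JSON is treated as no decision
  }
  return null;
}

// Map a decision onto the Consent Mode v2 state object.
function consentState(decision) {
  return {
    ...DENIED_ALL,
    analytics_storage: decision && decision.analytics ? "granted" : "denied",
  };
}

// Must run before the gtag.js script tag so the default reaches Google first.
// Returns the stored decision (or null) so the caller can decide whether to
// show the banner.
function initConsent(storage, dataLayer) {
  const gtag = function () { dataLayer.push(arguments); }; // canonical gtag shim
  gtag("consent", "default", { ...DENIED_ALL, wait_for_update: 500 });
  const decision = readConsent(storage);
  if (decision !== null) {
    gtag("consent", "update", consentState(decision));
  }
  return decision;
}

// Called when the visitor answers the banner (or reopens it to change
// categories). Persists the choice and pushes the matching update.
function saveConsent(storage, dataLayer, analytics) {
  const decision = { analytics: Boolean(analytics) };
  storage.setItem(CONSENT_KEY, JSON.stringify({ v: 1, ...decision }));
  const gtag = function () { dataLayer.push(arguments); };
  gtag("consent", "update", consentState(decision));
  return decision;
}

// Minimal in-memory stand-in for window.localStorage (constructed, for Node).
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Usage in a page: run at the top of <head>, before gtag.js is loaded.
if (typeof window !== "undefined") {
  window.dataLayer = window.dataLayer || [];
  const decision = initConsent(window.localStorage, window.dataLayer);
  if (decision === null) {
    // showConsentBanner(); // hypothetical UI hook; on answer call saveConsent(...)
  }
}
```

Because the default is pushed before gtag.js runs, a first visit produces only the cookieless denied pings the paragraph above describes; _ga is written only after saveConsent(storage, dataLayer, true) pushes analytics_storage: "granted". Treating an unknown version or unparsable value as "no decision" means a tampered localStorage entry can never switch analytics on by itself.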
See also: Privacy Policy · Terms of Service · Contact us