Legal

Cookies policy

Last updated · May 2026

We use the minimum set of cookies and similar storage needed to make the product work. We don't use advertising cookies. We don't use cross-site trackers. The list below is the full list

Strictly necessary

  • Supabase auth cookies (sb-*) · Keep you signed in across pages. Set when you complete the magic-link flow. Required to use anything past the public marketing pages
  • Cookie-choice flag · A single localStorage entry (mbb-ready:cookie-choice) that remembers your banner choice. Used to gate any future personalised analytics. No personal data

Anonymous analytics · loaded by default

We load Vercel Analytics on every page to count page views and identify broken pages. Vercel Analytics is cookieless: it uses a daily-salted anonymous fingerprint derived from your IP address and browser to dedupe visits, and that fingerprint changes every day. No persistent identifier is stored. No advertising cookies, no cross-site tracking, no third-party share. This is loaded regardless of your banner choice because cookieless analytics qualifies as legitimate-interest under GDPR/PECR

Product analytics · PostHog

We use PostHog to understand how people move through the case flow, so we can find and fix the points where the product is confusing or broken. It records anonymous interaction events only (for example, “started a case”, “reached the results page”) and page views. We do not record session replays. We only attach your identity once you sign in, so we can connect your own cases to your account. If you choose “Essentials only” on the banner, we stop all PostHog capture for you

Third parties that process your data

  • Supabase · authentication, database. Stores your email, your name, your case sessions, transcripts, and feedback
  • OpenAI · large language model that marks your case. Receives your transcript for scoring. OpenAI's API data policy excludes API content from model training
  • ElevenLabs · voice agent platform. Powers Mira's speech, transcribes yours in real time, and routes turns to our LLM endpoint. Audio is deleted after 30 days
  • Vercel · hosting and serverless compute. Serves the site and the anonymous Vercel Analytics page counts
  • PostHog · product analytics. Receives anonymous interaction events and masked session replays so we can fix usability problems. Honours Do-Not-Track and the “Essentials only” choice

Changes

If we add a new cookie or third party that touches your data, this page will be updated and we'll email you before the change takes effect