1. What Are Cookies
Cookies are small text files stored on your device by your web browser when you visit a website. They are widely used to make websites work, improve user experience, and provide usage information to site owners. Cookies can be "session cookies" (deleted when you close your browser) or "persistent cookies" (remain for a set period).
In addition to cookies, we use browser-side storage (localStorage and sessionStorage) and HTTP-only secure tokens to manage your authenticated session. This policy covers all of these storage mechanisms collectively.
2. Types of Storage We Use
Goalka uses storage in three categories, summarised below. We do not use advertising cookies, cross-site tracking, browser fingerprinting, or third-party analytics that identify individual users.
- Required for the platform to function. Cannot be disabled without breaking authentication and core features.
- Aggregated, anonymised usage data to improve platform performance. No individual user identification.
- Stores your UI preferences (theme, language, timezone) locally. Never transmitted to our servers.
3. Essential Cookies (Always Active)
These cookies are strictly necessary to provide the Goalka service. They cannot be disabled without preventing you from logging in or using core features. No consent is required for essential cookies under the IT (Reasonable Security Practices) Rules, 2011, as they are necessary for the provision of a service explicitly requested by the user.
| Cookie / Storage Key | Type | Duration | Purpose |
|---|---|---|---|
| sb-access-token | HttpOnly Cookie | 1 hour (auto-renewed) | Supabase JWT access token for authenticated API calls |
| sb-refresh-token | HttpOnly Cookie | 7 days (renewed on activity) | Supabase session refresh — allows seamless re-authentication without re-login |
| sb-auth-token (localStorage) | localStorage | Session duration | Client-side Supabase session state (if cookie auth is unavailable) |
| goalka_csrf | Cookie | Session | CSRF protection token for state-mutating API requests |
| goalka_onboarding_step | localStorage | Until onboarding complete | Tracks which onboarding step you are on — prevents restarting from step 1 on page reload |
| goalka_theme | localStorage | Persistent | Stores your UI theme preference (dark/light). Never sent to the server. |
| goalka_tz | localStorage | Persistent | Your detected timezone for scheduling briefing times accurately (e.g., IST). |
4. Analytics & Performance
We collect first-party, anonymised analytics data to understand how the platform is used and to identify performance issues. This data is:
- Aggregated — individual user sessions are not tracked or stored individually beyond the active session
- Anonymised — IP addresses are truncated to the /24 subnet level before any analytics storage
- Not shared — we do not share analytics data with advertising networks or data brokers
- Not cross-site — we do not track your activity outside goalka.com
We do not use Google Analytics, Meta Pixel, Hotjar, or any other third-party analytics service that associates usage data with external advertising profiles.
| Storage Key | Duration | Purpose |
|---|---|---|
| goalka_anon_id | sessionStorage — session only | Anonymous session identifier for aggregated feature usage analytics. Regenerated on each new browser session. Not linked to your account. |
| goalka_perf | sessionStorage — session only | Page load timing and Core Web Vitals metrics. Used to identify slow pages. Aggregated only. |
5. Third-Party Cookies
Some platform features connect to third-party services at your explicit request. These services may set their own cookies in accordance with their own policies when you interact with embedded content:
- Razorpay Payment Gateway: When you initiate a payment, Razorpay's checkout loads in a secure iFrame. Razorpay may set fraud-prevention cookies on their payment domain (not goalka.com). These are governed by Razorpay's Privacy Policy.
- Supabase Auth (Google OAuth): When you use "Sign in with Google", you are redirected to Google's OAuth consent screen. Google may set authentication cookies on their domain. These are governed by Google's Privacy Policy. No Google advertising cookies are set on goalka.com as a result.
6. Browser Storage (localStorage / sessionStorage)
In addition to cookies, we use the Web Storage API (localStorage and sessionStorage) to store certain data locally in your browser:
- localStorage: Persistent storage that survives browser restarts. We use it for UI preferences (theme, timezone), onboarding state, and Supabase session tokens. Contents are only accessible to JavaScript running on goalka.com — never transmitted to third parties.
- sessionStorage: Temporary storage cleared when the browser tab is closed. We use it for anonymous analytics session IDs and performance metrics. No personal data is stored in sessionStorage.
You can clear all localStorage and sessionStorage data for goalka.com at any time through your browser's developer tools (Application tab → Storage → Clear Site Data). Note that clearing authentication storage will log you out of your session.
7. Supabase Auth Token Behaviour
Goalka uses Supabase Auth for authentication. Understanding how Supabase manages session tokens is important:
- Access Token: A JWT (JSON Web Token) valid for 1 hour. Stored as an HttpOnly, Secure, SameSite=Strict cookie where supported by your browser. Falls back to localStorage if the browser blocks third-party cookies.
- Refresh Token: A long-lived token used to silently renew the access token without requiring re-login. Stored as an HttpOnly cookie with a 7-day sliding window. Each use issues a new refresh token (token rotation), invalidating the previous one.
- Session Expiry: If you are inactive for more than 1 hour and close the browser, you will be required to log in again. Sessions can be extended by enabling "Remember me" which uses the refresh token mechanism described above.
- Google OAuth Tokens: If you connect Google Calendar or Gmail, the OAuth access token (not your Google account password) is stored in our database in an AES-256 encrypted column. This token is rotated on each use. You can revoke access at any time from your Google Account Permissions page or from Goalka Settings → Integrations.
- Social OAuth Tokens (LinkedIn/Instagram): Access and refresh tokens for social media integrations are encrypted at rest (AES-256, separate key from Supabase master key). Token values are never logged or exposed in error messages.
8. How to Manage Cookies
You have several ways to control cookies and browser storage:
Browser Settings
All major browsers (Chrome, Firefox, Safari, Edge) allow you to view, block, or delete cookies. Access via browser Settings → Privacy & Security → Cookies. Note: blocking essential cookies will prevent you from logging in to Goalka.
Clear Site Data
In Chrome/Edge, DevTools → Application → Storage → Clear Site Data removes all Goalka cookies and local storage immediately. In Safari: Develop → Empty Caches. This will log you out.
Private / Incognito Mode
Using Goalka in a private browser window prevents any persistent storage — all cookies and localStorage are cleared when the window closes. You will need to log in each visit.
Goalka Settings
Navigate to Settings → Privacy in your Goalka account to opt out of anonymous analytics collection. Essential cookies cannot be disabled from within the app as they are required for the service to function.
9. Do Not Track
Goalka respects the "Do Not Track" (DNT) browser signal. When DNT is enabled in your browser, we:
- Disable all non-essential analytics storage (goalka_anon_id, goalka_perf)
- Do not record page-level usage events beyond what is necessary for billing and security
- Continue setting essential cookies required for authentication and security, as these are not tracking mechanisms
Since Goalka does not use cross-site advertising trackers, the practical effect of DNT on our platform is minimal — we already operate at a privacy-first standard that exceeds DNT requirements.
10. Changes to This Policy
We may update this Cookie Policy when we add new features that use different storage mechanisms. Material changes will be announced via in-app notification at least 14 days before they take effect. The current version is always available at goalka.com/cookie-policy.
11. Contact
Questions about our cookie practices?
91Springboard, Koramangala, Bengaluru, Karnataka 560034, India