Legal

Cookie & Storage Notice

Last updated June 11, 2026 · Version 1 · Questions? contact us.

[fix]net's websites and web app set only strictly-necessary first-party storage. There are no analytics cookies, no advertising cookies, no cross-site tracking, and no consent banner — because nothing we set requires one.

What "strictly necessary" means

Under EU ePrivacy law, storage that is *strictly necessary* to deliver a service you have actively requested is exempt from prior-consent requirements. Every item in this notice falls into that category: sign-in sessions you created, a private-beta gate you unlocked by entering a key, and payment cookies Paddle sets when you open the checkout you asked to see.

If we ever add storage that is not strictly necessary — analytics, preferences that survive across sessions without serving the core product, advertising pixels — we will update this notice and the consent mechanism before any such storage is set. The change will appear in this page's version history and in `legal/CHANGELOG.md`.

Storage inventory

This list was verified by reading the code at the revision tagged on `effective` above. If you believe it is wrong or incomplete, please tell us at privacy@fixa.sh.

`fixstore_session_v1` — Store sign-in session

What it stores: A JSON blob containing a Supabase session for your Store account (access token, refresh token, and expiry). Kept only to sign you in once across pages — without it you would be asked to sign in on every navigation.
Where it is set: `localStorage` on `store.fixa.sh`.
Lifetime: Until you sign out (the key is deleted), or until you clear localStorage. The token is refreshed silently before expiry; signing out deletes it immediately.
Controlled by: ePress Norden AB. The session is issued by Supabase as our authentication processor.

Supabase auth token — App sign-in session

What it stores: A JSON blob containing your account session for the web app (access token, refresh token, and expiry). Same purpose as the Store session above; the two are separate sessions for separate origins.
Where it is set: `localStorage` on `app.fixa.sh`. The key name follows the `supabase-js` default pattern (`sb-{project-reference}-auth-token`); the exact key includes our Supabase project reference, which is set at deploy time.
Lifetime: Until you sign out, or until you clear localStorage. The token is refreshed silently before expiry.
Controlled by: ePress Norden AB. The session is issued by Supabase as our authentication processor.

`fixnet_beta` — Private-beta gate

What it stores: An opaque credential that lets your browser through the private-beta access gate on `fixnet.se`. You obtain it by entering a beta key at the door URL; we do not set it on any public domain. When the private beta is retired, this cookie becomes unused and is cleared on your next visit.
Where it is set: A cookie on `.fixnet.se`, scoped to that domain only. Attributes: `Secure; HttpOnly; SameSite=Lax`.
Lifetime: 1 year from when you enter the key (`Max-Age=31536000`). You can clear it immediately by visiting `/dev-door?logout=1`.
Controlled by: ePress Norden AB.

Paddle checkout cookies — during checkout only

What it stores: Paddle, our Merchant of Record, sets its own cookies when the checkout overlay opens. These are strictly necessary for the checkout to function (fraud prevention, payment session, and Paddle's own compliance requirements).
Where they are set: Paddle's checkout domain, not on any `fixa.sh` or `fixnet.se` origin. They are only present while the checkout overlay is open — no Paddle storage is set on a normal page view.
Lifetime: Determined by Paddle.
Controlled by: Paddle.com, Inc., as an independent controller. See Paddle's Privacy Policy for what Paddle stores, why, and your rights over it.

What we do not store

No analytics cookies or local-storage keys. There are no tracking pixels, no `gtag`, no session-replay scripts, and no visit-counting identifiers of any kind.
No advertising cookies. [fix]net does not participate in ad networks.
No cross-site identifiers. Nothing in our storage is shared with or readable by a third party (except Paddle's own checkout cookies on their own domain, disclosed above).
No third-party fonts or scripts on normal page views. DM Mono and Syne are self-hosted; no request is made to Google Fonts or any other external domain to render a normal page.

Your rights

You can delete or inspect any item in this list by opening your browser's developer tools (`Application → Local Storage` and `Application → Cookies`). Sign-out buttons in the product delete sign-in storage immediately. If you have questions or believe something is missing from this inventory, please contact us at privacy@fixa.sh.

For broader privacy rights — access, erasure, portability — see the Privacy Policy.

Amendment

If we ever add storage beyond what is listed here, this notice will be updated and a new version will be published before the new storage is set (anchor L4). Material changes follow the same versioning and notice discipline as every other document in `legal/` (see `legal/CHANGELOG.md`).