Cookies Policy

Overview

This Cookies Policy explains how Tolstoy Compose uses cookies, browser storage, service-worker cache, IndexedDB, local storage, session storage, and similar technologies on the website and in the app.

These technologies can store information on, or access information from, your device. They are used only where needed for the website, app, security, account, billing, installation, preference, recovery, export, and support functions described below.

Strictly necessary technologies

Compose uses necessary storage and access technologies for:

• App operation, local document storage, local recovery, local versions, preferences, recent state, and offline support.
• Authentication, session handling, account state, paid-device authorisation, Teams administration, and security.
• Checkout, billing return flows, checkout intent state, selected plan and seat quantity, subscription management, statutory subscription notices, and fraud or abuse prevention.
• Service-worker cache and app-shell files so the installed app and website can load reliably.
• Rate limiting, diagnostics, and protection of support and sign-in forms.

Because these technologies are used to provide the service you request or to keep it secure, we treat them as necessary. If you block or clear them, Compose may sign you out, lose preferences, remove local recovery data, remove local documents stored only in the browser, or stop parts of the app from working.

Examples of storage used by Compose

Compose may use IndexedDB for local workspace snapshots, local documents, local versions, recovery data, citations, and review state. The launch app source uses IndexedDB databases named compose_workspace, compose_document_recovery, and compose_version_history.

Compose may use localStorage for preferences, language choice, appearance/theme settings, sidebar and view state, highlight settings, current workspace selection, current device identifiers for paid-device limits, account/session state where needed to keep you signed in, pending checkout intent, local clipboard history, table presets, and fallback local saves for workspace, recovery, and version data if IndexedDB is unavailable or fails.

Compose may use sessionStorage for temporary app-update and reload state, and may use it for short-lived checkout, billing-return, or browser-session state where the relevant release implements that storage path.

Compose may use service-worker cache and the browser Cache API for app-shell files, static assets, icons, stylesheets, scripts, locale files, and runtime resources. The launch app source is designed not to cache same-origin /api/* responses through the service worker.

The production app source we reviewed does not intentionally set advertising, analytics, behavioural profiling, heatmap, or session-recording cookies. A development-only plan-preview cookie may exist in local development when explicitly enabled; it is not intended for production use. Compose may also use provider-controlled cookies or equivalent server-side mechanisms for account, security, rate-limit, checkout, billing-portal, webhook, or infrastructure flows where required. Compose storage should not contain full payment-card details.

Local content risk

Some necessary storage can contain document content or document fragments, including local workspace snapshots, recovery entries, version history, citations, review state, table presets, and clipboard history. This is part of the local-first product design. Clearing browser storage can delete this data; using a shared browser profile can expose it to other users of that profile.

No advertising or analytics cookies

We do not use advertising cookies, behavioural profiling cookies, social media pixels, heatmaps, session-recording tools, or third-party analytics platforms on this website or in Compose at launch.

Third-party checkout and infrastructure

When you use Stripe Checkout or the Stripe Customer Portal, Stripe may set cookies or use similar technologies on Stripe-controlled pages for payment, fraud prevention, tax, invoicing, subscription, refund, and billing functionality. Cloudflare, Supabase, and Resend may also process technical data needed for hosting, security, authentication, database, email, and infrastructure delivery.

Consent position

At launch, Compose is designed not to set non-essential advertising, analytics, or profiling cookies. If we introduce non-essential cookies or similar technologies later, we will update this policy and add a consent mechanism where required before using them.

Storage notice and user controls

Information about necessary cookies and storage should be easy to find from the website footer and from relevant app surfaces such as account, support, billing, installation, and local-storage/reset flows.

If Compose later introduces non-essential analytics, advertising, profiling, heatmap, session-recording, or similar technologies, the product should add a consent mechanism before those technologies run, keep consent separate from necessary app storage, and give users a practical way to change their choice.

Managing storage

You can control or clear cookies and browser storage through your browser settings. You can also unregister service workers or clear site data in browser developer or privacy settings. Clearing site data may sign you out, remove preferences, delete local recovery data, delete documents stored only in that browser, and interrupt checkout or billing-return flows.

Changes

We may update this policy as Compose changes or as legal requirements develop. The latest version will be published on this website.