Back to Me Journal

Draft document — awaiting legal review

This cookie policy draft (last updated 2026-05-02) describes Me Journal's current practices accurately, but has not yet been reviewed by qualified legal counsel. Until our solicitor signs off, please do not rely on this document for compliance decisions in your jurisdiction. For specific privacy/legal questions, contact privacy@me-journal.com.

Cookie Policy

Cookie Policy — Me Journal

Document control · Version 1.0 · Classification Confidential — Legal · Created 2026-05-02 · Last updated 2026-05-22 · Owner N (Astronero Ltd) · Next review 2026-11-18 · Location legal/COOKIE_POLICY.md

| Version | Date | Author | Summary of change | |---|---|---|---| | 1.0 | 2026-05-22 | N / Claude | Doc-control header added; content pre-existing |

Last updated: 2026-05-02 Effective date: to be set when published

DRAFT — NOT YET LEGALLY REVIEWED. Audit specifically: the actual cookies set by Clerk + Convex + Vercel + Stripe in production (the table below is based on documentation; verify with browser DevTools); the cookie banner consent flow; whether GPC honoring is implemented in code (it should be).

1. What this policy covers

This policy explains:

  • What cookies and similar technologies we use
  • What each one does
  • How long they last
  • How you can control them

It is a companion to our Privacy Policy.

2. What is a cookie?

A cookie is a small text file that a website stores on your device when you visit. It lets the site remember things between visits — for example, that you're logged in.

We also use similar technologies:

  • Local storage / session storage — like cookies but stored by your browser instead of sent with each request
  • IndexedDB — used to cache large items like meditation audio for offline playback
  • Service worker — runs in the background to deliver push notifications and cache app assets

For simplicity, we refer to all of these as "cookies" in this policy unless we need to be specific.

3. The cookies we use

3.1 Strictly necessary cookies

These cookies are essential for the Service to work. They are set automatically and do not require consent under UK PECR or EU ePrivacy Directive.

| Cookie / storage | Set by | Purpose | Duration | |---|---|---|---| | __session, __client_uat, __clerk_db_jwt | Clerk | Keep you signed in across pages and tabs | Session / up to 1 year | | mj_auth_cache | Me Journal | Cache subscription/admin status server-side to make navigation fast (HttpOnly, server-set only) | 5 minutes | | mj-install-prompt-dismissed-v1 | Me Journal | Remember that you dismissed the "install app" prompt so we don't show it repeatedly | Persistent (localStorage) | | Service worker registration | Me Journal | Deliver push notifications you've opted into | Persistent until you uninstall the PWA | | IndexedDB caches (mj_audio_cache) | Me Journal | Store downloaded meditation audio so it plays offline | Persistent until you clear browser data |

3.2 Analytics cookies (subject to consent in EU/EEA)

| Cookie / storage | Set by | Purpose | Duration | |---|---|---|---| | vercel-analytics-* | Vercel | Aggregate page-view counts for product improvement; pseudonymous; no cross-site tracking | 1 year |

In the EU/EEA, we ask for consent before setting these. In the UK, we treat them as consent-required by default in line with ICO guidance, even though some recent UK reforms (DUAA 2025) signal that low-impact analytics cookies may be permitted under legitimate interests in future. We err on the strict side until that's settled.

3.3 Payment cookies (set only when you check out)

| Cookie / storage | Set by | Purpose | Duration | |---|---|---|---| | Stripe checkout cookies | Stripe | Run the secure checkout flow; fraud detection | Session / up to 1 year |

These are set only when you go through Stripe checkout. They are strictly necessary for the payment, so they don't require separate consent under PECR.

3.4 No advertising / tracking cookies

We do not use:

  • Google Analytics
  • Facebook Pixel
  • Google Ads conversion pixels
  • LinkedIn Insight Tag
  • TikTok Pixel
  • Any other behavioural advertising or cross-site tracking technology

If you've used third-party tools to identify cookies on a website (e.g. EditThisCookie, browser DevTools), and you see something here that's not in this list, please email privacy@me-journal.com — that would be something we should fix.

4. How we ask for consent

4.1 EU/EEA users

When you first visit the website, we show a cookie banner that:

  • Explains what cookies do (the brief version) with a link to this policy
  • Offers two clearly equal-prominence options: Accept and Reject all non-essential
  • Sets only strictly necessary cookies until you choose
  • Allows you to change your choice at any time via a "Cookie Preferences" link in the footer

Closing the banner without choosing means only strictly necessary cookies are set — closing is not consent.

4.2 UK users

Same approach as EU/EEA. The UK is moving toward more permissive rules for low-impact analytics cookies under the Data (Use and Access) Act 2025, but until ICO publishes finalised guidance, we apply the stricter standard.

4.3 California users

We honour Global Privacy Control (GPC) signals from your browser as a valid opt-out request. You'll see a confirmation that we've honoured the signal in your account privacy settings.

We don't sell or share personal information for cross-context behavioural advertising, so the "Do Not Sell or Share My Personal Information" right is, for us, automatic — but the link is provided in the footer for completeness.

4.4 Other regions

If your jurisdiction's law doesn't require explicit opt-in, we use a soft consent model — show the banner, set non-essential cookies only after you click Accept. Functionally the same as the EU model.

5. How to change your cookie preferences

Within Me Journal:

  • Click Cookie Preferences in the footer

In your browser:

Chrome

Settings → Privacy and security → Cookies and other site data → See all site data and permissions → search for "me-journal.com" → remove or block

Safari (macOS)

Safari → Settings → Privacy → Manage Website Data → search for "me-journal.com" → Remove

Safari (iOS)

Settings → Safari → Advanced → Website Data → search for "me-journal.com" → swipe to delete

Firefox

Settings → Privacy & Security → Cookies and Site Data → Manage Data → search for "me-journal.com" → Remove

If you delete cookies, you'll be signed out. To use the Service, you'll need to allow at least the strictly necessary cookies.

6. Cookies and the Service we provide

If you reject all non-essential cookies:

  • The Service still works — the strictly necessary cookies are enough to run it
  • We can't measure aggregate usage (but that's fine; aggregate usage isn't required for any feature)
  • Your privacy is identical or stronger

If you delete strictly necessary cookies:

  • You will be signed out
  • The app will treat you as a new visitor

7. Changes to this policy

When we add or change cookies materially, we update this page and notify you via the cookie banner so you can re-consent if needed.

Old versions of this policy are archived at https://me-journal.com/legal/cookies/history.

8. Contact

  • Cookie or tracking questions: privacy@me-journal.com
  • Lead supervisory authority: Information Commissioner's Office (ICO) — https://ico.org.uk
  • EU/EEA users: you may also lodge a complaint with your own national data protection supervisory authority.

Related documents

Privacy PolicyTerms of ServiceCookie PolicySecurity StatementSub-Processors