What's a cookie?
A cookie is a small text file a website stores in your browser. It comes back to the server on every request so the server can recognise you between page loads. That's the whole mechanism - no magic, no secret data store.
Cookies we set
Session cookie (first-party, strictly necessary)
Name: __hoist_session
Purpose: Keeps you signed in between requests. Contains an HMAC-signed token - no personal data is encoded inside it. The server validates the signature on every request; an invalid or expired signature produces an immediate sign-out.
Duration: Session (clears when you close the browser tab or after 24 hours of inactivity, whichever comes first).
Can you disable it? No. Without it the dashboard doesn't work. If you don't want a session cookie, don't sign in.
Clerk session cookie (first-party, strictly necessary)
Name: __clerk_db_jwt and related Clerk internals.
Purpose: Clerk (our identity provider) sets these to maintain your authenticated session on the dashboard. They contain a signed JWT - not readable without the signing key.
Duration: Up to 7 days with activity; expires on sign-out.
Third-party? These are set on assets.hoistai.com (first-party domain), not a third-party Clerk domain. Clerk's CDN at accounts.assets.hoistai.com is a subdomain we control via a CNAME.
Can you disable it? Same as above - disabling it means no authenticated dashboard access.
Stripe checkout cookies (third-party, functional)
Set by: stripe.com and js.stripe.com
Purpose: When you go through the Stripe-hosted payment flow (adding a card, upgrading your plan), Stripe sets its own cookies to maintain checkout state and prevent fraud. These cookies are set on Stripe's domain, not ours.
Duration: Varies; typically session or up to 1 year for fraud signals.
Can you disable it? Blocking Stripe's cookies may break the checkout flow. If you're on a browser with strict third-party cookie blocking (Safari ITP, Firefox ETP), Stripe's checkout page handles this gracefully via redirects rather than pop-ups.
Stripe's policy: stripe.com/au/privacy
Cloudflare WAF cookies (third-party, security)
Name: __cf_bm and related Cloudflare cookies.
Purpose: Cloudflare's bot management and WAF set these to distinguish legitimate traffic from automated abuse. They're present on every request to our origin, not just the payment flow.
Duration: 30 minutes rolling.
Can you disable it? Not without breaking the site - they're set at the network layer before our application code runs. If Cloudflare's bot management triggers on your traffic incorrectly, use the current contact route at /contact/.
Cloudflare's policy: cloudflare.com/privacypolicy/
What we don't set
- No advertising or retargeting cookies.
- No cross-site tracking pixels (Meta, Google Ads, LinkedIn Insight, etc.).
- No A/B testing cookies from third-party platforms.
- No analytics cookies that persist across sessions or are shared with third parties. Our analytics are event-based, server-side only, and do not use browser cookies.
How to manage or disable cookies
Every major browser lets you view, block, and delete cookies. The session and Clerk cookies above are strictly necessary for the dashboard to function - blocking them means no sign-in. The Stripe and Cloudflare cookies affect checkout and site access respectively.
- Chrome: Settings → Privacy and security → Cookies and other site data
- Firefox: Settings → Privacy & Security → Cookies and Site Data
- Safari: Settings → Privacy → Manage Website Data
- Edge: Settings → Cookies and site permissions
To delete only Hoist Assets cookies: open DevTools (F12) → Application tab → Cookies → assets.hoistai.com → select and delete.
Changes to this policy
If we add a new cookie category (for example, if we ship an analytics tool that uses browser cookies), we'll update this page and note the change in /changelog tagged privacy. We don't send email notifications for cookie-only updates unless the change is material to personal-data processing.
Questions
Use the current contact route at /contact/. Full privacy policy at /privacy/.
