Cookie Policy
Effective 3 May 2026 · Last updated 3 May 2026 · Version 1.0
This Cookie Policy explains how Pathrule ("Pathrule", "we", "us", "our") uses cookies and similar technologies on the website at pathrule.io (the "Website"). It is part of, and should be read together with, our Privacy Policy (/privacy-policy) and Terms of Service (/terms-of-service).
Short version. The Website uses a small number of cookies. Strictly necessary cookies always run because the site cannot function without them. Analytics cookies (Google Analytics 4) load only after you give consent through our cookie banner. You can change or withdraw your consent at any time. The Pathrule desktop app and CLI do not use HTTP cookies, and the product telemetry they send is separate from this Website: it is pseudonymous, carries no account or content, and is off in CI. See section 9.
1. What cookies are
Cookies are small text files placed on your device when you visit a website. They are widely used to make websites work, remember your preferences, and provide information to the site operator about how the site is being used. This Policy also covers similar technologies that achieve the same purposes, for example localStorage, sessionStorage, IndexedDB, pixels and SDKs, even though they are not technically cookies. Where we say "cookies" in this Policy we mean any of these technologies.
A first-party cookie is set by the domain you are visiting (here, pathrule.io). A third-party cookie is set by a different domain whose code is loaded on the page (for example, an analytics provider).
2. Categories we use
We group cookies into the following categories. Only strictly necessary cookies are loaded before you make a choice. Everything else waits for your consent.
| Category | What it is for | Consent |
|---|---|---|
| Strictly necessary | Cookies and storage required for the Website to load, to remember your cookie-banner choice, and to protect against cross-site request forgery on forms. | Not required (essential under GDPR Recital 32 and ePrivacy Art. 5(3)) |
| Functional | Remembers preferences such as your language, region, and theme (light or dark) so the site behaves the way you set it up. | Not required where strictly tied to a feature you actively use; otherwise consent |
| Analytics | Aggregated usage analytics: which pages visitors land on, how they move through the site, what country they are in. We use this to improve the product and prioritise work. | Consent required for visitors in the EU, UK, EEA, Switzerland and Türkiye |
| Marketing / advertising | Pathrule does not currently use marketing or advertising cookies, ad-network pixels, or cross-site tracking. If we ever do, we will update this Policy and ask for your consent first. | Consent required (currently none in use) |
3. Cookies on this Website
The list below describes the cookies and storage we set on pathrule.io. Names of cookies set by third-party services may change as those services evolve; we update this list when material changes occur.
| Name | Provider | Purpose | Type | Duration | Category |
|---|---|---|---|---|---|
pathrule_cookie_consent | pathrule.io (first party) | Stores your cookie-banner choice (accepted, declined, or per-category preferences) so we don't ask again on every page. | Cookie or localStorage | 12 months | Strictly necessary |
pathrule_theme | pathrule.io (first party) | Remembers whether you chose light or dark mode. | localStorage | Until you clear it | Functional |
_ga | Google LLC / Google Ireland Ltd. (third party) | Distinguishes unique visitors so we can count visits and sessions accurately. | Cookie | 2 years (rolling) | Analytics |
_ga_FGFM3Q0BS2 | Google LLC / Google Ireland Ltd. (third party) | Used by Google Analytics 4 to persist session state for our specific measurement property. | Cookie | 2 years (rolling) | Analytics |
_gid | Google LLC / Google Ireland Ltd. (third party) | Distinguishes users for short-term session analysis. Only set if Google Analytics enables it for the property. | Cookie | 24 hours | Analytics |
If you accept analytics cookies, Google Analytics 4 may also receive your truncated IP address, user-agent, page URL, referrer and event timing. We have IP-anonymisation enabled and we do not enable Google Signals, ads personalisation, advertising features, or data sharing with Google for advertising on this property.
4. Third-party services that may receive data
The Website also loads resources from a small number of third parties. Some of these can technically observe a request (and therefore your IP address and user-agent) even when they do not set cookies on our site:
| Service | Provider | What it does | Sets cookies on pathrule.io? |
|---|---|---|---|
| Google Analytics 4 | Google Ireland Ltd., Ireland (data may be transferred to Google LLC, USA) | Aggregated visitor analytics. Loaded only after consent. | Yes (see section 3) |
| Google Fonts | Google Ireland Ltd. | Serves the Inter and JetBrains Mono web fonts used by the site. Google receives the request to deliver the font. | No |
| FormSubmit | FormSubmit (formsubmit.co) | Forwards contact and investor inquiry form submissions to our team email. Only contacted when you submit a form. | No (no third-party cookies on page load) |
| Vercel | Vercel Inc., USA | Hosts the Website. Edge servers see standard request metadata (IP, user-agent) needed to serve the page. | No persistent tracking cookies |
For transfers to the United States, we rely on the EU–US Data Privacy Framework where the recipient is certified, on the UK Extension to the DPF for UK transfers, and on the European Commission's Standard Contractual Clauses (SCCs) where DPF certification does not apply, together with the supplementary measures described in our Privacy Policy, section 8 (/privacy-policy).
5. Legal basis for using cookies
Where the GDPR (Regulation (EU) 2016/679), the UK GDPR, the ePrivacy Directive (2002/58/EC, as transposed nationally, for example PECR in the UK), the Swiss FADP, and the Turkish KVKK apply, we rely on the following legal bases:
- Strictly necessary cookies. Article 5(3) of the ePrivacy Directive permits storage that is "strictly necessary in order to provide an information society service explicitly requested by the subscriber or user" without consent. We rely on this for cookies that make the site work and that record your cookie-banner choice. Where personal data processing is also involved, the legal basis under GDPR is our legitimate interest in operating a secure, functional website (Article 6(1)(f)).
- Analytics cookies. We rely on your consent under Article 5(3) of the ePrivacy Directive and Article 6(1)(a) of the GDPR. We ask for that consent through our cookie banner before any analytics tag fires. You can withdraw consent at any time and the withdrawal does not affect the lawfulness of processing carried out before it.
- Functional cookies. Where a functional cookie is strictly necessary to deliver a feature you actively turned on (for example, switching to dark mode), we treat it as essential and rely on the same basis as strictly necessary cookies. Otherwise we ask for consent.
Under the Turkish KVKK we treat consent under Article 5(1) of Law No. 6698 as our legal basis for non-essential cookies in the same way the GDPR requires.
6. How long cookies last
Cookies are either session cookies, which are deleted as soon as you close the browser, or persistent cookies, which stay on your device for a defined period (or until you delete them). The duration for each cookie we set is shown in the table in section 3. We never set a cookie for longer than is necessary for the purpose described.
7. Your choices and how to withdraw consent
You have several ways to control cookies on this Website:
- Cookie banner. The first time you visit the Website you will see a banner that lets you accept all cookies, reject non-essential cookies, or pick categories. You can re-open the banner at any time using the "Cookie settings" link in the footer of the site.
- Withdraw consent. If you have previously accepted analytics cookies, you can withdraw consent at any time via the same "Cookie settings" link. Existing analytics cookies in your browser are then deleted on your next visit and no new ones are set.
- Browser controls. Most browsers let you block or delete cookies. The exact steps vary; see your browser's help pages for Chrome, Safari, Firefox, Edge, Brave or Arc. Note that blocking strictly necessary cookies will break the site.
- Google Analytics opt-out. You can install the official Google Analytics opt-out browser add-on at tools.google.com/dlpage/gaoptout (https://tools.google.com/dlpage/gaoptout), which prevents the GA4 script from sending data on any site you visit.
- Right to object and other rights. Where we process personal data through cookies you can also exercise the rights described in section 5 of our Privacy Policy (/privacy-policy), including the right to object, the right of access, and the right to lodge a complaint with your supervisory authority.
8. Do Not Track and Global Privacy Control
Some browsers send a Do Not Track (DNT) header or a Global Privacy Control (GPC) signal. There is no industry-wide standard for how a website should react to DNT, so we do not rely on it. We do honour the Global Privacy Control signal as a valid expression of opt-out where applicable law treats it that way (for example under the California CCPA/CPRA): when GPC is on, we treat it as a refusal of analytics consent and do not load analytics tags.
9. Cookies in the Pathrule desktop app and CLI
The Pathrule desktop app and the Pathrule CLI do not use HTTP cookies. Settings, draft content, and preferences are stored in the app's OS-level data directory. In the desktop app on macOS, credentials are stored in the system Keychain, and authentication tokens against the Pathrule cloud are managed by Supabase Auth and stored in the app's isolated context, so they are not exposed to any browser or website outside the app. The CLI runtime stores its credentials in its own user-only data directory, again not as a browser cookie.
Product telemetry is not a cookie and is not part of this Website. The desktop app and CLI send aggregate telemetry keyed to a pseudonymous install id only. It never carries your user, organization, or workspace ids, file paths, or content. You can disable it by setting NO_TELEMETRY=1, or rotate the install id with pathrule config reset telemetry-id. It is off automatically in continuous-integration environments. This is the same telemetry behavior described on our Security page.
10. Changes to this Policy
We may update this Cookie Policy from time to time, for example when we add or remove a service, when a third party renames a cookie, or when the law changes. The "Last updated" date at the top of this page reflects the most recent revision. Material changes (a new third-party tracker, a change in legal basis, or a new category of cookies) will be flagged through our cookie banner so that you can review your choices.
11. Contact
- Operator: Pathrule
- Registered address: 30 Ağustos Zafer Mah. 73. Sok. No:3, Bursa/Nilüfer, Türkiye
- Privacy contact: [email protected]
- Data Protection & KVKK contact person: Sertan Helvacı, [email protected]
Questions about cookies, tracking, or how to exercise your rights? Email [email protected].