Legal

Cookie Policy

Last updated: 2026-05-22 · Version v1.0.0

EverCFO is operated by Celeste Business Advisors LLP (“EverCFO”, “we”, “our”, or “us”). This Cookie Policy explains what cookies and similar technologies EverCFO uses, why we use them, and the choices available to you. It supplements our Privacy Policy — for the rights you have over the underlying data, see Privacy Policy section 7.

1. What are cookies and similar technologies

A cookie is a small text file that a website places in your browser the first time you visit. On return visits, the browser sends the cookie back so the site can recognize you, keep you signed in, or remember your preferences. “Similar technologies” covers other client-side storage mechanisms that serve the same purpose, including browser localStorage, sessionStorage, and IndexedDB. This policy uses the word “cookies” to refer to all of them.

2. Categories of cookies we use

2.1 Strictly necessary

These cookies are required for the EverCFO application to function. Without them you cannot sign in, your session cannot be maintained, and protections against cross-site request forgery (CSRF) cannot be enforced. They are set when you authenticate and are removed when your session ends or you sign out.

  • Authentication. Session and refresh tokens that prove you are signed in. Managed by our authentication provider (Supabase).
  • CSRF protection. Short-lived token used to validate that requests against your account were initiated from inside EverCFO.
  • Page context. Lightweight values used to preserve your current workspace selection, sidebar state, and theme preference between page navigations.

You cannot disable strictly necessary cookies inside EverCFO. Disabling them at the browser level will prevent sign-in.

2.2 Analytics and product

These cookies measure how the EverCFO product is used so we can improve it. They are first-party cookies set by EverCFO and read by our analytics sub-processor.

  • PostHog. Page-event metadata, error events for replay, and feature-flag exposure. Used to debug regressions, prioritize improvements, and measure feature adoption. PostHog is named in our Privacy Policy section 3 sub-processor list; see PostHog’s own privacy practices at posthog.com/privacy.

2.3 Third-party cookies set by connected integrations

When you connect a third-party service to EverCFO, the connecting flow itself may set transient cookies under that third party’s control. These are short-lived and exist only for the duration of the connection process.

  • Shopify install flow. Shopify sets connection-state cookies when you authorize EverCFO from inside your Shopify Admin.
  • Plaid Link. When the bank-integration feature ships (see Privacy Policy section 10), Plaid Link will set its own consent-flow cookies inside the Plaid-served frame during a connection attempt.
  • OAuth callbacks (QuickBooks Online, Xero, Nango). The OAuth handshake that authorizes EverCFO to read your accounting data sets transient state cookies that exist only long enough to complete the redirect back to EverCFO.

None of these third-party cookies are read by EverCFO directly and none persist after the connection flow completes.

3. Your choices

You have two real, working ways to manage analytics cookies in EverCFO today. We do not list options that are not yet built — when an in-product opt-out toggle becomes available, we will update this section and announce the change.

  • Browser controls.Every major browser lets you block third-party cookies, send a “Do-Not-Track” signal, or clear all cookies for a specific site. Blocking analytics cookies at the browser level stops PostHog tracking on EverCFO. Note that blocking strictly necessary cookies will prevent sign-in.
  • Email request. Email our privacy contact at privacy@evercfo.ai from the address associated with your EverCFO account and ask us to opt your account out of product analytics. We will apply the opt-out to PostHog at the account level and confirm in writing without undue delay.

We do not honor browser-level strictly necessary cookie blocking as a privacy choice because doing so would prevent the EverCFO application from functioning. Users who do not wish to use authentication cookies should not sign in.

4. Changes to this Cookie Policy

We may update this Cookie Policy from time to time. Material changes will be announced inside the EverCFO product and via email to the account owner at least 30 days before they take effect. The “Last updated” date and version at the top of this page always reflect the current version.

5. Contact

Questions about this Cookie Policy or about a specific cookie EverCFO sets can be sent to our privacy contact at privacy@evercfo.ai. For the broader privacy program and full contact details, see Privacy Policy section 13.