Cookie Policy
Last Updated: 2026-06-07
This Cookie Policy explains what cookies and similar technologies are used on the MainBook service ("Service") operated by Human Beyond LLC ("MainBook", "we", "us", "our"). This Cookie Policy is incorporated by reference into our Terms of Service and Privacy Policy.
1. Summary
- We use a small number of cookies and similar local-storage items that are strictly necessary to provide the Service.
- Only with your consent, we also use Google Analytics 4 cookies for first-party audience and traffic measurement, and the Meta Pixel (Facebook Pixel) cookies (_fbp/_fbc) for advertising conversion measurement.
- We display a cookie-consent banner with equal Accept and Reject options. Strictly necessary cookies are always set (they are exempt from consent under Article 5(3) of the EU ePrivacy Directive and analogous laws); non-essential analytics and advertising cookies are set only if you accept them.
- Until you accept, analytics runs cookieless (Google Consent Mode v2, advanced mode) and the Meta Pixel is held with consent revoked so it does not fire or set cookies — no analytics or advertising cookies are placed on your device.
- You can change your choice at any time using the "Cookie settings" link in the footer of the Service.
- A small number of third-party services (Cloudflare anti-fraud and Stripe payment processing) may set their own cookies, on their own domains, when their services are invoked. These are described below.
2. What Is a Cookie
A "cookie" is a small text file placed on your device by a website. We also use other local-storage technologies (browser localStorage and sessionStorage) which serve similar purposes. In this Cookie Policy, "cookie" includes all such technologies unless context indicates otherwise.
3. Cookies and Local Storage We Set
The following items are set by our service (on mainbook.ai and api.mainbook.ai). The items in Sections 3.1 to 3.3 are strictly necessary for the operation of the Service; the analytics and advertising cookies in Sections 3.4 and 3.5 are set only with your consent.
3.1 Authentication cookies
| Name | Type | Purpose | Duration | HTTP-only |
|---|---|---|---|---|
| access_token | First-party cookie | Authenticated session: short-lived JWT access token | ~15 minutes (rotates) | Yes |
| refresh_token | First-party cookie | Authenticated session: refresh token used to obtain a new access token | ~7 days (rotates) | Yes |
| mb_csrftoken | First-party cookie | Cross-Site Request Forgery (CSRF) protection: issued together with the session and echoed back as a request header on state-changing requests (double-submit pattern) | ~7 days (rotates) | No (by design: the JavaScript in the Service reads this cookie to set the matching request header) |
In production, these cookies have Domain=.mainbook.ai, Secure (HTTPS-only), and SameSite=Lax attributes.
3.2 Local storage (browser localStorage)
| Name | Purpose | Duration |
|---|---|---|
| mainbook_device_id | Anonymous device fingerprint used to enforce guest-tier limits and prevent abuse | Persistent until cleared by you |
| mainbook_guest_session | Local state for the guest mode (uploaded files, conversion progress) before you create an Account | Persistent until cleared by you |
| mainbook.conversion.divider_ratio | User-interface preference (position of the split divider on the conversion view) | Persistent until cleared by you |
3.3 Session storage (browser sessionStorage)
Our error-monitoring sub-processor (Sentry) may write transient session-storage entries for the duration of a browser tab to maintain breadcrumb context across page navigations. These entries do not contain your personal data beyond what the Sentry client SDK is configured to send (PII is excluded by default) and are cleared when the tab is closed.
3.4 Analytics cookies (Google Analytics 4) — set only with consent
| Name | Type | Purpose | Duration | HTTP-only |
|---|---|---|---|---|
| _ga | Google Analytics | Distinguishes users for audience and traffic measurement | ~2 years (Google default) | No |
| _ga_<container-id> | Google Analytics | Persists Google Analytics session state for the specific measurement property | ~2 years (Google default) | No |
These cookies are set by Google Analytics only after you accept analytics cookies on our cookie-consent banner. Before you consent (and if you decline), Google Analytics operates without cookies under Google Consent Mode v2 in advanced mode, and no analytics cookies are placed on your device. When analytics runs, Google may receive your IP address (which Google uses only momentarily to derive an approximate, region-level location and then discards — it is not logged or stored as a full IP address) and a Google Analytics client identifier. We do not transmit your uploaded documents, the extracted data (Output), financial amounts, or your account credentials to Google Analytics.
3.5 Advertising cookies (Meta Pixel) — set only with consent
| Name | Type | Purpose | Duration | HTTP-only |
|---|---|---|---|---|
| _fbp | Meta Pixel | Browser identifier used for advertising conversion measurement and audience building for our Meta (Facebook/Instagram) ad campaigns; set only with consent | ~90 days (about 3 months) | No |
| _fbc | Meta Pixel | Ad-click identifier; set only if you arrive from a Meta ad link that carries a click parameter (fbclid), and only with consent | ~90 days (about 3 months) | No |
These cookies are set by the Meta Pixel only after you accept advertising cookies on our cookie-consent banner. Before you consent (and if you decline), the Meta Pixel library may load but consent is held revoked so that it does not fire any event and does not set any cookie on your device. When it runs (after consent), the Meta Pixel fires a standard PageView event and sends Meta your online identifiers (the _fbp cookie value), the page URL and referrer, your IP address (used by Meta), and browser and device metadata. We do not enable Advanced Matching — we do not send your hashed email, phone number, or name to Meta. We do not transmit your uploaded documents, the extracted data (Output), financial amounts, or your account credentials or passwords to Meta.
4. Third-Party Services
The following third-party services may set cookies when their services are invoked through the Service. These cookies are set by the third party on its own domain, not on the mainbook.ai domain.
4.1 Cloudflare Turnstile (anti-fraud)
When the Service requires verification that you are a human user (for example, on signup or guest upload), it loads the Cloudflare Turnstile widget from challenges.cloudflare.com. Cloudflare may set its own anti-fraud and bot-management cookies (such as __cf_bm, cf_clearance, and challenge-related cookies) on Cloudflare's own domain. These cookies are operationally essential to anti-fraud protection of the Service.
4.2 Stripe Checkout (payment processing)
When you initiate a purchase of Credits, you are redirected to the Stripe-hosted checkout page on checkout.stripe.com (or a related Stripe-controlled domain). Stripe sets its own cookies on Stripe's own domain to operate the checkout. These cookies are not on the mainbook.ai domain. When the checkout completes, you return to the Service. We do not store your full payment card details.
For more information about Stripe's cookies, see Stripe's Cookie Policy.
4.3 Sentry (error tracking, server-side primarily)
We use Sentry for error tracking. Our Sentry client-side configuration is minimal: no session replay, no performance tracing, no automatic personally identifiable information attachment. In this minimal configuration Sentry does not set cookies on the mainbook.ai domain; it may use transient session storage (see Section 3.3).
4.4 Google OAuth (only if you sign in via Google)
If you choose to sign in to MainBook using Google, you will be redirected to Google's authentication flow on Google-controlled domains, which may set their own cookies. After authentication, you return to the Service. We do not control Google's cookies.
5. Analytics and Advertising With Your Consent; No Session-Replay
We use Google Analytics 4 for first-party audience and traffic measurement, and the Meta Pixel (Facebook Pixel) for advertising conversion measurement. Both are enabled only with your consent, given through our cookie-consent banner and applied through Google Consent Mode v2 in advanced mode. Until you accept, Google Analytics runs cookieless (no _ga cookies) and the Meta Pixel is held with consent revoked so that it does not fire or set cookies; if you decline, both stay in that non-tracking state. When you consent, Google Analytics also receives advertising-measurement signals (ad_storage, ad_user_data, and ad_personalization) that we use in connection with our Google Ads campaigns, and the Meta Pixel fires a standard PageView event and sets its first-party _fbp (and, if you arrived from a Meta ad link, _fbc) cookies, as described in Section 3.5.
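The consent gating described above (everything denied by default, analytics cookieless and the pixel held revoked until an explicit Accept, with a Global Privacy Control signal treated as a decline) as an added example in JavaScript. This is not MainBook's code. The gtag('consent', ...) and fbq('consent', ...) call shapes are the vendors' documented APIs; the storage key mb_cookie_consent, the placeholder pixel ID, the in-memory storage stand-in and the stubbed gtag/fbq queues (used so the example runs offline without the vendor scripts) are assumptions of this example.

```javascript
// Added example of consent-gated tag loading; not MainBook's own code.
// Assumptions: choice stored under "mb_cookie_consent"; PIXEL_ID is a placeholder.
const CONSENT_KEY = "mb_cookie_consent"; // assumed storage key
const PIXEL_ID = "YOUR_PIXEL_ID";        // placeholder, not a real pixel ID

// Stand-ins for the vendor bootstraps so this runs offline in Node:
// gtag() queues into dataLayer exactly as Google's snippet does, and
// fbq() queues calls the way Meta's loader does before the pixel script arrives.
const dataLayer = [];
function gtag() { dataLayer.push(arguments); }
const fbqQueue = [];
function fbq(...args) { fbqQueue.push(args); }

// Consent Mode v2 types: analytics_storage plus the three advertising signals.
const CONSENT_TYPES = ["analytics_storage", "ad_storage", "ad_user_data", "ad_personalization"];
const allSetTo = (value) => Object.fromEntries(CONSENT_TYPES.map((t) => [t, value]));

// Step 1, before any tag loads: default every consent type to denied and hold
// the pixel revoked. GA4 then runs cookieless (advanced mode: pings, no _ga
// cookie) and the pixel queues its PageView without firing or setting _fbp/_fbc.
function installConsentDefaults() {
  gtag("consent", "default", { ...allSetTo("denied"), wait_for_update: 500 });
  fbq("consent", "revoke");
  fbq("init", PIXEL_ID);
  fbq("track", "PageView");
}

// The stored banner choice, validated; anything else counts as "no choice yet".
function readStoredChoice(storage) {
  const raw = storage.getItem(CONSENT_KEY);
  return raw === "accept" || raw === "reject" ? raw : null;
}

function recordChoice(storage, choice) {
  if (choice !== "accept" && choice !== "reject") throw new Error("choice must be accept or reject");
  storage.setItem(CONSENT_KEY, choice);
}

// A Global Privacy Control signal (navigator.globalPrivacyControl === true in
// the browser) overrides a stored accept and is treated as a decline.
function resolveChoice(storedChoice, gpcSignal) {
  return gpcSignal === true ? "reject" : storedChoice;
}

// Step 2: apply the resolved choice. Accept flips all four types to granted and
// releases the pixel; reject re-asserts denied; null leaves the defaults in force
// (this is the state in which the banner is shown).
function applyChoice(choice) {
  if (choice === "accept") {
    gtag("consent", "update", allSetTo("granted"));
    fbq("consent", "grant");
  } else if (choice === "reject") {
    gtag("consent", "update", allSetTo("denied"));
    fbq("consent", "revoke");
  }
}

// Page-load entry point; returns the choice that ended up in force.
function bootstrapConsent(storage, gpcSignal) {
  installConsentDefaults();
  const choice = resolveChoice(readStoredChoice(storage), gpcSignal);
  applyChoice(choice);
  return choice;
}

// Replay the queued gtag consent commands to compute the effective state,
// the way the tag itself would (later commands override earlier ones).
function effectiveConsent() {
  const state = {};
  for (const args of dataLayer) {
    if (args[0] !== "consent") continue;
    for (const [k, v] of Object.entries(args[2])) if (CONSENT_TYPES.includes(k)) state[k] = v;
  }
  return state;
}

// Whether the last pixel consent command left it granted.
function pixelGranted() {
  let granted = false;
  for (const [cmd, arg] of fbqQueue) if (cmd === "consent") granted = arg === "grant";
  return granted;
}

// Minimal localStorage stand-in so the example runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => m.set(k, String(v)),
    removeItem: (k) => m.delete(k),
  };
}
```

In the browser, memoryStorage() would be window.localStorage and gpcSignal would be navigator.globalPrivacyControl; the ordering matters, since the consent default must be queued before the gtag.js and pixel scripts are inserted.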
We do not use:
(a) session-replay or behavior-recording tools (such as Hotjar, FullStory, or Microsoft Clarity);
(b) the Meta Pixel's Advanced Matching feature (we do not send hashed email, phone number, or name to Meta), or any advertising or social-media tracking pixel other than the consent-gated Meta Pixel described in Sections 3.5 and 5;
(c) cookies to build profiles of you for any purpose other than the consent-based analytics and advertising-measurement described above.
We do not sell your personal information for money. Where you consent to analytics and advertising cookies, certain online identifiers (such as a Google Analytics client identifier, the Meta Pixel _fbp / _fbc cookie values, and related cookie data) are shared with Google and Meta for analytics and advertising-measurement purposes; depending on your jurisdiction this may be treated as "sharing" for cross-context behavioral advertising under the California Consumer Privacy Act or other U.S. state privacy laws. You can decline this at any time by choosing Reject on our banner, by changing your choice via the footer "Cookie settings" link, or by sending a Global Privacy Control signal — each of which we honor.
6. Cookie Consent Banner
We display a cookie-consent banner. By default, non-essential (analytics and advertising) cookies are denied until you make a choice — no analytics or advertising cookies are set unless and until you accept them. The Accept and Reject options are presented with equal prominence.
Your choice is stored locally and is not re-prompted on every visit. You may change your choice at any time using the "Cookie settings" link in the footer of the Service; choosing to decline previously accepted analytics or advertising cookies withdraws your consent going forward.
Strictly necessary cookies (authentication, CSRF protection, anti-fraud, payment processing, and the technical operation of the guest mode and conversion view) remain exempt from consent under the EU ePrivacy Directive (Article 5(3)), the GDPR, the UK ePrivacy Regulations, and analogous U.S. state privacy laws, and are always set.
7. How to Control Cookies
You can control cookies through your browser settings:
- Most browsers allow you to refuse, accept, or delete cookies by adjusting their settings;
- You can clear localStorage and sessionStorage from your browser settings or developer tools.
If you disable or delete the cookies set by the Service, parts of the Service will not work — for example, you will not stay logged in, and certain anti-fraud and security protections will not function. The Service is not designed to operate without these strictly necessary cookies.
8. Updates to This Cookie Policy
We may update this Cookie Policy from time to time to reflect changes in our cookie practices, third-party services, or applicable law. The "Last Updated" date at the top reflects the date of the most recent change. Material changes take effect on at least thirty (30) days' notice; non-material changes take effect upon posting.
9. Contact
For questions about this Cookie Policy:
Human Beyond LLC
Email: hello@human-beyond.ai