Cookie Policy

This Policy explains how the Home Service Pulse web application (“Platform”) uses cookies and similar browser-storage technologies (collectively, “Storage”). It supplements our Privacy Policy.

The Platform is a B2B product. The Storage described here is set when a User of a Customer-Tenant signs in or interacts with the Platform.

• Cookies are small text files stored on your device by your browser when you visit a website. They are used to remember information across page loads and sessions.
• localStorage is a browser key-value store that survives page reloads and browser restarts until explicitly cleared.
• sessionStorage is similar to localStorage but is cleared when the browser tab is closed.
• IndexedDB is a structured-storage API used by some libraries (notably Firebase) to cache authentication state and offline data.

Some Storage is essential to operating the Platform. Other Storage supports user-experience features such as remembering your dark/light theme.

Based on a review of the application code at the time of this draft, the Platform uses the following categories of Storage.

3.1 Strictly Necessary — Authentication and Identity

Set by Google Cloud Identity Platform / Firebase Authentication (a service provider). Used to keep you signed in and to verify your identity on each request.

• firebase:authUser:* [localStorage / IndexedDB] — Stores the current Firebase user session and refresh token so that you remain signed in across page loads. Lifetime: until sign-out or token expiry.
• firebase-installations-store [IndexedDB] — Identifies the browser installation for Firebase services. Long-lived.
• firebase-heartbeat-store [IndexedDB] — Diagnostic heartbeat used by Firebase SDKs. Long-lived.
• App Check token — [IndexedDB, and in memory for active sessions] Used by Firebase App Check to attest that requests come from a legitimate browser. The token has approximately 1 hour of validity; the IndexedDB record persists across browser sessions until cleared or refreshed by the SDK.

These items are essential to authentication; the Platform cannot function without them.

3.2 Strictly Necessary — Workspace and Tenant Context

Set directly by the Platform.

• hsp:actingTenantId (or successor key) [localStorage] — Stores the Tenant context you most recently selected so the same context is used on subsequent visits. Required by the API on the first request after a page load. Lifetime: until cleared or until you sign in as a different user.
• hsp:selectedBrandId and hsp:selectedBrandSlug (or successor keys) [localStorage] — Stores the Brand sub-context within a Tenant. Lifetime: until cleared or until the Tenant changes.

3.3 Functional — User Preferences

Set directly by the Platform.

• hsp:theme (or successor key) [localStorage] — Remembers your dark / light / auto theme preference. Lifetime: until cleared.

3.4 Security — Bot Protection

Issued by Cloudflare when you interact with sign-in or other protected entry points.

• Cloudflare Turnstile challenge cookies / storage [short-lived cookie / in-memory token] — Verifies that requests originate from a legitimate browser, not an automated client. Used at sign-in and on similar high-risk endpoints. Session / short-lived.
• Cloudflare network-edge cookies (e.g., __cf_bm) [first-party cookie set by Cloudflare on homeservicepulse.ai] — Bot-management and rate-limiting on the network edge. Up to 30 minutes per Cloudflare documentation.

3.5 Analytics

The Platform uses, or intends to deploy in the near term, the following analytics tools to understand how Users interact with the Platform, diagnose issues, and improve the product. The cookies listed below are set only when the corresponding tool is deployed and active on the page you visit:

• Google Analytics 4 (Google LLC) — sets _ga, _gid, and similar cookies when deployed; lifetime up to 2 years. Will be configured with IP anonymization enabled and Google Signals disabled; data will be retained per our Google Analytics property settings (currently planned for 14 months). Used for aggregate site-usage analytics. No advertising features will be enabled.
• PostHog (PostHog Inc., US region) — sets ph_* cookies when deployed; lifetime up to 1 year. Used for product analytics, session replay, and feature-flag delivery within signed-in sessions. Personally identifiable information will be masked in session replay where configured.

Once deployed, analytics cookies are not strictly necessary. You may opt out by (i) using your browser’s controls to block or delete these cookies, (ii) installing the Google Analytics Opt-out Browser Add-on, or (iii) sending a Global Privacy Control signal, which we will honor.

We do not currently use any other third-party web-analytics products and do not set advertising or cross-site tracking cookies.

Server-side logs (HTTP method, status, IP address, request identifier) are recorded for security and operational purposes regardless of cookie state. See the Privacy Policy, Section 3.3.

You may control or delete cookies and local storage at any time through your browser settings. Disabling strictly necessary items (Sections 3.1, 3.2) will prevent you from signing in or using the Platform. Disabling functional items (Section 3.3) will reset your preferences to defaults.

Sign-out clears the Firebase session keys in Section 3.1 from your browser. Clearing site data through your browser’s developer tools or settings removes all localStorage, sessionStorage, IndexedDB, and cookies set by the Platform on your device.

The Platform does not currently respond to “Do Not Track” browser signals. We disclose this because California’s Online Privacy Protection Act requires disclosure of DNT response. The Platform recognizes Global Privacy Control (GPC) signals. Because the Platform does not sell or share personal information for cross-context behavioral advertising and does not use sensitive personal information for purposes beyond what is permitted without an opt-in, GPC signals do not currently change Platform behavior. If our practices change, we will update this Policy and honor GPC signals as required by applicable law.

The Platform is intended for business use and is not directed at children under 13 (COPPA), and we do not knowingly sell or share personal information of consumers under 16 (CCPA). See the Privacy Policy, Section 11.

We may update this Cookie Policy from time to time. The “Last Updated” date above reflects the current version.

Questions about Storage and tracking on the Platform: privacy@homeservicepulse.ai