What we set
On the public marketing site (workhand.co.uk and its sub-pages): nothing. No cookies are set unless you sign in.
Inside the dashboard (/client/* and /operations/*): a session cookie (Supabase Auth) so you stay signed in, plus short-lived OAuth state cookies during the Connect-Gmail / Connect-Calendar round-trip. All are first-party and httpOnly, and all expire on session end, except the auth session cookie, which lasts 30 days.
What we don't set
No advertising cookies. No third-party analytics (no Google Analytics, no Meta Pixel, no LinkedIn Insight, etc.). No cross-site tracking. No fingerprinting. We measure traffic anonymously through server-side logs only.
Why we don't need a cookie banner
Under PECR, banners are required for non-essential cookies. We only set strictly-necessary cookies (auth session, OAuth state), which are exempt. If we ever add anything optional, the banner ships in the same release.
Questions on this page? Email felix@workhand.co.uk — Felix reads everything. For DSAR submissions specifically, use the in-app DSAR form so the request lands in the audit log directly.