At a Glance
Quick summary. Read the full policy below for the complete terms.
- Document owner: FinSync LLC (operating as Raintree Technology) privacy and compliance team.
- Contact + response: Questions? Email hello@useclarity.app. We respond to consent inquiries within 5 business days.
- What's on by default? Only essential cookies and short-lived referral/OAuth handoff. Analytics cookies, product analytics, and advertising pixels stay off until you allow them.
- Do I have to opt in? Yes for analytics and advertising storage. Global Privacy Control is treated as a decline for both.
- Can I change my mind? Anytime. Use the controls on this page or clear site data in your browser.
- Is my financial data in cookies? Never. No balances, bank names, or account numbers touch cookies.
- Last revised: May 23, 2026
1. Scope and purpose
This Cookie Policy explains how Clarity (FinSync LLC, operating as Raintree Technology) uses cookies and similar technologies on our marketing site and authenticated application.
This policy covers the browser-side storage and tracking controls that are implemented in the product today.
Separate from optional analytics cookies, Clarity may process necessary server-side security, fraud-prevention, rate-limit, and abuse-detection telemetry to protect the service. That telemetry does not use advertising cookies and is described in the Privacy Policy.
For broader data handling disclosures, review our Privacy Policy.
2. Cookie categories and control model
We currently use four storage categories:
- Strictly Necessary: Required for authentication, security, fraud controls, and core product operation.
- Short-lived attribution and auth handoff: Preserves referral codes, UTM parameters, and OAuth state across sign-in redirects.
- Analytics: Google Analytics measures aggregate site traffic, and PostHog supports product analytics for the authenticated app. Marketing-site analytics and authenticated-app product analytics storage are opt-in.
Control standard:
- Analytics and advertising cookies are off until you explicitly allow them.
- Global Privacy Control (GPC) is treated as a decline for non-essential analytics and advertising storage.
- Necessary security and fraud-prevention telemetry is separate from optional product analytics and may run without analytics cookies.
3. Cookie inventory
Below is the browser storage we currently create directly or rely on in the application codebase. Names managed by third-party auth providers can vary by environment.
Always-on operational storage
These entries support authentication, OAuth handoff, referral attribution, and basic app operation.
| Storage key | Type | Provider | What it does | Lasts |
|---|---|---|---|---|
| Authentication session cookie(s) | Cookie | Clarity / infrastructure provider | Keeps authenticated sessions active | Session / provider-managed |
| clarity_ref | Cookie | Clarity | Carries referral code through the Google OAuth round-trip | 30 minutes |
| clarity_utm | Cookie / local storage | Clarity | Carries UTM attribution through sign-up and OAuth flows | 30 minutes in cookie; browser-controlled in local storage |
| clarity_oauth_event | Cookie | Clarity | Short-lived sign-in/sign-up event marker used after Google OAuth completes | 60 seconds |
Analytics and consent storage (opt-in)
Analytics entries are created only after you allow analytics. Consent-state entries are created only after you make a cookie choice.
| Storage key | Type | Provider | What it does | Lasts |
|---|---|---|---|---|
| _ga, _ga_* | Cookie | Google Analytics | Site analytics and conversion measurement after analytics consent. When analytics storage is denied, the Google Analytics tag is not loaded. | Provider-managed, typically up to 2 years |
| ph_*, __ph_* | Cookie + Local storage | PostHog | Product analytics for the authenticated app. Identifies sessions by your Clarity user ID only after analytics consent and sign-in. Does not receive account balances, transaction lists, holdings, or your email address. | ~12 months |
| clarity_cookie_preferences | Cookie + Local storage | Clarity | Stores your analytics consent choice | 180 days in cookie; until you clear browser storage in local storage |
Outside the tools listed above, we do not load additional marketing trackers (Segment, Mixpanel, Intercom, TikTok Pixel, LinkedIn Insight, etc.) in the product today. None of the storage above receives balances, account numbers, or institution names.
Operational security events, such as prompt-injection detections, webhook failures, rate-limit abuse, and system error classes, may be captured in server logs or operations tools using security-purpose metadata and pseudonymous identifiers. These events are not used for advertising.
4. Consent and user choice
4.1 Banner and on-page controls
When analytics are enabled for the environment, we show a banner with Decline, Analytics only, and Allow all. Decline keeps non-essential analytics off. Analytics only enables analytics storage. Allow all matches the same analytics-enabled path today. The on-page controls below let you change browser-level analytics preferences at any time. Signed-in product analytics and AI processing are controlled from account settings, where Clarity keeps a server-side grant and withdrawal record.
4.2 Consent timing
Before you record a choice, analytics cookies are not set. The Google Analytics tag and marketing-site PostHog browser SDK load only after the relevant browser consent is granted. The authenticated-app PostHog SDK also requires the signed-in user's account-level product analytics consent. If your browser sends a Global Privacy Control (GPC) signal, we treat that as a decline for non-essential analytics.
4.3 Browser-level controls
Most browsers allow cookie deletion or blocking. Clearing site data removes the stored analytics choice and referral/auth handoff state.
5. Audit evidence and governance
We keep this policy aligned to the codebase through change review and inventory updates. Browser cookie choices are stored locally; signed-in product analytics and AI processing choices are also recorded server-side in account audit logs.
- Current consent state: Your analytics and advertising choices are stored locally in the browser as clarity_cookie_preferences in local storage and a first-party cookie so the choice can apply across Clarity subdomains. When signed in, product analytics and AI processing grants or withdrawals are also stamped on your user profile and audit log.
- Policy version history: Last revised date, change notes, and publication updates when cookie usage changes.
- Change management evidence: Pull request review and release checks for new scripts, SDKs, or tags.
- Inventory maintenance: We update this page when browser storage or third-party tags change.
If we add a centralized consent manager or server-side consent logging later, this section will be updated to reflect that operational control.
6. Fintech confidentiality requirements
Because Clarity handles sensitive financial context, cookie controls are designed to prevent data leakage and enforce strict minimization.
- No plaintext PII in cookie values.
- No account balances, institution names, or account numbers in cookie payloads.
- Use opaque identifiers and short retention where possible.
- Vendor assessments include security and privacy diligence for cookie-capable partners.
Third-party providers may be requested to provide security assurance artifacts (such as SOC 2 reports) as part of vendor risk management.
7. Policy updates and contact
We may update this policy to reflect changes in technologies, vendors, legal requirements, or control design.
- Last revised date is updated on each policy change.
- Material updates are reflected in product notices or account communications as needed.
For questions or requests related to cookies or privacy rights, contact hello@useclarity.app.