Skip to main content
Being988

Cookie Policy

Last Updated: May 30, 2026

Two Functional Cookies + Privacy-Respecting Analytics

Being’s website (www.being.fyi) uses two small first-party cookies for site functionality, plus PostHog product analytics (EU cloud) scoped tightly to pageviews and waitlist signup events. No advertising trackers, no session replay, no autocapture, no cross-site profiling.

We honor the Global Privacy Control (Sec-GPC) signal automatically — when your browser sends it, PostHog does not load, no analytics cookie is set, and no event is transmitted. No banner, no preference center.

Cookies We Use

being_ab_variant

  • Purpose: Assigns you to an A or B variant so we can measure which version of the site converts better.
  • Type: First-party functional.
  • Value: Either A or B — no identifier, no behavioral data.
  • Lifetime: 30 days.
  • Shared with third parties: No. The variant label is stored alongside waitlist signups in our internal Notion database for conversion analysis; we don’t share it with advertising or analytics vendors.

being_gpc

  • Purpose: Caches the Global Privacy Control signal so the page can display an acknowledgement.
  • Type: First-party functional.
  • Value: 1 when your browser sends Sec-GPC: 1; otherwise the cookie is cleared.
  • Lifetime: 24 hours; automatically cleared on any subsequent request that doesn’t carry the header.
  • Shared with third parties: No.

ph_* (PostHog)

  • Purpose: Anonymous product analytics — pageviews and waitlist signup events only. Helps us understand which marketing pages drive waitlist signups.
  • Type: Third-party analytics (PostHog Inc., EU data residency — Frankfurt).
  • Value: A random distinct identifier (no email, no name, no PII).
  • Lifetime: 365 days (PostHog default).
  • Shared with third parties: Yes, with PostHog. No further onward sharing or sale.
  • Not set when GPC is detected. If your browser sends Sec-GPC: 1 or exposes navigator.globalPrivacyControl === true, PostHog does not load and no ph_* cookie is set. See Global Privacy Control section below.
  • What we do NOT capture: No autocapture (no recording of all clicks/forms), no session replay, no heatmaps, no raw email or other PII. See our Privacy Policy §5.2 for the full web-analytics scope.

What We Don’t Use

  • No Advertising Cookies: We don’t serve ads or use ad networks.
  • No Google Analytics, Mixpanel, Amplitude, or Segment. We use PostHog (disclosed above) for pageviews + waitlist conversion events only — no other analytics vendors.
  • No Social Media Cookies: No social media widgets or share buttons with tracking.
  • No Cross-Site Tracking Cookies: No advertising network cookies that follow you across the web.
  • No Fingerprinting or Session Replay: No FullStory, LogRocket, Hotjar, or similar. PostHog session replay is explicitly disabled in our configuration.
  • No Autocapture: PostHog supports auto-recording all clicks, form fields, and DOM interactions — we have this turned off. Only the named events (pageviews + waitlist signup success/failure) are sent.

Global Privacy Control

If your browser sends the Sec-GPC: 1 request header (Brave, DuckDuckGo, Firefox with an extension, etc.), we treat it as an opt-out of any sale or sharing of personal information under CCPA, TDPSA, CPA, and CTDPA.

When the signal is present, PostHog does not load — no script is fetched, no ph_* cookie is set, and no event is sent. The detection is structurally enforced by our AnalyticsGate component, which checks both the being_gpc cookie (set by middleware when Sec-GPC: 1is received) and the browser’s navigator.globalPrivacyControl JS API. An X-GPC-Honored: 1 response header confirms detection to anyone inspecting the request.

See the Multi-State Privacy Rights page for the underlying state law obligations.

Mobile App Data Storage

The Being mobile app stores data locally on your device using secure, encrypted storage (not cookies):

  • Local Storage: Your check-ins, assessments, and journal entries (AES-256 encrypted)
  • User Preferences: App settings, theme preferences, notification settings
  • Authentication Tokens: If you enable cloud backup (securely stored)

This data is stored locally on your device and never sent to third parties. See our Privacy Policy for details.

Server Logs (Minimal Data Collection)

Our web server collects minimal technical information for security and performance:

  • IP Address: To prevent abuse and ensure security
  • Request URL: Which page you visited (no tracking across sessions)
  • User Agent: Browser type (to ensure compatibility)
  • Timestamp: When the request occurred

This data is not used for tracking, profiling, or advertising. It’s retained for a limited period for security purposes only.

Your Choices

You can clear any of the cookies at any time via your browser’s site-data settings. Clearing being_ab_variant just reassigns a variant on your next visit; clearing being_gpc is harmless because the cookie reflects the header, not a stored preference; clearing ph_*opts you out of any PostHog session continuity (you’ll appear as a new anonymous visitor next time). Enabling Global Privacy Control in your browser is the simplest way to suppress PostHog entirely.

For questions about server logs, mobile app data storage, or anything else, see our Privacy Policy or contact privacy@being.fyi.

Changes to This Policy

If we add or change cookies in the future, we’ll update this page and bump the Last Updated date above. We’re committed to transparency and to honoring your privacy choices by default.

Questions?

Contact us at privacy@being.fyi