Introduction
This Cookie Policy explains how AI Code that Works, LLC ("AI Code that Works," "we," "us," or "our") uses cookies and similar technologies when you visit https://aicodethatworks.com. It supplements our Privacy Policy, which describes the broader Personal Data Processing context. Defined terms used in this Policy have the meanings given to them in the Privacy Policy.
By using the Site you consent to the use of strictly necessary cookies described below. We set analytics cookies and (in the future) marketing cookies only when you have separately granted consent through the cookie banner — our default state is Google Consent Mode v2 'Basic' mode, which denies analytics and marketing categories until you decide.
What is a cookie?
A cookie is a small text file that a website places on your device (browser, phone, or tablet) to remember information about your visit. Cookies can be 'session cookies' (deleted when you close the browser) or 'persistent cookies' (retained for a defined period). Cookies set by the Site itself are 'first-party cookies'; cookies set by a different domain that the Site loads content from are 'third-party cookies.'
Similar technologies — including HTML5 localStorage, sessionStorage, pixel tags, web beacons, and SDK fingerprints — work in similar ways. For simplicity, this Policy treats all of them as 'cookies' unless we say otherwise.
Categories of cookies we use
We group cookies into three categories and present a per-category opt-in through the cookie banner the first time you visit the Site:
- Strictly necessary cookies — required for the Site to function or for security and abuse-prevention purposes. These cookies fire without consent because the Site cannot function without them; under the GDPR and the ePrivacy Directive they fall within the 'strictly necessary' exemption from consent. You cannot opt out of strictly necessary cookies through our banner.
- Analytics cookies — let us understand how the Site is used in aggregate so we can improve content, performance, and structure. GTM-loaded analytics cookies (GA4) fire only when you have granted analytics consent through the banner. PostHog cookies (`ph_*`) and Sentry session-mode session-replay state also fire only after you grant analytics consent (PostHog SDK boots in opt-out mode; Sentry replay is started by `<SentryReplayConsentGate>` post-consent).
- Marketing cookies — used to measure the effectiveness of advertising and (if we run a campaign) to retarget visitors. We do not currently set marketing cookies. If we activate any in the future, they will be loaded only when you have granted marketing consent through the banner, and we will update the inventory below before they go live.
Our consent surface uses Google Consent Mode v2 to signal your choice to Google services and to any third-party tag loaded through our Google Tag Manager container (GTM-WR9T9R8J). AI Code that Works honors the browser Global Privacy Control (GPC) signal — when `navigator.globalPrivacyControl === true`, we dispatch the Consent Mode v2 `denied` state for analytics and marketing on the first render so GTM keeps every analytics/marketing tag gated for the session. An explicit Accept on the cookie banner overrides the GPC default per the GPC spec.
Cookie inventory
The table below lists every cookie and storage entry the Site may set as of the effective date of this Policy. Where a cookie is set only after a specific event (for example, after analytics consent is granted), we note that next to the entry.
Strictly necessary cookies:
- `revastack_consent` — first-party functional cookie set when you interact with our cookie banner. Stores your consent decision (which categories you allowed) so the banner does not reappear on every load. Provider: AI Code that Works. Duration: 365 days. Always set after first banner interaction.
- `revastack:consent:v1` (localStorage entry) — the canonical copy of your consent decision. We mirror the same value into the cookie above so that server-rendered pages can read the snapshot. Provider: AI Code that Works. Duration: until you clear browser storage.
- Vercel edge/session identifiers (`__vercel_*`) — first-party cookies set by our hosting provider, Vercel, where needed for load balancing, geo-routing, deployment protection, and abuse mitigation. Provider: Vercel. Duration: typically session-only; load-balancing cookies may persist for up to 24 hours.
- Anti-CSRF tokens (set per-form-submit) — first-party transient tokens that protect form submissions against cross-site request forgery. Provider: AI Code that Works / Next.js. Duration: per-request.
Analytics cookies (all entries fire only after analytics consent is granted via the cookie banner):
- `_ga`, `_ga_<measurement-id>` — first-party Google Analytics 4 cookies (loaded via our Google Tag Manager container). Used to distinguish unique users and to track sessions. Provider: Google LLC. Duration: 2 years (`_ga`); 2 years (`_ga_*`).
- `_gid` — first-party Google Analytics cookie used to distinguish users on shorter session windows (loaded via GTM where the underlying tag still uses it). Provider: Google LLC. Duration: 24 hours.
- `ph_*` (including `ph_{api_key}_posthog`) — first-party PostHog cookies. Used to identify a device for aggregated product analytics. The PostHog SDK initializes in opt-out mode (`opt_out_capturing_by_default: true`); no `ph_*` cookies are written until you grant analytics consent. Our current PostHog config captures page-view + page-leave events only — session replay is NOT enabled in PostHog (we do not call `posthog.init({ session_recording: ... })`). Provider: PostHog Inc. Duration: 1 year (rolling) once set.
- `sentry-replay-*` (localStorage / sessionStorage entries) — first-party Sentry session-replay state. Session-mode replay starts only after you grant analytics consent: Sentry boots with `replaysSessionSampleRate: 0` and the `<SentryReplayConsentGate>` calls `Sentry.getReplay()?.start()` post-consent (and `startBuffering()` on withdraw). Buffer-mode replay (a short rolling buffer flushed to Sentry only when an error occurs) runs regardless of consent and relies on the Sentry SDK's default PII masking (`maskAllText`, `maskAllInputs`, `blockAllMedia`). Provider: Functional Software Inc. dba Sentry. Duration: session-only.
Marketing cookies (not currently active):
- `_fbp` — first-party Meta Pixel cookie (set by GTM when consented). Used to attribute ad conversions on Meta platforms. Provider: Meta Platforms, Inc. Duration: 90 days. NOT CURRENTLY ACTIVE.
- `fr` — third-party Meta cookie set by `facebook.com` for ad-targeting. Provider: Meta Platforms, Inc. Duration: 90 days. NOT CURRENTLY ACTIVE.
- `_gcl_au`, `_gcl_aw`, `_gcl_dc`, `_gcl_gb`, `_gcl_gf`, `_gcl_ha` — first-party Google Ads conversion-linker cookies. Used to attribute Google Ads clicks to subsequent form submissions. Provider: Google LLC. Duration: 90 days. NOT CURRENTLY ACTIVE.
Cookie names, durations, and providers are accurate to the best of our knowledge as of the effective date. Third-party cookie behavior may change without notice; we update this inventory when we become aware of material changes.
Manage your cookie preferences
You can change your cookie preferences at any time:
- Open the cookie preferences dialog on this page using the 'Manage cookie settings' button below. The dialog lets you grant or withdraw analytics and marketing consent independently. Strictly necessary cookies cannot be disabled there because the Site cannot function without them.
- Block cookies through your browser settings. Each major browser provides controls for accepting, blocking, or deleting cookies. Note that blocking strictly necessary cookies will degrade or break parts of the Site. Helpful links: Google Chrome — https://support.google.com/chrome/answer/95647; Apple Safari — https://support.apple.com/guide/safari/manage-cookies-sfri11471; Mozilla Firefox — https://support.mozilla.org/en-US/kb/cookies-information-websites-store-on-your-computer; Microsoft Edge — https://support.microsoft.com/en-us/microsoft-edge/delete-cookies-in-microsoft-edge-63947406-40ac-c3b8-57b9-2a946a29ae09.
- Send a Global Privacy Control (GPC) signal. AI Code that Works honors GPC — when your browser sends `navigator.globalPrivacyControl === true`, we treat the signal as an automatic denial of analytics and marketing consent for the session. Many browsers support GPC natively or via an extension (see https://globalprivacycontrol.org for instructions). You can still affirmatively grant consent via the cookie banner if you want analytics or marketing on for this device-session — the GPC spec recognizes the signal as a universal opt-out, not a binding floor, so explicit consent overrides it.
- Opt out of Google Analytics specifically by installing Google's official browser add-on at https://tools.google.com/dlpage/gaoptout (this blocks GA across all sites, not just ours).
If you withdraw consent after previously granting it, the corresponding cookies will not fire on subsequent page loads. Cookies that have already been set on your device will remain until they expire or you delete them through your browser; we do not have the ability to retroactively delete third-party cookies from your device.
Consent records
When you make a choice through the cookie banner, we record the choice (the categories you granted), the timestamp, and a numeric schema version of the consent record itself (currently `1`). We do NOT record which version of this Cookie Policy was in effect at the time of your choice. The record lives in your browser's `localStorage` (primary) and a first-party cookie (mirror), so the choice survives reloads on the same device. We do NOT propagate that banner choice into form submissions, and we do NOT capture or store the IP address that submitted the banner choice — the consent record is identifier-free at the time it is written and is not currently joined to any server-side record. We keep the local consent record on your device until you clear it or it ages out. The record's primary purpose is to drive the consent-gating logic that decides whether to fire analytics and marketing tags on subsequent page loads.
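The precedence described in this Policy (an explicit banner choice first, then the GPC signal, then the deny-by-default state) and the identifier-free consent record can be sketched as follows. This is an added example, not the Site's own code: the function names and the record field keys (`v`, `ts`, `analytics`, `marketing`) are assumptions, and mapping marketing consent to `ad_storage`, `ad_user_data`, and `ad_personalization` is one reasonable reading of the Consent Mode v2 consent types.

```javascript
// Added illustration: names and record field keys are assumptions, not the Site's code.
const SCHEMA_VERSION = 1; // the Policy states the consent record schema is currently 1

// Build the identifier-free record: categories, timestamp, schema version, nothing else.
function buildRecord(choice, now = Date.now()) {
  return JSON.stringify({
    v: SCHEMA_VERSION,
    ts: now,
    analytics: choice.analytics === true,
    marketing: choice.marketing === true,
  });
}

// Parse a stored record; malformed input or another schema version counts as "no choice".
function parseRecord(raw) {
  if (typeof raw !== "string") return null;
  let rec;
  try { rec = JSON.parse(raw); } catch { return null; }
  if (rec === null || typeof rec !== "object" || rec.v !== SCHEMA_VERSION) return null;
  if (typeof rec.analytics !== "boolean" || typeof rec.marketing !== "boolean") return null;
  if (!Number.isFinite(rec.ts)) return null;
  return rec;
}

// Precedence: explicit banner choice, then GPC, then the deny-by-default state.
function resolveConsent({ gpc, storedRaw }) {
  const rec = parseRecord(storedRaw);
  if (rec) return { analytics: rec.analytics, marketing: rec.marketing, source: "banner" };
  return { analytics: false, marketing: false, source: gpc === true ? "gpc" : "default" };
}

// Map the resolved categories onto the Consent Mode v2 consent types.
function toConsentMode(consent) {
  const state = (on) => (on ? "granted" : "denied");
  return {
    analytics_storage: state(consent.analytics),
    ad_storage: state(consent.marketing),
    ad_user_data: state(consent.marketing),
    ad_personalization: state(consent.marketing),
  };
}

// Constructed sample: GPC is on, then the visitor explicitly accepts analytics only.
const gpcOnly = toConsentMode(resolveConsent({ gpc: true, storedRaw: null }));
const stored = buildRecord({ analytics: true, marketing: false }, 1700000000000);
const accepted = toConsentMode(resolveConsent({ gpc: true, storedRaw: stored }));
console.log(gpcOnly.analytics_storage, accepted.analytics_storage, accepted.ad_storage);
```

A record that fails validation is treated as no choice at all, so a tampered or stale `localStorage` value falls back to denial rather than to a grant.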
Third-party services that set cookies
Several of the cookies above are set by third-party Processors named in our Privacy Policy. Each Processor's own privacy and cookie notices govern its handling of the data it collects:
- Google — https://policies.google.com/technologies/cookies.
- PostHog — https://posthog.com/privacy.
- Sentry — https://sentry.io/privacy.
- Vercel — https://vercel.com/legal/privacy-policy.
- Meta (when activated in the future) — https://www.facebook.com/policies/cookies.
Changes to this Cookie Policy
We may update this Cookie Policy from time to time, including when we add or remove a cookie. The 'Last updated' date at the top of this page reflects the most recent change. Where the change materially affects the categories of cookies we use, we will refresh the consent banner so you can review and update your choice.
Contact
Cookie-related questions can be sent to alex@aicodethatworks.com.
Effective date: 2026-05-23.
