Cookie Policy
Which cookies Lobor uses, why we use them, and how to control cookie preferences.
Lobor, Inc.
Last updated: 2026-04-20
Effective date: 2026-04-20
1. About This Policy
This Cookie Policy explains how Lobor, Inc. ("Lobor", "we", "our", or "us") uses cookies and similar tracking technologies on https://lobor.ai, https://staging.lobor.ai, and Lobor-managed applications and dashboards (collectively, the "Services").
This Policy supplements our Privacy Policy. Capitalized terms not defined here have the meaning given in the Privacy Policy or Terms of Service.
By continuing to use the Services after reviewing the Cookie Banner, you confirm your cookie preferences. You may withdraw or change your choices at any time by clearing the lobor.cookieConsent entry in your browser's site storage (the banner will then re-appear on your next visit) or by adjusting cookie settings in your browser.
2. What Are Cookies
Cookies are small text files that a website places on your device (computer, phone, or tablet) when you visit it. Similar technologies include local storage, session storage, pixels, and SDKs that perform comparable functions.
- First-party cookies are set by Lobor on the lobor.ai domain.
- Third-party cookies are set by service providers we embed (for example, payment processors or model provider domains during BYOK authentication).
- Session cookies expire when you close the browser tab or window.
- Persistent cookies remain on your device for a defined retention period or until you delete them.
We also use localStorage to store non-sensitive UI state such as your cookie consent record, language preference, and theme (the theme is stored in localStorage, not as a cookie). These entries are not transmitted to our servers automatically except where explicitly noted (for example, your consent choice is also recorded server-side for audit purposes; see Section 3.2).
3. Cookies We Use
3.1 Essential Cookies
Essential cookies are strictly necessary to deliver the Services you request: authentication, security, language, and theme. They cannot be disabled through the Cookie Banner because the Services would not function without them.
| Name | Purpose | Duration | Type |
|---|---|---|---|
| lobor_session | Client-readable session marker (intentionally JavaScript-accessible) used by the web application to detect an active server-side session and hydrate the UI accordingly. Does not carry identity — the authentication token is stored separately in the HttpOnly auth_token cookie. | ~30 days | First-party cookie |
| auth_token | Refresh token used to renew session credentials securely. Signed JSON Web Token whose payload includes your account identifier, email address, role, and session version. Email address is used server-side to identify your session; HttpOnly protection prevents third-party readability. | ~30 days | First-party, HTTP-only cookie |
| lobor_token | First-party cookie (JavaScript-readable) carrying the authentication token on password-login sessions. Used by server-rendered pages to authenticate the initial render when the HttpOnly auth_token cookie is not present. Carries the same signed JWT payload as auth_token. | ~30 days | First-party cookie |
| lobor_consent_binding | First-party HttpOnly cookie, signed with a server secret, binding your cookie-consent choice to your current browser session. Used to safely associate your anonymous consent record with your account if you subsequently log in. Does not carry identity on its own. | ~24 hours | First-party, HTTP-only cookie |
| lobor-locale | Stores your selected interface language (en, zh, fr, de, es). | 1 year | First-party cookie |
The auth_token and lobor_token cookies carry a signed JSON Web Token whose payload includes your account identifier, email address, role, and session version. The email address is used server-side to identify your session; it is not readable by third parties due to HttpOnly/SameSite protections on auth_token and the TLS transport layer.
We may also set short-lived CSRF and rate-limit cookies that are required for security and are treated as essential.
3.2 Analytics Cookies
Lobor does not deploy third-party analytics cookies (such as Google Analytics, Mixpanel, Segment, PostHog, Amplitude, Heap, FullStory, or Hotjar). Lobor does maintain an internal server-side event log for service operation, which records anonymized session identifiers, anonymized IP hashes, and truncated user-agent strings on every request. Writes to this log that are tied to your session are gated by your choice in the Cookie Banner (the "Analytics" toggle). You may withdraw your consent at any time via the Cookie Settings page (see Section 4). Withdrawal stops new records from being written; it does not delete historical records, which are retained per our [Data Retention policy](/legal/data-retention). Essential server logs unrelated to your Analytics choice (such as error logs and security logs) are retained independently, per the same retention policy.
3.3 Third-Party Cookies
The following third parties may set their own cookies on their own domains when you interact with their embedded flows on the Services. Their cookie use is governed by their own policies.
- Stripe — Stripe Checkout and Stripe Elements may set session and fraud-prevention cookies during payment, in line with Stripe's Privacy Policy and Cookie Policy.
- LLM providers (BYOK) — When you authenticate to a model provider (for example, OpenAI, Anthropic, or Google) through our Bring-Your-Own-Key flow, that provider's domain may set cookies on its own domain during the OAuth or sign-in step. Lobor does not read those cookies.
- Cloud infrastructure — Our hosting and edge providers may set short-lived security cookies for DDoS protection and load balancing.
We do not embed advertising networks, social media trackers, or cross-site behavioral advertising cookies on the Services.
3.4 Marketing Cookies
Marketing cookies help us understand how you arrived at Lobor (e.g., via a search engine, social media, or referral link). We store UTM parameters from the URL you arrive through, the hostname of your referring site (e.g., google.com — not the full URL), and the landing page path. This data is kept locally in your browser until you complete signup, at which point the marketing attribution of your first visit and last visit before signup may be recorded on your account for campaign analytics.
We do NOT collect:
- Advertising identifiers (gclid, fbclid, msclkid) unless separate advertising consent is later introduced
- Full referring URL (only the hostname)
- Third-party ad-network trackers
| Name (in browser) | Purpose | Duration | Type |
|---|---|---|---|
| lobor_first_touch (localStorage) | First source of visit (UTM + referrer + landing) | Cleared at signup | First-party |
| lobor_last_touch (localStorage) | Most recent source of visit before signup | Cleared at signup | First-party |
3.5 Personalization Cookies
Personalization cookies remember your preferences and activity on the site so you see a more tailored interface when you return. We store your recently viewed agents (up to 10, on your account) and your local UI preferences (such as marketplace sort order, filter selections, and sidebar state).
We do NOT use personalization data for third-party targeting or advertising.
| Name (in browser) | Purpose | Duration | Type |
|---|---|---|---|
| lobor.uiPreferences (localStorage) | Marketplace sort, filter, sidebar collapse state | Persistent until you clear site data or revoke consent | First-party |
| Server-side recently_viewed_agents table | Your last 10 agents viewed, per account | Persistent until account deletion or consent revocation | Server |
4. Your Choices
You can control how cookies are used in several ways:
- Cookie Banner. On your first visit, the Cookie Banner offers three actions:
  - Accept All — enables analytics, marketing, and personalization categories.
  - Reject Non-Essential — only essential cookies are used.
  - Customize — opens a settings panel where you can toggle each non-essential category individually (Analytics, Marketing, Personalization) before saving.
- Revisit your choices. Visit [/legal/cookie-settings](/legal/cookie-settings) at any time to review and update your preferences. You do not need to clear any browser data.
- Browser-level controls. Most browsers allow you to view, delete, and block cookies through their settings. Blocking essential cookies may prevent the Services from working.
- Do Not Track (DNT). Lobor honors the DNT signal for non-essential cookies. If your browser sends DNT: 1 or navigator.doNotTrack === '1', we will treat your preferences as if you selected "Reject Non-Essential" and will not show the Cookie Banner.
5. How to Delete Cookies
You can delete cookies that have already been stored on your device through your browser settings. The exact steps differ by browser; the links below are placeholders pointing to common help articles:
- Google Chrome — Settings → Privacy and security → Cookies and other site data
- Mozilla Firefox — Settings → Privacy & Security → Cookies and Site Data
- Safari (macOS) — Safari → Settings → Privacy → Manage Website Data
- Microsoft Edge — Settings → Cookies and site permissions → Manage and delete cookies and site data
- Mobile browsers — refer to your device's browser help center.
Deleting cookies will sign you out of the Services and reset your saved preferences, including language and theme.
6. Changes
We may update this Cookie Policy from time to time to reflect changes to the Services, the cookies we use, or applicable law. The "Last updated" date at the top indicates when the Policy was last revised. Material changes will be communicated through an in-product notice or by re-prompting the Cookie Banner.
7. Contact
For questions about this Cookie Policy or our cookie practices, contact:
Lobor, Inc.
Email: privacy@lobor.ai