ThumbLead← Back to site

Cookie Policy

FrançaisEnglishEspañolDeutschItalianoPortuguêsРусский
⚠︎ This is a courtesy translation. Only the French version is legally binding.Read the French version

Cookie Policy — ThumbLead

Last updated: 2 July 2026

This cookie policy describes how the ThumbLead website and application, accessible at https://thumblead.com (hereinafter the "Service"), use cookies and similar technologies (trackers) when you browse or use the Service.

It is drawn up in accordance with Directive 2002/58/EC (the "ePrivacy" Directive), Article 82 of French Act No. 78-17 of 6 January 1978 as amended (the French Data Protection Act, "loi Informatique et Libertés"), Regulation (EU) 2016/679 ("GDPR"), Act No. 2004-575 of 21 June 2004 on confidence in the digital economy ("LCEN"), as well as the recommendations and guidelines of the French Data Protection Authority (Commission nationale de l'informatique et des libertés, "CNIL") relating to cookies and other trackers.

Publisher of the Service: Enzo Violante, SIRET 948 968 318 000 14, 6 rue Émile Barthe, 34500 Béziers, France. Contact: contact@thumblead.com.

This policy supplements our Privacy Policy, to which reference should be made for all information relating to the processing of your personal data.


Article 1 — What is a cookie?

1.1 Definition

A "cookie" is a small text file placed and stored on your device (computer, tablet, smartphone) through your browser when you visit a website or use an application. It notably enables your device to be recognised during subsequent visits, certain information relating to your browsing to be retained, or your connection to be secured.

The term "cookie" is used, in this policy, in a broad sense: it covers all trackers placed and/or read when using the Service, whatever their technology (HTTP cookies in the strict sense, but also session identifiers, tokens stored locally via localStorage or sessionStorage, or equivalent technologies).

1.2 What are cookies used for?

Depending on their purpose, cookies may notably enable:

  • the technical operation of the Service to be ensured and your session to be secured (for example, keeping you authenticated from one page to another);
  • your display and usage preferences to be remembered (language, light/dark theme);
  • certain operations, such as online payment, to be carried out properly.

1.3 Who places cookies?

A distinction is made between:

  • first-party cookies ("internal"): placed by ThumbLead for the operation of the Service itself;
  • third-party cookies: liable to be placed by third-party services integrated into the Service, in connection with specific features (for example, the payment provider during a transaction). ThumbLead uses no third-party cookie for advertising or behavioural tracking purposes (see Article 4).

Article 2 — Cookies used by ThumbLead

The Service uses exclusively cookies strictly necessary for its operation, as well as preference cookies intended to improve your ease of use. None of these cookies is used for advertising, profiling or data-resale purposes.

2.1 Authentication session cookie

Authentication to the Service relies on the NextAuth (Auth.js) library. When you log in to your account, a session cookie is placed in order to keep you authenticated throughout your browsing and to secure your exchanges with the Service.

This cookie has the following security characteristics:

  • HttpOnly attribute: the cookie is not accessible via scripts executed in the browser, which limits the risk of session theft (XSS-type attacks);
  • SameSite attribute: the cookie is transmitted only in a legitimate browsing context, which limits the risk of cross-site request forgery (CSRF) attacks;
  • Secure attribute: the cookie is transmitted only over an encrypted connection (HTTPS).

This cookie is strictly necessary: without it, it is not possible to log in or to access the protected areas of the Service.

2.2 Cookies and storage of preferences

The Service may retain certain of your usage preferences in order to personalise your experience and to avoid having to set them again on each visit, for example:

  • the display language of the Service;
  • the display theme (light / dark);
  • any interface preferences (for example, the display state of certain panels).

This information may be stored by means of cookies and/or the browser's local storage (localStorage / sessionStorage). It does not contain data enabling you to be identified for advertising purposes and is not shared with third parties.

2.3 Summary table

Cookie / tracker Type Purpose Placed by Consent required Indicative duration
Authentication session (NextAuth) Strictly necessary (HttpOnly, SameSite, Secure) Keep the user logged in and secure the session ThumbLead (internal) No (exempt) Duration of the session / 30 days
Anti-CSRF token (NextAuth) Strictly necessary Protect against cross-site request forgery ThumbLead (internal) No (exempt) Duration of the session
Language / theme preference Preference / convenience Remember your display choices ThumbLead (internal) No (exempt within the meaning of the CNIL recommendation — personalisation at your initiative) 12 months
Cookies placed by Stripe (see Article 5) Functional / payment security Secure the transaction and prevent fraud Stripe (third party) No for cookies necessary for payment security See Stripe's policy
Audience measurement (PostHog) Analytics Understand use of the Service in order to improve it PostHog (third party — hosted in the European Union) Yes — placed only after your consent Up to 12 months

Article 3 — Strictly necessary cookies

The cookies mentioned in Article 2.1 are strictly necessary for the provision of the Service that you have expressly requested (namely logging in to your account and using the application). As such, and in accordance with Article 82 of the French Data Protection Act ("loi Informatique et Libertés") as well as the CNIL guidelines, they are exempt from prior consent.

These cookies cannot be disabled from the Service without compromising its operation. You may nevertheless block or delete them via your browser settings (see Article 7), it being specified that, in that case, you will no longer be able to log in or use the features of the Service that require authentication.


Article 4 — Advertising and audience measurement

ThumbLead uses no cookie or tracker for advertising, profiling, behavioural targeting, retargeting or data-resale purposes.

In particular, the Service:

  • uses no advertising agency and no third-party advertising network;
  • places no social-network tracker for tracking purposes (tracking share buttons, social pixels, etc.);
  • carries out no cross-referencing of your browsing data with third-party databases for commercial purposes.

ThumbLead uses an audience-measurement tool (PostHog, hosted in the European Union) in order to understand use of the Service and to improve it. These trackers are subject to your consent: a consent-collection banner (accept / refuse) is presented before any placement, your refusal has no consequence on access to the Service, and your choice may be changed at any time. Apart from this audience measurement, no other tracker subject to consent is used, and this policy would be updated prior to any change.


Article 5 — Cookies placed by third-party services

Certain features of the Service rely on third-party providers which, strictly within the scope of those features, may place their own cookies. ThumbLead does not exercise control over all the trackers placed by these third parties, which are governed by their own policies.

5.1 Stripe (payment)

Payment for subscriptions is handled by Stripe (Stripe Payments Europe, Ltd., Ireland). When you make a payment or access a payment page, Stripe is liable to place and/or read cookies intended to:

  • secure the transaction and prevent fraud;
  • ensure the proper functioning of its payment interface.

These cookies are, for the most part, necessary for the security and completion of the payment operation that you have requested. No banking data is stored by ThumbLead: your payment details are collected and processed directly by Stripe.

To find out more, you may consult Stripe's cookie policy and privacy policy: https://stripe.com/fr/privacy and https://stripe.com/fr/legal/cookies-policy.

5.2 Google (login and integrated services)

When you use login via Google (OAuth) or features relying on the Google services integrated into the Service (Google Calendar synchronisation, AI analysis via Gemini), you may be redirected to pages hosted by Google (Google Ireland Ltd.), which may place their own cookies in connection with the authentication and security of your Google account.

These cookies are governed by Google's policy and are beyond ThumbLead's control. To find out more: https://policies.google.com/technologies/cookies.

5.3 No advertising purpose

The use of these third-party providers has no advertising purpose on behalf of ThumbLead. These cookies are implemented solely to enable the operation of the services concerned (payment, authentication, features that you activate).


Article 6 — Legal basis

6.1 Cookies exempt from consent

In accordance with Article 82 of the French Data Protection Act ("loi Informatique et Libertés") and the CNIL guidelines, the following cookies are exempt from consent:

  • those whose exclusive purpose is to enable or facilitate communication by electronic means; or
  • those strictly necessary for the provision of an online communication service expressly requested by the user.

This category includes authentication and security session cookies (Article 2.1), as well as, according to the CNIL's interpretation, certain interface-personalisation cookies resulting from an express choice on your part (language, theme). The basis for their implementation is the performance of the contract binding you to the publisher and the publisher's legitimate interest in ensuring the operation and security of the Service.

6.2 Cookies subject to consent

Any non-strictly-necessary cookie (notably advertising, non-exempt audience-measurement, profiling or tracking cookies) may be placed only with your prior, free, specific, informed and unambiguous consent, within the meaning of Articles 4(11) and 7 of the GDPR.

As at the date of this policy, ThumbLead implements no cookie of this category (see Article 4). Consequently, no consent is required for use of the Service. Should such cookies be introduced, a compliant consent-collection mechanism would be deployed, allowing you to accept, refuse or configure the trackers concerned, and to withdraw your consent at any time as easily as you gave it.


Article 7 — How to manage or refuse cookies

7.1 Configuration via your browser

You may at any time configure your browser to accept or refuse cookies, to accept only certain cookies, to be warned before a cookie is placed, or to delete cookies already stored on your device.

Each browser offers its own configuration methods, generally described in its help menu. By way of indication:

  • Google Chrome: Settings → Privacy and security → Cookies and other site data;
  • Mozilla Firefox: Settings → Privacy & Security → Cookies and Site Data;
  • Microsoft Edge: Settings → Cookies and site permissions;
  • Apple Safari: Settings/Preferences → Privacy.

7.2 Consequences of refusal

We draw your attention to the fact that blocking or deleting strictly necessary cookies prevents the operation of the Service, and in particular logging in to your account and accessing protected features. Your browser configuration is liable to alter your conditions of access to the Service.

7.3 Third-party cookies

For cookies placed by third-party services (Article 5), you may also refer to the management tools and policies made available by those third parties (Stripe, Google), the links to which appear above.


Article 8 — Cookie retention period

The lifespan of cookies varies according to their nature:

  • session cookies are deleted when you close your browser or when the authentication session expires;
  • persistent cookies (for example, the remembering of your preferences) are retained for a specified period, at the end of which they expire, or until you delete them.

In accordance with the CNIL recommendation, the retention period of trackers placed by ThumbLead does not exceed what is necessary in view of their purpose. The indicative durations appear in the table in Article 2.3 (up to 30 days for the session cookie, up to 12 months for preferences). Cookies placed by third-party services are retained for the periods defined by those third parties in their own policies.


Article 9 — Amendments to this policy

ThumbLead reserves the right to amend this cookie policy at any time, notably in order to adapt it to changes in the Service, the technologies used or the applicable regulations.

Any amendment takes effect upon its publication on the Service. The last-updated date appearing at the top of the document makes it possible to verify the version in force. In the event that new trackers subject to consent are introduced, these will be placed only after your consent has been collected under the conditions provided for in Article 6.2.


Article 10 — Contact

For any question relating to this cookie policy or to the exercise of your rights over your personal data, you may contact the publisher at the following address: contact@thumblead.com.

You also have the right to lodge a complaint with the French Data Protection Authority (Commission nationale de l'informatique et des libertés, CNIL), 3 place de Fontenoy, TSA 80715, 75334 Paris Cedex 07 — https://www.cnil.fr.