Cookie Policy.

What runs on leomindbody.com, what doesn't, and how to turn off the parts that are optional. The short version: three things — your consent choice, your login session, and anonymized page-view analytics. That's it.

Last updated: 2026-05-16 · Scope: web only — iOS app uses no cookies · Ads: none
§ 01

Why this page exists.

Most cookie policies bury three actual cookies under twenty paragraphs of legal boilerplate. This one tells you what we use, what we don't, and gives you the off switch. The whole policy applies to leomindbody.com — the marketing website. The Leo iOS application is a different surface entirely; it does not use cookies. See § 07 for what it does use.

§ 02

What cookies are.

A cookie is a small piece of text a website asks your browser to store. Next time you visit, the browser sends it back, and the site recognizes you (or your preferences, or your login). They're unavoidable for any modern interactive web feature — logging in, remembering your dark-mode preference, anything that needs continuity between page loads.

For the purposes of this policy, “cookies” also includes related browser-storage mechanisms like localStorage — they do the same job and the privacy implications are the same. Your consent choice on this site is stored in localStorage, not a traditional cookie.

§ 03

What Leo actually uses.

Three things. That's the whole list.

  • Your consent choice: Stored in localStorage so we don't ask you again on every visit.
  • Firebase Auth session: Only if you sign in. Keeps you signed in between pages and refreshes.
  • Google Analytics page-view counter: Anonymized, IP-truncated. Tells us which pages get traffic. Off by default until you opt in.

No advertising cookies. No re-targeting pixels. No cross-site tracking. No social-media trackers. No fingerprinting. Sections 04 through 06 cover each category in detail.

§ 04

Essential — required.

These keep the site usable. They cannot be disabled and do not require consent under GDPR or CCPA because they're strictly necessary for the service to function.

leo-cookie-consent

Stores your cookie consent choice so the consent banner doesn't reappear on every visit.

Duration: Persistent, localStorage · Type: Strictly necessary · Party: First-party
Firebase Auth session

Keeps you signed in across page loads. Only set when you actually sign in.

Duration: Session — up to 1 hour, refreshed silently · Type: Strictly necessary · Party: First-party (Firebase / Google Cloud)
Lawful basis (GDPR)
Legitimate interest — necessary for the website to operate. No consent required under GDPR Article 6(1)(f) or the ePrivacy Directive's strictly-necessary exception.
§ 05

Analytics — optional.

We use Google Analytics to count page views on the marketing site. It tells us things like “how many people visited /conditions this week” — not who they are. IP addresses are truncated before storage and we don't enable advertising features, demographics, or remarketing.

_ga / _ga_*

Anonymized page-view counter. Distinguishes one browser from another so we don't double-count, but doesn't identify you.

Duration: 2 years · Type: Analytics · Party: Third-party, Google Analytics
Off by default
Analytics cookies are not set unless you opt in via the cookie banner. If you decline (or have Do Not Track enabled), Google Analytics is not loaded at all.
Authenticated pages are never tracked
Even if you opt in, no analytics run on signed-in patient surfaces. The tracker is confined to public marketing pages.
Lawful basis (GDPR)
Consent (GDPR Article 6(1)(a)). You can withdraw it at any time — see § 08.
§ 06

Advertising — we don't.

Leo does not run advertising on the website or in the app. We do not sell ad space, we do not buy ad space using your data, and we do not install any of the following:

  • Re-targeting / re-marketing pixels (Meta Pixel, Google Ads, TikTok, LinkedIn Insight, X / Twitter)
  • Cross-site behavioral tracking
  • Social-media share-tracking pixels
  • Browser-fingerprinting libraries
  • Sales of personal information to data brokers

If that ever changes — if we add an ad partner, a pixel, or anything in this category — this page gets updated first and existing account holders are notified by email.

§ 07

Cookies in the iOS app.

The Leo iOS app does not use cookies. Native iOS applications don't need them — the equivalents are:

Authentication
Firebase Auth tokens stored in iOS Keychain, which is encrypted by the operating system and tied to your device. Not a cookie, never sent to a server other than via explicit signed API calls.
User preferences
Light/dark theme, notification permissions, biometric-lock toggle, and similar local settings are stored in UserDefaults on your device.
PHI
Encrypted with your personal Data Encryption Key (DEK) and synced through Firestore. Never in a cookie, never on a marketing page. See /security for the algorithm-level detail.
§ 08

Your choices.

The consent banner
First time you visit the site, you'll see a small banner. “Accept” loads analytics. “Decline” doesn't. Either way, only your choice is remembered — not your behavior.
Change your mind
Clear leomindbody.com site data in your browser to reset the consent state and see the banner again. Most browsers expose this under Settings → Privacy → Clear site data.
Browser-level controls
All modern browsers let you block third-party cookies, send Do Not Track signals, or use Global Privacy Control. We honor Do Not Track and GPC on this site by refusing to load analytics regardless of the banner choice.
Google Analytics opt-out
If you'd like to opt out of Google Analytics across every site that uses it, the official browser add-on is at tools.google.com/dlpage/gaoptout.
§ 09

Changes to this policy.

We'll update the “Last updated” date at the top of the page whenever the list of cookies changes. If we add anything in a new category — particularly anything in § 06 — we'll notify existing account holders by email before the change takes effect, and re-prompt consent.

§ 10

How to contact us.

For questions about cookies, your consent choice, or this policy:

For broader data-rights requests (access, deletion, portability), see /privacy § 05.