Last updated: June 3, 2026
Cookie Policy
Mehashi currently uses one first-party session cookie. It is required for login, authentication, and account security. Mehashi does not currently use analytics, advertising, marketing, or tracking cookies. Because the session cookie is strictly necessary, it is not controlled by a consent toggle.
First-Party Cookie
This cookie allows the API to recognize that you are logged in and helps keep your account secure. It is not used for advertising, cross-site tracking, or marketing.
The cookie is HttpOnly, which means browser JavaScript cannot read it. In production, it is sent only over HTTPS. The matching server-side session expires after 14 days. Logging out removes the current session. Requesting account deletion revokes active sessions and clears the current session cookie.
| Name | Purpose | Duration | Settings | Category |
|---|---|---|---|---|
| mehashi_session | Keeps an authenticated user signed in and lets the API identify the server-side session. | 14 days. Earlier if you log out, request account deletion, or the API removes an invalid or expired session. | HttpOnly. Secure in production. SameSite=None in production and SameSite=Lax outside production. Path is /. No explicit Domain is set, so the browser scopes it to the API host that set it. | Strictly necessary |
Browser Storage
Browser storage is different from cookies. Mehashi uses it to remember interface choices, keep drafts, and cache app screens.
Preferences include language, sidebar state, selected organization, recent and starred projects, recent project badge choices, project tab visibility, and active project view.
Drafts and cached content include message drafts, optional local message-thread fallback data, demo project/task data, and short-lived application caches for the app shell, sidebar, workspace, settings, and project-board screens. Some browser storage can contain user-generated text entered into the application.
Saved weather preferences can include city, latitude, longitude, and whether the location came from browser geolocation or manual entry.
Google OAuth redirect context is stored in sessionStorage during Google sign-in. It expires after 15 minutes and is removed when consumed.
The inspected source does not use document.cookie, IndexedDB, Cache API storage, or service worker storage.
Storage Retention
localStorage generally persists until browser data is cleared or the app overwrites or removes the stored value.
sessionStorage is usually removed when the browser tab or browser session ends.
Third-Party Flows
Mehashi's own session cookie is separate from external services that you choose to connect or use. Google Sign-In, Google Calendar, Mailchimp, Stripe, and the other third-party services disclosed in the Privacy Policy can use their own cookies, browser storage, or data-processing practices under their own policies. Mehashi does not set those third-party cookies.
See the Privacy Policy for the full service inventory.
Cookie Notice
Mehashi can display a short cookie notice to explain the strictly necessary session cookie. The notice is informational and does not create a consent-management system because Mehashi does not use optional analytics, advertising, marketing, or tracking cookies.