Cookie Policy
Last updated: 2026-05-21
What cookies are
A cookie is a small text file a website asks your browser to store. The browser sends the file back to the site on every subsequent request so the site can remember things between page loads — that you're signed in, what theme you chose, which workspace you were last in.
We also use similar technologies (localStorage, sessionStorage, IndexedDB) for the same purposes. Where this policy says "cookies", it covers all of them.
How we use them
Essential cookies: keep you signed in, protect you from CSRF, and let the product function. You can't turn these off and still use the product.
Preference cookies: remember settings like your theme and last-active workspace so the product feels personal across sessions.
Analytics cookies: let us see which features are used and where users get stuck. We aggregate before we look — we don't profile individuals, and we don't sell this data.
We do not use advertising cookies. We do not retarget you. We do not embed third-party trackers on the marketing site.
Cookies we set
The table below lists every cookie our product currently sets. If we add or remove cookies, we'll update this policy and bump the "last updated" date.
| Name | Party | Category | Purpose | Duration |
|---|---|---|---|---|
| fx_session | 1st party | Essential | Keeps you signed in across page loads. Without it, the product can't authenticate you to the API. | Session |
| fx_refresh | 1st party | Essential | Refresh token cookie used to extend a session without re-prompting for a password. HttpOnly, SameSite=Lax. | 30 days · rotated on use |
| fx_csrf | 1st party | Essential | Anti-CSRF token bound to your session. Mitigates cross-site request forgery on state-changing requests. | Session |
| fx_theme | 1st party | Preference | Remembers light/dark theme preference so the app doesn't flash the wrong theme on cold loads. | 1 year |
| fx_workspace | 1st party | Preference | Remembers which workspace you last had open when you have access to multiple businesses (typical for CPAs). | 90 days |
| mp_* | 3rd party | Analytics | Mixpanel product-analytics cookies: anonymous device identifier and event-batching state. We use these to understand which features are used so we can prioritize improvements. | 1 year |
Third-party cookies
Mixpanel sets the mp_* cookies described above when you use the product. Mixpanel acts as a processor under our instructions and is bound by the same security and confidentiality terms as our other sub-processors (see /dpa).
When you embed Stripe or Plaid forms in a checkout or bank-link flow, those providers may set their own cookies on their iframe. Those cookies are governed by their own policies (stripe.com/privacy, plaid.com/legal/) and are essential to the payment or bank-link operation.
How to turn cookies off
Essential cookies: you can't turn these off without breaking the product. Sorry.
Preference and analytics cookies: go to Settings → Privacy in the app and toggle "Product analytics" off. The mp_* cookies stop being set and any existing ones are cleared at next sign-in.
You can also delete cookies in your browser at any time. Settings vary by browser — search "delete cookies" for your specific browser if you need step-by-step instructions.
Do Not Track
Web browsers offer a "Do Not Track" signal. Because there is no industry consensus on what DNT means and no enforcement, we don't change behavior based on it. The opt-out toggle in Settings → Privacy is the supported way to disable analytics.
Changes
We update this policy when we change which cookies we set. Material changes will be announced in the product and by email to workspace owners. The current version always lives at finxteam.com/cookies with a "last updated" date at the top.
Contact
Questions about cookies or analytics opt-out: privacy@finxteam.com. We respond within one business day.
