Cookie and Web Application Policy

This Cookie and Web Application Policy ("Cookie Policy") explains how WorkSlate, Inc. ("WorkSlate," "we," "us," or "our") uses cookies, web storage, tracking technologies, and related mechanisms on our website (getworkslate.com), web application, and customer portal (collectively, the "Web Services"). This Policy applies to all users of the Web Services globally, including users in the United States, European Economic Area (EEA), United Kingdom, Canada, and Australia.

1. What Are Cookies?

Cookies are small text files placed on your device by a website or application when you visit. They allow the site to remember your actions and preferences over time. In addition to cookies, we use related technologies including web beacons, pixel tags, local storage, and session storage (collectively referred to as "Tracking Technologies") for similar purposes.

2. Categories of Cookies and Tracking Technologies We Use

2.1 Strictly Necessary. These are essential for the Web Services to function. They cannot be disabled. Examples include:

• Session authentication tokens (keeping you logged in)
• Security tokens and CSRF protection
• Load balancing and infrastructure routing
• Customer portal session state (quote approvals, invoice payment progress)
• Cookie consent preference storage
• Error and security monitoring (e.g., Sentry) used to detect, diagnose, and fix faults and to protect the integrity of the Web Services. This error and event capture sets no cookies and stores nothing on your device; we treat it as strictly necessary and rely on our legitimate interest in keeping the Web Services secure and reliable. Sentry's optional session replay is non-essential and is consent-gated — see Section 2.3

2.2 Functional. These enhance your experience by remembering preferences and choices. Disabling them may affect some features. Examples include:

• Language and regional preferences
• UI layout and display preferences
• Remembered form inputs and portal settings
• Chat widget state

2.3 Analytics and Performance. These help us understand how users interact with the Web Services so we can improve them. All data collected is aggregated and de-identified where possible. These include:

• PostHog: product analytics including page views, session duration, and user flow (browser traffic is routed through a first-party reverse proxy)
• Sentry session replay: a masked, on-error screen recording used to debug faults (activated only with your consent)
• Feature-flag evaluation and product experiments

These analytics technologies are activated only with your consent (or where no consent is required); they are not used if you decline them or send a Do Not Track or Global Privacy Control signal. Sentry's error and event capture is separate — it sets no cookies, is not gated as analytics, and is described in Section 2.1.

2.4 Marketing and Targeting. WorkSlate does not currently use marketing, advertising, or cross-context behavioral targeting cookies (such as Google Ads conversion tracking, the Meta Pixel, or the LinkedIn Insight Tag) on the Web Services. If we introduce any such cookies in the future, they will be activated only with your explicit prior consent and disclosed on our third-party scripts list at getworkslate.com/legal/third-party-scripts.

2.5 AI and Feature Interaction. Where AI-assisted features are enabled, WorkSlate may use session-level storage to maintain context across interactions within a single session. This data is not used to build persistent behavioral profiles unless you have consented. See the AI Addendum for details.

3. Web Application Storage

In addition to cookies, the WorkSlate web application uses the following browser storage mechanisms:

3.1 Local Storage. Used to persist non-sensitive user preferences (such as UI layout choices and recently viewed items) across browser sessions. Local storage data remains until cleared by the user or application. WorkSlate does not store sensitive personal data or authentication credentials in local storage; session tokens are held in cookies.

3.2 Session Storage. Used to maintain temporary state within a single browser session (e.g., multi-step quote approval or payment flow). Session storage data is cleared when the browser tab is closed.

3.3 IndexedDB. Used in the WorkSlate web application to support offline capability and caching of non-sensitive operational data (e.g., job lists, form drafts) for improved performance. IndexedDB data is cleared upon logout or account deletion.

3.4 Service Workers and Caching. WorkSlate may use service workers to cache application assets for offline performance. Cached data does not include personally identifiable information and is cleared upon application updates or account deletion.

4. Third-Party Cookies and Scripts

Certain pages within our Web Services may load scripts or content from third parties, which may set their own cookies. These third parties include:

• Stripe (payment processing and Connect embedded components)
• PostHog (product analytics, routed through a first-party reverse proxy)
• Sentry (error and performance monitoring)
• Google Fonts (web font stylesheet delivery)

WorkSlate does not control third-party cookies. Refer to each third party's privacy policy for information on their data practices. We maintain the authoritative, current list of active third-party scripts at getworkslate.com/legal/third-party-scripts.

5. Consent and Your Choices

5.1 Consent Banner. When you first visit our website or web application, you will be presented with a cookie consent banner allowing you to accept all cookies, reject non-essential cookies, or customize your preferences by category.

5.2 Updating Preferences. You may update your cookie preferences at any time by clicking the "Cookie Preferences" link in the footer of our website or within the platform settings.

5.3 Browser Settings. You may control cookies through your browser settings. Note that disabling cookies may affect the functionality of the Web Services. Instructions for common browsers:

• Chrome: Settings > Privacy and Security > Cookies
• Firefox: Settings > Privacy & Security > Cookies and Site Data
• Safari: Preferences > Privacy > Manage Website Data
• Edge: Settings > Cookies and Site Permissions

5.4 Do Not Track and Global Privacy Control. WorkSlate honors Global Privacy Control (GPC) and Do Not Track (DNT) signals from browsers where technically feasible. Where either signal is detected, analytics and marketing cookies are not set unless you subsequently opt in through the cookie preferences control.

5.5 Opt-Out of Analytics. You may opt out of analytics cookies at any time through the "Cookie Preferences" control described in Section 5.2, or by enabling a Do Not Track signal as described in Section 5.4. Because our product analytics are routed through a first-party proxy, browser blocklists that target third-party analytics domains may not fully disable them; use the cookie preferences control instead.

6. EEA and UK Users

For users in the European Economic Area or United Kingdom, non-essential cookies are only set with your explicit prior consent as required by the EU ePrivacy Directive and UK Privacy and Electronic Communications Regulations (PECR). You have the right to withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.

7. Cookie Retention Periods

• Strictly necessary cookies: session duration or up to 12 months for authentication tokens
• Functional cookies: up to 12 months
• Analytics cookies: up to 24 months
• Marketing cookies: up to 90 days, subject to third-party provider settings
• AI session storage: cleared at end of session or upon logout

8. Web Application Security

WorkSlate implements the following security measures for web application sessions and storage:

• All authentication cookies are marked HttpOnly and Secure
• Session cookies use SameSite=Strict or SameSite=Lax attributes to prevent CSRF
• Content Security Policy (CSP) headers are enforced to restrict unauthorized script execution

9. Changes to This Policy

We may update this Cookie Policy at any time. Material changes will be communicated via a notice on our website or via email at least thirty (30) days before the effective date.

10. Contact

For questions about our use of cookies or web application storage: privacy@getworkslate.com