Cookie Policy

This Cookie Policy explains how ZenFitness uses cookies. By using our application, you consent to the use of cookies as described in this policy.

Last Updated: 22 May 2026

This Cookie Policy explains exactly what cookies and browser storage ZenFitness uses, why, and how you can manage them. It is based on a direct audit of the application code.

1. What Are Cookies?

Cookies are small text files stored on your device by the web server when you visit a site. They are sent back to the server with each request and are commonly used for authentication and session management.

Separately, browsers also support Local Storage — a client-side store for small data items that your browser keeps on your device. Unlike cookies, local storage is never automatically sent to the server. We use it for UI preferences and performance optimisation.

2. Cookies Used by ZenFitness

ZenFitness does not set any first-party cookies of its own. The only cookies present are set by our authentication provider, Neon Auth, and are strictly necessary for you to log in and stay logged in.

All three cookies share the prefix __Secure-neon-auth. The __Secure- prefix means they are only ever transmitted over HTTPS. They are also marked HttpOnly (inaccessible to JavaScript on the page, a security measure to prevent token theft).

__Secure-neon-auth.session_token

  • Purpose: Your primary authentication token. Proves to the server that you are logged in.
  • Duration: Persists across browser sessions (you stay logged in between visits).
  • Set by: Neon Auth on successful login.

__Secure-neon-auth.local.session_data

  • Purpose: A signed copy of your session data, used to verify session integrity server-side without a database round-trip on every request.
  • Duration: Persists across browser sessions.
  • Set by: Neon Auth on successful login.

__Secure-neon-auth.session_challange

  • Purpose: A short-lived CSRF/state token generated at the start of the sign-in flow (including Google OAuth). It is verified when the sign-in completes to prevent cross-site request forgery attacks.
  • Duration: Deleted immediately after sign-in completes.
  • Set by: Neon Auth when you initiate login.

Disabling or deleting these cookies will log you out and prevent you from logging back in. Because they are HttpOnly, they cannot be read or modified by any JavaScript running on the page.

3. Local Storage Used by ZenFitness

The app stores the following items in your browser's Local Storage. None of these are ever transmitted to our servers — they exist only on your device to improve your experience.

theme

  • Purpose: Stores your dark/light mode preference so the correct theme loads immediately on your next visit without a flash of the wrong theme.
  • Data stored: "dark" or "light".
  • Set by: next-themes library when you toggle the theme.

zen_background_style

  • Purpose: Stores your chosen background visual style for the app.
  • Data stored: A string identifier for the selected style.
  • Set by: ZenFitness when you change your background preference in settings.

zen_background_accent

  • Purpose: Stores whether the background accent/overlay effect is enabled or disabled.
  • Data stored: A boolean-like string.
  • Set by: ZenFitness when you toggle the background accent in settings.

zen_cached_plan

  • Purpose: Stores a JSON copy of your active workout plan so the app can display it instantly on load without waiting for a database request. This avoids a blank screen on each visit.
  • Data stored: A JSON object containing your workout plan structure (exercise names, sets, reps). Does not contain your name, email, or any identifying information.
  • Set by: ZenFitness when your active plan is loaded.
  • Cleared: Automatically deleted from local storage when you log out.

zen_stats_mock_flag

  • Purpose: Tracks whether sample/placeholder statistics are currently being shown in the Statistics page. Used when you have little or no workout history, so the dashboard can display an appropriate hint.
  • Data stored: "true" or "false".
  • Set by: ZenFitness when you view the Statistics page.

4. Summary

Name | Type | Provider | Purpose
__Secure-neon-auth.session_token | Cookie — Strictly Necessary | Neon Auth | Keeps you logged in
__Secure-neon-auth.local.session_data | Cookie — Strictly Necessary | Neon Auth | Session integrity verification
__Secure-neon-auth.session_challange | Cookie — Strictly Necessary | Neon Auth | CSRF protection during sign-in
theme | Local Storage | ZenFitness / next-themes | Dark / light mode preference
zen_background_style | Local Storage | ZenFitness | Background style preference
zen_background_accent | Local Storage | ZenFitness | Background accent toggle
zen_cached_plan | Local Storage | ZenFitness | Workout plan cache for fast loads; cleared on logout
zen_stats_mock_flag | Local Storage | ZenFitness | Tracks whether sample stats are shown

5. No Tracking or Advertising

ZenFitness does not use cookies or any other technology for:

  • Behavioural advertising or retargeting.
  • Cross-site tracking or device fingerprinting.
  • Analytics platforms (Google Analytics, Mixpanel, Amplitude, or similar).
  • Performance or heatmapping tools (Hotjar, FullStory, or similar).
  • Social media tracking pixels (Meta, TikTok, X, or similar).

There are no third-party advertising or tracking scripts loaded by this application.

6. How to Manage Cookies & Local Storage

Cookies: You can view and delete cookies through your browser settings. However, deleting the Neon Auth cookies will log you out, and blocking them will prevent you from logging in at all. Browser-specific instructions:

Local Storage: To clear local storage, open your browser's developer tools (F12 on most browsers), go to the Application or Storage tab, and delete the entries for this site. This will reset your theme, background, and other preferences to their defaults. Your workout data is stored in our database — it is not affected by clearing local storage.

7. Changes to This Policy

If we introduce new features that store additional cookies or local storage items, we will update this page to reflect those changes. The "Last Updated" date at the top of this page will always indicate when the policy was last revised.

8. Contact Us

If you have questions about the storage items listed above, please contact: