Last updated: 5 May 2026
This Cookie Policy explains how Pental Limited (we, us, Pental) uses cookies and similar storage technologies on the marketing site at pental.io and on customer portals hosted on the Platform. Read this alongside our Privacy Policy. This policy is written to comply with the UK Privacy and Electronic Communications Regulations 2003 (PECR), the UK and EU GDPR, and the EU ePrivacy Directive.
Cookies are small text files placed on your device by websites you visit. They allow a site to remember actions and preferences (such as login state, theme, or language) over time so you do not have to re-enter them on every page. Similar technologies include:
Local storage — a browser API that lets a site store a larger amount of data than cookies. Used to keep you signed in.
Session storage — short-term per-tab storage that disappears when the tab is closed.
IndexedDB — used by some libraries we depend on (notably Supabase auth) to keep refresh tokens and offline state.
We do not use any analytics, advertising, social media, or behavioural tracking cookies. We do not run Google Analytics, Facebook Pixel, LinkedIn Insight, or any equivalent. We do not have a cookie banner because the only cookies and storage we set are strictly necessary or used for security on forms.
The categories below are the only ones we use:
These are essential to operate the Platform and the marketing site. They cannot be turned off through a cookie banner because the site does not function without them. Legal basis: not subject to consent under PECR (strictly necessary for a service explicitly requested by you).
sb-*-auth-token (local storage / IndexedDB) — your authenticated session for the portal. Set by Supabase. Cleared on sign-out or expiry.
pental_* session keys (local storage) — short-lived state during login (e.g. the current login email, MFA challenge, OAuth state). Cleared when login completes or after a few minutes.
theme (local storage) — your light/dark mode preference. Persists until you change it.
__Host-pental-csrf (cookie) — CSRF token used during OAuth login flows. Lifetime: session.
__Host-pental-session (cookie, where applicable) — server-side session reference. Lifetime: up to 30 days.
We use Google reCAPTCHA v3 to protect our login and contact forms from automated abuse. reCAPTCHA may set the cookie _GRECAPTCHA and may execute JavaScript that uses local storage to compute a risk score. Legal basis: legitimate interests (fraud and abuse prevention). Cookies set by Google are subject to Google's privacy policy.
When you interact with payment forms or the Stripe-hosted billing portal, Stripe may set cookies (such as __stripe_mid and __stripe_sid) to detect fraudulent payment activity. These are only set when you actively engage with billing features. Legal basis: legitimate interests (payment security and fraud prevention) and contractual necessity (processing your payment).
Each customer portal (whether on a Pental subdomain or a customer's own custom domain) uses the same categories of cookies and storage as described above. Portal authentication tokens, theme preferences, and session state are stored in your browser's local storage and IndexedDB scoped to that portal's domain. If a Pental customer (a penetration testing firm) configures their own SMTP provider for emails sent from their portal, no additional cookies are introduced; the SMTP integration is server-side only.
We do not use, and have not implemented, any of the following:
Analytics or product telemetry cookies (no Google Analytics, Plausible, Mixpanel, Segment, Posthog, etc.).
Advertising or remarketing cookies (no Google Ads, Meta Pixel, LinkedIn Insight, etc.).
Social media share buttons that load third-party scripts.
Cross-site tracking pixels.
Cookies used to profile you for behavioural advertising or to build interest segments.
Pental does not participate in advertising networks or sell data derived from cookies.
Most browsers allow you to view, manage, block, or delete cookies and clear local storage through the browser settings menu. Useful guides:
Chrome: Settings → Privacy and security → Cookies and other site data.
Firefox: Settings → Privacy and Security → Cookies and Site Data.
Safari: Preferences → Privacy → Manage Website Data.
Edge: Settings → Cookies and site permissions → Cookies and site data.
If you block or clear strictly-necessary storage, the Platform will not be able to keep you signed in. The marketing site at pental.io will still function for browsing, but features that require login (subscription management, the customer portal) will not.
You can additionally enable Do Not Track or Global Privacy Control in your browser. We do not use cross-site tracking, so these signals do not change our behaviour, but we honour the equivalent objection rights described in our Privacy Policy regardless.
We may update this Cookie Policy when we add, remove, or change cookies or similar technologies. The "Last updated" date at the top of this page reflects the current revision. Material changes will be communicated to subscribed customers by email.
For questions about our use of cookies, contact us at hello@pental.io.