Cookie Policy
Last updated: February 18, 2026 β’ Effective Date: February 18, 2026
1. Introduction
This Cookie Policy explains how One Last AI ("we," "our," or "us") uses cookies and similar tracking technologies on our websites at onelastai.co and maula.dev, including all sub-applications (Canvas App, Canvas Studio, GenCraft Pro, and Maula Editor).
By using our website, you consent to our use of cookies in accordance with this policy and our Privacy Policy. You can manage your cookie preferences at any time.
Legal Framework: Our cookie practices comply with the , GDPR, , Thailand's Personal Data Protection Act (PDPA B.E. 2562), Singapore's Personal Data Protection Act 2012, and the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL).
2. What Are Cookies?
Cookies are small text files stored on your device when you visit a website. They help websites:
π Remember You
Store login status and preferences
π Analyze Usage
Track how visitors use the site
β‘ Improve Performance
Optimize loading times and functionality
π― Personalize Experience
Customize content and features
Cookie Types by Duration
Session Cookies
Temporary cookies deleted when you close your browser. Used for essential site functions.
Persistent Cookies
Remain on your device until expiration or manual deletion. Remember preferences between visits.
Cookie Types by Source
First-Party Cookies
Set by One Last AI directly. We have full control over these cookies.
Third-Party Cookies
Set by external services (e.g., Stripe for payment processing). We do not use third-party tracking cookies such as Google Analytics or Facebook Pixel.
3. Cookies We Use
3.1 Strictly Necessary Cookies
These cookies are essential for the website to function. We do not need your consent for these.
| Cookie Name | Purpose | Attributes | Duration |
|---|---|---|---|
| neural_link_session | Primary JWT authentication token | HTTP-only, Secure, SameSite=Lax | 7 days |
| neural_token | Backup authentication token | HTTP-only, Secure | Session |
| session_id / sessionId | Session linking for analytics & tracking | HTTP-only | Session |
| cookie_consent | Stores your cookie preferences | Standard | 1 year |
3.2 Performance & Analytics Cookies
Help us understand how visitors use our site. We need your consent for these.
Self-Hosted Analytics
We use our own self-hosted analytics system to track page views, visitor sessions, and performance metrics. We do not use Google Analytics, Facebook Pixel, or any third-party tracking tools.
| Data Collected | Purpose | Retention |
|---|---|---|
| Page views & URL paths | Understand which features are used | 1 year |
| Visitor sessions (via session_id cookie) | Group page views into sessions | 1 year |
| UTM parameters | Track marketing campaign effectiveness | 1 year |
| Device type & browser | Optimize for popular platforms | 1 year |
All analytics data is stored server-side in our PostgreSQL database. No data is sent to third-party analytics services.
AI Usage Metrics
We track AI tool usage for credit billing and service optimization. These are server-side metrics, not cookies.
| Metric | Purpose | Retention |
|---|---|---|
| Token counts & model used | Credit billing calculation | 2 years |
| Response latency | Performance optimization | 2 years |
3.3 Functional Cookies
Remember your preferences and provide enhanced features. Consent required.
| Cookie Name | Purpose | Duration |
|---|---|---|
| theme_preference | Remembers dark/light mode choice | 1 year |
| language | Stores preferred language | 1 year |
| agent_preferences | Saves favorite AI agents | 6 months |
| voice_settings | Remembers voice interaction preferences | 6 months |
4. Third-Party Services
We integrate the following third-party services that may set cookies or process data on our behalf:
β No Third-Party Tracking Cookies
We do not use Google Analytics, Facebook Pixel, or any third-party tracking/advertising cookies. All analytics are self-hosted.
Stripe (Payment Processing)
PCI DSS Level 1 compliant payment processor. Stripe may set its own cookies for fraud detection during checkout. Your card details never touch our servers.
Privacy Policy: stripe.com/privacy
AI Model Providers
All AI API calls are made through One Last AI's own platform API keys on your behalf β you never need accounts with any AI provider. Our AI providers process API requests server-to-server; they do not set cookies in your browser. Your prompts and code context are sent via encrypted API calls.
Providers: Anthropic (Claude), OpenAI (GPT-4o, TTS, DALLΒ·E), Google (Gemini), Mistral AI (Codestral), xAI (Grok), Groq (LLaMA), Cerebras (LLaMA), HuggingFace (open-source models), Ollama (local/self-hosted), fal.ai / Minimax (video generation), Azure AI Vision (image analysis).
Data protection: We do not sell, share, or license your data to any AI provider or third party. We do not use your data to train, fine-tune, or improve any AI model. No AI provider has access to your email, name, password, credentials, or payment information. Anthropic (our primary provider) and all API-tier providers do not use API request data for model training.
AWS S3 (File Storage)
Generated files (project archives, images, videos) are stored on AWS S3 with AES-256 server-side encryption (SSE-S3). Files are accessed via signed URLs with short expiration times; no cookies are set.
Deployment Platforms (User-Initiated)
When you deploy projects to Vercel, Netlify, GitHub, or AWS using your own credentials, those platforms set their own cookies governed by their policies. This is user-initiated and optional.
5. Local Storage & Client-Side Data
In addition to cookies, our sub-applications use browser localStorage to store non-sensitive preferences and session data. This data never leaves your browser and is not transmitted to our servers.
| Key | Application | Data Stored | Purpose |
|---|---|---|---|
| onelastai_user_id | All apps | UUID string | Link anonymous analytics |
| canvas_studio_usage | Canvas Studio | Usage counter | Track free-tier usage limit |
| canvas_studio_model | Canvas Studio | Model name string | Remember preferred AI model |
| canvas_studio_provider | Canvas Studio | Provider name string | Remember preferred AI provider |
| canvas_dark_mode | Canvas Studio | Boolean | Theme preference |
| gencraft_v4_history | GenCraft Pro | JSON array of past prompts | Prompt history for quick reuse |
| userEmail | All apps | Email string | Pre-fill login forms |
| auth_token | All apps | JWT string | Client-side auth state |
How to clear: You can clear localStorage at any time via your browser's Developer Tools (Application β Local Storage β Clear) or by clearing all site data in your browser settings. Clearing localStorage will reset your preferences but will not affect your server-side account data.
6. Regional Cookie Compliance
In addition to EU/EEA and California cookie regulations, the following regional data protection laws impose specific requirements on how cookies and similar technologies are used:
πΉπ Thailand β PDPA (B.E. 2562 / 2019)
Under Thailand's PDPA, cookies that collect personal data require a lawful basis. We rely on consent for non-essential cookies (analytics, functional) and legitimate interest / contract performance for strictly necessary cookies (authentication, security). Thai users may withdraw consent for non-essential cookies at any time via our cookie preference settings without affecting the lawfulness of prior processing.
Supervisory Authority: Personal Data Protection Committee (PDPC) β www.pdpc.or.th
πΈπ¬ Singapore β PDPA (2012, amended 2020)
Singapore's PDPA requires organizations to obtain consent before collecting personal data, including data collected via cookies. We provide clear notification of our cookie purposes and obtain consent for non-essential cookies. Singapore users may withdraw consent by adjusting cookie preferences. We comply with the PDPC's Advisory Guidelines on the PDPA for websites.
Supervisory Authority: Personal Data Protection Commission (PDPC) β www.pdpc.gov.sg
π¦πͺ United Arab Emirates β PDPL (Federal Decree-Law No. 45 of 2021)
The UAE PDPL requires that personal data processing (including via cookies) has a lawful basis. We rely on consent for non-essential cookies and contract performance / legitimate interest for strictly necessary cookies. UAE users may withdraw consent for non-essential cookies at any time. We ensure that any cookie-related data transfers outside the UAE comply with Article 22 cross-border transfer requirements.
Supervisory Authority: UAE Data Office β established under the Executive Regulations
7. Managing Your Cookie Preferences
7.1 Cookie Settings on Our Site
You can manage your cookie preferences at any time:
Adjust settings for analytics, functional, and other non-essential cookies
7.2 Browser Settings
Most browsers allow you to control cookies through settings:
Google Chrome
Settings β Privacy and Security β Cookies
Mozilla Firefox
Options β Privacy & Security β Cookies
Safari
Preferences β Privacy β Cookies
Microsoft Edge
Settings β Privacy β Cookies
7.3 Opt-Out Tools
- Do Not Track (DNT): Our platform does not currently respond to DNT browser signals, as there is no industry-wide standard for compliance.
- Global Privacy Control (GPC): Learn more
- Browser Settings: Use your browser's built-in cookie management to block or delete cookies (see Section 7.2 above)
Important: Blocking strictly necessary cookies may prevent you from using essential features of our platform, including login and account management.
8. Updates to This Policy
We may update this Cookie Policy from time to time to reflect changes in our practices or for legal compliance. Updates will be posted on this page with a new "Last Updated" date. Significant changes will be communicated via email or platform notification.
9. Contact Us About Cookies
Cookie Questions:
Privacy: privacy@onelastai.co
Data Protection Officer: dpo@onelastai.co
Support: support@onelastai.co
Websites: onelastai.co β’ maula.dev