Hi Matt (and David!)
The policy you’re looking for is at https://anvil.works/privacy, which we’ve tried to keep as clear and comprehensible as we can. It tells you what we do with your data (as an application developer), and your app users’ data. If we have to change it, you’ll get notified (as described on that page).
To answer your particular question, we do not store [non-session] cookies on your app visitors’ computers unless you use anvil.server.set_cookie() (or by enabling the “Remember Me” checkbox in the Users service - both of which count as explicit instructions from the Data Controller [you] to the Data Processor [us]).
Of course, if you want to store personal information about your users, or track them, you’re going to need to have a lawful basis for doing that, just like any other data controller.
Hope that helps clear things up 