Octonity
Legal

Cookie Policy

A per-cookie breakdown of what we store in your browser, why, and how long. Companion to the banner you saw on first visit.

Last updated: July 3, 2026

1. What we mean by “cookie”

This policy covers all small pieces of data we store in your browser to run the Service — cookies proper, but also localStorage and sessionStorage. Under GDPR + the ePrivacy Directive the same consent rules apply to all three, so we treat them the same here.

2. Categories

We split what we store into three categories:

  • Strictly necessary— auth session, workspace choice, CSRF token, and the record of your cookie-consent choice. Always on; the site can’t work without them. Legal basis: legitimate interest / contract necessity — no consent required under GDPR + ePrivacy.
  • Analytics — anonymised product analytics via PostHog (US Cloud). Cookieless mode by default: PostHog runs without any persistent identifier. Loaded ONLY after you accept this category. Legal basis: consent.
  • Marketing— reserved for future ad-attribution pixels. Currently unused. If we ever enable this we’ll update this policy 30 days before it takes effect. Legal basis: consent.

3. What we store

NamePurposeCategoryRetention
octonity.auth-tokenJWT access token that keeps you signed in to app.octonity.comNecessarySession + refresh
octonity.refresh-tokenRotates the auth token silently in the backgroundNecessary30 days
octonity.cookie-consent.v1Remembers your choice from the banner so we don’t re-askNecessaryUntil you clear browser storage
octonity.tenant-slugWhich workspace you last opened, so we route you there on next visitNecessary6 months
ph_… (PostHog)Product analytics — event batching + memory-persistence session id (no cookie unless you opt in)AnalyticsSession (memory only)
ARRAffinity / ARRAffinitySameSiteLoad-balancer session affinity set by Azure App ServiceNecessarySession

Stripe’s Checkout page (used only when you subscribe or purchase a template) sets its own cookies under stripe.com — see Stripe’s cookie policy. We don’t receive or store those cookies.

4. Changing your mind

You can revoke your consent at any time — clear the site’s storage from your browser and reload; the banner will reappear. We’re building a “Cookie preferences” link in the app footer that opens the banner directly; until then the clear-and-reload path is the reliable way.

5. Do Not Track

We respect the deprecated DNT browser header when set: if DNT: 1 is present we treat it as an analytics-opt-out even if the banner was previously accepted.

6. Changes

We’ll update this page whenever we add or remove a cookie category. Material changes get a 30-day heads-up by email to workspace admins.

7. Contact

Questions about cookies? Email privacy@octonity.com.