Last updated: July 3, 2026
1. What we mean by “cookie”
This policy covers all small pieces of data we store in your browser to run the Service — cookies proper, but also localStorage and sessionStorage. Under GDPR + the ePrivacy Directive the same consent rules apply to all three, so we treat them the same here.
2. Categories
We split what we store into three categories:
- Strictly necessary— auth session, workspace choice, CSRF token, and the record of your cookie-consent choice. Always on; the site can’t work without them. Legal basis: legitimate interest / contract necessity — no consent required under GDPR + ePrivacy.
- Analytics — anonymised product analytics via PostHog (US Cloud). Cookieless mode by default: PostHog runs without any persistent identifier. Loaded ONLY after you accept this category. Legal basis: consent.
- Marketing— reserved for future ad-attribution pixels. Currently unused. If we ever enable this we’ll update this policy 30 days before it takes effect. Legal basis: consent.
3. What we store
| Name | Purpose | Category | Retention |
|---|---|---|---|
| octonity.auth-token | JWT access token that keeps you signed in to app.octonity.com | Necessary | Session + refresh |
| octonity.refresh-token | Rotates the auth token silently in the background | Necessary | 30 days |
| octonity.cookie-consent.v1 | Remembers your choice from the banner so we don’t re-ask | Necessary | Until you clear browser storage |
| octonity.tenant-slug | Which workspace you last opened, so we route you there on next visit | Necessary | 6 months |
| ph_… (PostHog) | Product analytics — event batching + memory-persistence session id (no cookie unless you opt in) | Analytics | Session (memory only) |
| ARRAffinity / ARRAffinitySameSite | Load-balancer session affinity set by Azure App Service | Necessary | Session |
Stripe’s Checkout page (used only when you subscribe or purchase a template) sets its own cookies under stripe.com — see Stripe’s cookie policy. We don’t receive or store those cookies.
4. Changing your mind
You can revoke your consent at any time — clear the site’s storage from your browser and reload; the banner will reappear. We’re building a “Cookie preferences” link in the app footer that opens the banner directly; until then the clear-and-reload path is the reliable way.
5. Do Not Track
We respect the deprecated DNT browser header when set: if DNT: 1 is present we treat it as an analytics-opt-out even if the banner was previously accepted.
6. Changes
We’ll update this page whenever we add or remove a cookie category. Material changes get a 30-day heads-up by email to workspace admins.
7. Contact
Questions about cookies? Email privacy@octonity.com.
