# Cookie Policy
Last updated 2026-05-05
This page mirrors docs/COOKIE_POLICY.md — the canonical, counsel-reviewable version.
## What is a cookie?
A cookie is a small piece of text a website stores in your browser. We also use localStorage and sessionStorage. For ePrivacy purposes, these all count as "information stored on the user's terminal equipment" and follow the same consent rules.
## Cookies + storage we use
| Name | Category | Purpose | Lifespan |
|---|---|---|---|
| cortex_session | Strictly necessary | JWT access token (httpOnly, Secure, SameSite=Lax) | 30 minutes |
| cortex_refresh | Strictly necessary | Refresh token (path=/api/auth) | 30 days |
| csrf_state | Strictly necessary | OAuth/CSRF protection | ~10 min/flow |
| cortex_consent | Strictly necessary | Stores your consent choice (localStorage) | Until cleared |
| cortex_theme | Strictly necessary | Light/dark/system theme preference | Until cleared |
| cortex_onboarded | Strictly necessary | Onboarding-tour completion flag | Until cleared |
| cortex_active_thread | Strictly necessary | Last active chat thread ID for resumption | Until cleared |
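The table above is a promise about cookie attributes that a deployment can be checked against. The following JavaScript (Node) audit is an added example, not code from Cortex or from this policy: it parses `Set-Cookie` header values and compares each named cookie with the attributes the table states. Only the cookie names, `HttpOnly`/`Secure`/`SameSite=Lax` for `cortex_session`, `path=/api/auth` for `cortex_refresh`, and the lifespans come from the table; the `HttpOnly`/`Secure` expectation for the refresh and CSRF cookies, the use of `Max-Age` rather than `Expires` to express lifespan, and the sample headers are assumptions constructed for the example.

```javascript
// Added example: audit Set-Cookie headers against the attributes the policy
// table promises. Not Cortex's own code. Expectations marked ASSUMED go
// beyond what the table states.

const COOKIE_EXPECTATIONS = {
  // Table: JWT access token (HttpOnly, Secure, SameSite=Lax), 30 minutes.
  cortex_session: { httpOnly: true, secure: true, sameSite: "lax", maxAgeSeconds: 30 * 60 },
  // Table: refresh token, path=/api/auth, 30 days. HttpOnly/Secure/SameSite ASSUMED.
  cortex_refresh: { httpOnly: true, secure: true, sameSite: "lax", path: "/api/auth", maxAgeSeconds: 30 * 24 * 60 * 60 },
  // Table: OAuth/CSRF protection, ~10 min per flow. HttpOnly/Secure ASSUMED.
  csrf_state: { httpOnly: true, secure: true, maxAgeSeconds: 10 * 60 },
};

// Parse one Set-Cookie header value into name, value and lower-cased attributes.
// Attribute names are matched case-insensitively, as browsers do.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? "" : pair.slice(eq + 1);
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// Compare one header against the expectations; returns { name, ok, problems }.
function checkSetCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const want = COOKIE_EXPECTATIONS[name];
  if (!want) return { name, ok: false, problems: ["cookie name not listed in the policy table"] };
  const problems = [];
  if (want.httpOnly && attrs.httponly !== true) problems.push("missing HttpOnly");
  if (want.secure && attrs.secure !== true) problems.push("missing Secure");
  if (want.sameSite && String(attrs.samesite ?? "").toLowerCase() !== want.sameSite) {
    problems.push(`SameSite is not ${want.sameSite}`);
  }
  if (want.path && attrs.path !== want.path) problems.push(`Path is not ${want.path}`);
  // ASSUMED: lifespan is expressed with Max-Age; an Expires date would need the same bound.
  const maxAge = Number(attrs["max-age"]);
  if (!Number.isFinite(maxAge)) problems.push("missing Max-Age");
  else if (maxAge > want.maxAgeSeconds) {
    problems.push(`Max-Age ${maxAge}s exceeds policy lifespan ${want.maxAgeSeconds}s`);
  }
  return { name, ok: problems.length === 0, problems };
}

// Constructed sample headers (not captured traffic). The second one is
// deliberately wrong: Path is too broad and HttpOnly is missing.
const SAMPLE_HEADERS = [
  "cortex_session=eyJhbGciOi...; Path=/; Max-Age=1800; HttpOnly; Secure; SameSite=Lax",
  "cortex_refresh=r1; Path=/; Max-Age=2592000; Secure; SameSite=Lax",
  "csrf_state=abc; Path=/; Max-Age=600; HttpOnly; Secure; SameSite=Lax",
];

// Audit a list of header values; defaults to the constructed samples.
function auditHeaders(headers = SAMPLE_HEADERS) {
  return headers.map(checkSetCookie);
}

console.log(JSON.stringify(auditHeaders(), null, 2));
```

In a real check the header values would come from an HTTP client's response (`response.headers.getSetCookie()` in recent Node versions) rather than from the constructed list, and the audit would run as part of a deployment smoke test so a regression in cookie flags is caught before it reaches users.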
## What we do NOT use
- No third-party cookies
- No analytics cookies (no Google Analytics, Hotjar, Plausible, Amplitude, Mixpanel, Segment, Heap)
- No advertising/retargeting/fingerprinting cookies (no Meta Pixel, Google Ads, LinkedIn Insight, TikTok Pixel)
- No affiliate-tracker cookies
Web Vitals diagnostic data is sent via navigator.sendBeacon to our own backend without setting a cookie and contains no user identifier.
## Your choices
The cookie consent banner appears on your first visit. It offers three equal-weight options: Reject all, Accept all, and Customize. Today, Reject and Accept do the same thing because we have no analytics or marketing cookies — but the choice you make now will apply to any future categories we add.
## "Do Not Sell or Share My Personal Information" (CCPA)
Cortex does not sell or share personal information as defined under the California Consumer Privacy Act (CCPA / CPRA). There is no sale or share to opt out of.
## Global Privacy Control (GPC)
We honour the Global Privacy Control signal as a valid opt-out request from analytics and marketing processing. When your browser sends GPC, the consent banner records a Reject-All choice automatically without showing the prompt.
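The banner behaviour in "Your choices" and the GPC handling above amount to a small decision procedure: an explicit stored choice is reused, a `navigator.globalPrivacyControl` signal is recorded as Reject-All without a prompt, and otherwise the banner is shown. The JavaScript below is an added example of that procedure, not Cortex's own consent code. Only the `cortex_consent` localStorage key and the three choices come from this page; the record layout, the `analytics`/`marketing` category names (placeholders for future categories, since none are used today), the `source` field, the rule that a prior explicit choice is kept when GPC appears later, and the in-memory storage stand-in are assumptions. `nav` and `storage` are injected so the logic runs outside a browser; in a page you would pass `navigator` and `window.localStorage`.

```javascript
// Added example (not Cortex's own code): initial consent decision for the
// cortex_consent localStorage key, honouring Global Privacy Control as a
// Reject-All choice. Record shape, category names and the "source" field
// are assumptions; the browser spec only defines navigator.globalPrivacyControl.

const CONSENT_KEY = "cortex_consent";
// Optional categories a future version could add; the policy uses none today (ASSUMED names).
const OPTIONAL_CATEGORIES = ["analytics", "marketing"];

function buildRecord(choice, source, categories, timestamp) {
  return { version: 1, choice, source, timestamp, categories };
}

// Map a banner choice to per-category grants. Anything not explicitly
// granted under "customize" stays off, so the default is always deny.
function categoriesFor(choice, custom = {}) {
  const all = (granted) => Object.fromEntries(OPTIONAL_CATEGORIES.map((c) => [c, granted]));
  if (choice === "accept_all") return all(true);
  if (choice === "reject_all") return all(false);
  return Object.fromEntries(OPTIONAL_CATEGORIES.map((c) => [c, custom[c] === true]));
}

// Read the stored record; a missing or corrupt value counts as "no choice yet".
function readRecord(storage) {
  try {
    const raw = storage.getItem(CONSENT_KEY);
    const record = raw ? JSON.parse(raw) : null;
    return record && typeof record.categories === "object" ? record : null;
  } catch {
    return null;
  }
}

// Decide what to do on page load. Returns { record, showBanner }.
function initConsent({ nav, storage, now = () => new Date().toISOString() }) {
  const existing = readRecord(storage);
  // ASSUMED: an explicit earlier choice is kept; GPC only fills a missing one.
  if (existing) return { record: existing, showBanner: false };
  if (nav.globalPrivacyControl === true) {
    const record = buildRecord("reject_all", "gpc", categoriesFor("reject_all"), now());
    storage.setItem(CONSENT_KEY, JSON.stringify(record));
    return { record, showBanner: false };
  }
  return { record: null, showBanner: true };
}

// Persist a choice made in the banner (Reject all, Accept all, Customize).
function recordBannerChoice({ storage, choice, custom = {}, now = () => new Date().toISOString() }) {
  const record = buildRecord(choice, "banner", categoriesFor(choice, custom), now());
  storage.setItem(CONSENT_KEY, JSON.stringify(record));
  return record;
}

// Gate for any future optional script: load only with an explicit grant.
function isAllowed(storage, category) {
  const record = readRecord(storage);
  return record !== null && record.categories[category] === true;
}

// Minimal in-memory stand-in for window.localStorage (constructed for the example).
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Stand-alone demonstration with a GPC-enabled browser stand-in.
const demoStorage = memoryStorage();
console.log(initConsent({ nav: { globalPrivacyControl: true }, storage: demoStorage }));
console.log("analytics allowed:", isAllowed(demoStorage, "analytics"));
```

Keeping the grant check (`isAllowed`) separate from the banner lets any future analytics or marketing loader ask one question before injecting a script, and the default-deny handling of corrupt or missing records means a damaged `cortex_consent` value never silently turns into a grant.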
## Sub-processor cookies
When you sign in via WorkOS, WorkOS may set cookies on its own domains during the OAuth flow. When you go to Stripe Checkout for billing, Stripe sets cookies on its own domains. Those cookies are governed by WorkOS's Privacy Policy and Stripe's Privacy Policy respectively.
## Contact
Cookie or privacy questions: privacy@loftbrain.ai.