Cookie Policy
Cookie Policy
Effective: May 1, 2026 · Version: 2026.05.01-1
This Cookie Policy explains how OfiFlow uses cookies and similar tracking technologies on ofiflow.com and the OfiFlow dashboard (the "Sites"). It supplements our Privacy Policy at /privacy.
If you have questions, email legal@ofiflow.com.
1. What is a cookie?
A cookie is a small text file stored on your device when you visit a website. Cookies allow the site to recognize your device, remember your preferences, and provide a personalized experience.
We also use localStorage (a similar browser-storage mechanism) for some preferences. For simplicity, this Policy refers to both as "cookies."
2. Categories of cookies we use
OfiFlow uses two categories of cookies:
Essential cookies (always on)
These cookies are required for the Sites to function. You cannot disable them via our cookie banner, but you can disable cookies entirely in your browser (which may break the Sites).
| Cookie | Purpose | Duration | Provider |
|---|---|---|---|
sb-access-token |
Authentication session for the OfiFlow dashboard | Session (cleared on logout) | Supabase Auth |
sb-refresh-token |
Token refresh for authenticated dashboard sessions | 30 days from last login | Supabase Auth |
csrf-token |
Cross-site request forgery protection | Session | OfiFlow |
ofiflow_cookie_consent_v1 |
Stores your cookie-consent choice | 365 days | OfiFlow (localStorage) |
Analytics (cookieless — no consent required)
We use Vercel Analytics for anonymous Web Vitals + page-view telemetry. Vercel Analytics is cookieless — it does not set browser cookies and does not require consent under ePrivacy regimes. We do not use any analytics or advertising cookies.
(Previously this section listed ph_*_posthog analytics cookies. PostHog was retired 2026-04-29 per ADR-019 amendment; Vercel Analytics, bundled with our Vercel Pro plan, replaces it without requiring cookies.)
We do not use:
- Advertising cookies
- Cross-context behavioral advertising trackers
- Third-party advertising SDKs (Google Ads, Meta Pixel, etc.)
- Session replay tools
- Heatmap or visitor-recording tools
3. Your choices
OfiFlow sets only essential cookies, and our analytics (Vercel Analytics) is cookieless, so there are no optional or analytics cookies to consent to. When you first visit ofiflow.com, a brief banner notifies you that only essential cookies are used; dismissing it ("Got it") records that you have seen the notice.
You can also disable cookies in your browser settings. Note that disabling essential cookies will break authentication and the dashboard will not function.
Browser-level controls
- Chrome: Settings → Privacy and security → Cookies and other site data
- Safari: Preferences → Privacy → Manage Website Data
- Firefox: Preferences → Privacy & Security → Cookies and Site Data
- Edge: Settings → Cookies and site permissions → Cookies and site data
Do Not Track
We honor browser "Do Not Track" signals where reasonably practical. Because our analytics is cookieless and we set no analytics or advertising cookies, there is no cross-site tracking to disable; a Do Not Track signal does not change what we collect.
4. Updates to this Policy
We will update this Policy if we add, change, or remove cookies. The "Effective" date and "Version" at the top reflect the most recent update. For material changes, we will re-prompt you via the cookie banner.
5. Contact
Questions about cookies: legal@ofiflow.com
6. Related documents
- Privacy Policy — /privacy
- Terms of Service — /terms
- Subprocessor List — /subprocessors (Vercel covers our analytics processing under the same Vercel DPA as our hosting subprocessor)