clavitor/clavitor.ai/templates/cookies.tmpl


{{define "cookies"}}
<div class="hero container">
<p class="label mb-3">Legal</p>
<h1 class="mb-6">Cookie Policy</h1>
<p class="lead mb-8">Two cookies. Both strictly necessary. No tracking, no analytics, no third parties — ever.</p>
</div>
<hr class="divider">
<div class="section container">
<h2 class="mb-4">No banner. Here's why.</h2>
<p class="mb-4">EU law (ePrivacy Directive Art. 5(3) and GDPR) requires consent before storing or accessing information on a user's device <em>unless</em> that information is "strictly necessary for the provision of a service explicitly requested by the user." Session cookies, authentication cookies, and CSRF security cookies are explicitly named in the exemption.</p>
<p class="mb-6">Clavitor uses exactly two cookies. Both are strictly necessary. Both are exempt from the consent requirement. There is nothing to consent to, so we do not show a banner asking for consent — that would be misleading.</p>
<h2 class="mb-4">The two cookies</h2>
<table class="data-table mb-8">
<thead>
<tr><th>Name</th><th>Lifetime</th><th>Purpose</th><th>Flags</th></tr>
</thead>
<tbody>
<tr>
<td><code>clv_onb</code></td>
<td>1 hour</td>
<td>Carries your in-progress signup state across the three onboarding pages (signup &rarr; profile &rarr; plan). Without this cookie, the form on page 2 would have no way to know which signup page 1 started. The value is HMAC-signed, so a forged or edited cookie is rejected rather than trusted; only we hold the signing key.</td>
<td><code>HttpOnly</code><br><code>Secure</code><br><code>SameSite=Lax</code></td>
</tr>
<tr>
<td><code>clv_oauth_state_*</code></td>
<td>10 minutes</td>
<td>One per provider (Google, Apple, Meta) when you click a social sign-in button. Holds a random CSRF nonce that the OAuth callback verifies before exchanging the code &mdash; the standard defence against CSRF attacks on OAuth flows. Deleted the moment the callback completes.</td>
<td><code>HttpOnly</code><br><code>Secure</code><br><code>SameSite=Lax</code></td>
</tr>
</tbody>
</table>
<h2 class="mb-4">Why these are strictly necessary</h2>
<p class="mb-4"><strong><code>clv_onb</code></strong> is required to provide the signup feature you explicitly requested by clicking "Get started". Without it, the multi-step form cannot remember which account you're creating. There is no functional alternative.</p>
<p class="mb-6"><strong><code>clv_oauth_state_*</code></strong> is a security cookie required to safely complete a social sign-in. Without it, your OAuth callback could be hijacked by a CSRF attack. The exemption explicitly covers "user-input cookies" and security cookies of this kind (see WP29 Opinion 04/2012, EDPB Guidelines 03/2022).</p>
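<p class="mb-4">As an added illustration (example code, not Clavitor's own implementation), the two cookies described above can be issued and checked with Go's standard library alone: <code>clv_onb</code> carries an HMAC-SHA256-signed payload that the next onboarding page verifies before trusting it, and <code>clv_oauth_state_*</code> holds a random nonce that the callback compares in constant time before exchanging the code, then expires. Both are set with the <code>HttpOnly</code>, <code>Secure</code> and <code>SameSite=Lax</code> flags from the table. The signing key, the payload format, the provider naming and all function names are assumptions made for this example.</p>

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"net/http"
	"strings"
	"time"
)

// Constructed example key: a real deployment loads this from configuration.
var onboardingKey = []byte("example-onboarding-key-not-for-production")

// signValue returns payload + "." + base64url(HMAC-SHA256(key, payload)).
func signValue(key []byte, payload string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(payload))
	return payload + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// verifyValue splits the signed value and checks the tag in constant time,
// so a forged or edited payload is rejected instead of trusted.
func verifyValue(key []byte, signed string) (string, error) {
	i := strings.LastIndexByte(signed, '.')
	if i < 0 {
		return "", errors.New("malformed cookie value")
	}
	payload, tag := signed[:i], signed[i+1:]
	want, err := base64.RawURLEncoding.DecodeString(tag)
	if err != nil {
		return "", errors.New("malformed signature")
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(payload))
	if !hmac.Equal(mac.Sum(nil), want) {
		return "", errors.New("bad signature")
	}
	return payload, nil
}

// strictCookie applies the flags from the table: HttpOnly, Secure, SameSite=Lax.
// A negative maxAge tells the browser to delete the cookie immediately.
func strictCookie(name, value string, maxAge time.Duration) *http.Cookie {
	return &http.Cookie{
		Name: name, Value: value, Path: "/",
		MaxAge:   int(maxAge.Seconds()),
		HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode,
	}
}

// SetOnboardingCookie stores signed signup state in clv_onb for one hour.
func SetOnboardingCookie(w http.ResponseWriter, state string) {
	http.SetCookie(w, strictCookie("clv_onb", signValue(onboardingKey, state), time.Hour))
}

// ReadOnboardingCookie returns the signup state, or an error if the cookie is
// missing or its signature does not verify (the caller restarts at step 1).
func ReadOnboardingCookie(r *http.Request) (string, error) {
	c, err := r.Cookie("clv_onb")
	if err != nil {
		return "", err
	}
	return verifyValue(onboardingKey, c.Value)
}

// NewOAuthState issues a random nonce, stores it in clv_oauth_state_<provider>
// for ten minutes, and returns it for the state parameter of the authorize URL.
func NewOAuthState(w http.ResponseWriter, provider string) (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	state := base64.RawURLEncoding.EncodeToString(buf)
	http.SetCookie(w, strictCookie("clv_oauth_state_"+provider, state, 10*time.Minute))
	return state, nil
}

// VerifyOAuthState compares the callback's state parameter with the cookie in
// constant time and deletes the cookie whether or not the check passed.
// The authorization code must only be exchanged when this returns nil.
func VerifyOAuthState(w http.ResponseWriter, r *http.Request, provider string) error {
	name := "clv_oauth_state_" + provider
	http.SetCookie(w, strictCookie(name, "", -time.Second))
	c, err := r.Cookie(name)
	if err != nil {
		return errors.New("missing oauth state cookie")
	}
	got := r.URL.Query().Get("state")
	if got == "" || subtle.ConstantTimeCompare([]byte(got), []byte(c.Value)) != 1 {
		return errors.New("oauth state mismatch")
	}
	return nil
}
```

<p class="mb-6">A signup handler calls <code>SetOnboardingCookie</code> after step 1 and <code>ReadOnboardingCookie</code> at the start of steps 2 and 3; a social sign-in button handler calls <code>NewOAuthState</code> and puts the returned value in the provider's authorize URL, and the callback calls <code>VerifyOAuthState</code> before touching the <code>code</code> parameter. Deleting the state cookie unconditionally is what makes the nonce single-use, and the constant-time comparison avoids leaking how many leading characters matched.</p>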
<h2 class="mb-4">What we do NOT use</h2>
<div class="card alt mb-6">
<ul class="mb-0">
<li><strong>Analytics:</strong> No Google Analytics, Plausible, Fathom, or self-hosted analytics. Zero.</li>
<li><strong>Marketing pixels:</strong> No Meta Pixel, no LinkedIn Insight, no retargeting.</li>
<li><strong>Third-party scripts:</strong> No CDN-hosted libraries. No Google Fonts (we self-host the woff2 files).</li>
<li><strong>Local storage / IndexedDB / sessionStorage:</strong> none. EU law treats these the same as cookies, and we use none of them.</li>
<li><strong>Fingerprinting:</strong> none.</li>
<li><strong>"Remember me" cookies:</strong> none. Future authentication will use WebAuthn passkeys, which your browser stores separately from cookies.</li>
</ul>
</div>
<h2 class="mb-4">How to control them</h2>
<p class="mb-4">Both cookies are deleted automatically &mdash; <code>clv_oauth_state_*</code> after the OAuth callback, <code>clv_onb</code> after one hour or when you finish signup. You can delete them manually any time through your browser's cookie settings:</p>
<ul class="mb-6">
<li><strong>Chrome / Edge / Brave:</strong> Settings &rarr; Privacy and security &rarr; Cookies and other site data</li>
<li><strong>Firefox:</strong> Settings &rarr; Privacy &amp; Security &rarr; Cookies and Site Data</li>
<li><strong>Safari:</strong> Preferences &rarr; Privacy &rarr; Cookies and website data</li>
</ul>
<p class="mb-6 text-secondary"><strong>Note:</strong> Blocking <code>clv_onb</code> mid-signup will reset you to step 1. Blocking <code>clv_oauth_state_*</code> will prevent social sign-in from completing.</p>
<h2 class="mb-4">Changes to this policy</h2>
<p class="mb-4">If we ever add a third cookie, we will update this page and the privacy policy. We will not add tracking or analytics cookies, ever &mdash; that's a brand commitment, not just a legal one.</p>
<p class="text-sm text-tertiary">Last updated: April 2026</p>
</div>
{{end}}