Cookie Policy
Three cookies. All strictly necessary. No tracking, no analytics, no third parties — ever.
Last updated: May 25, 2026
EU law (ePrivacy Directive Art. 5(3) and GDPR) requires consent before storing or accessing information on a user's device unless that information is "strictly necessary for the provision of a service explicitly requested by the user." Session cookies, authentication cookies, and CSRF security cookies are explicitly named in the exemption.
Clavitor uses exactly three cookies. All are strictly necessary. All are exempt from the consent requirement. There is nothing to consent to, so we do not show a banner asking for consent — that would be misleading.
| Name | Lifetime | Purpose | Flags |
|---|---|---|---|
| clv_onb | 8 hours | Carries your session — both during signup (across the multi-step checkout) and after you sign in at /account to manage your subscription. HMAC-signed; cannot be forged or modified. Closing your browser ends the session. | HttpOnly, Secure, SameSite=Lax |
| clv_oauth_state_* | 10 minutes | Set when you click Google sign-in. Holds a random CSRF nonce that the OAuth callback verifies — the standard defence against CSRF attacks on OAuth flows. Deleted when the callback completes. | HttpOnly, Secure, SameSite=Lax |
| clv_prefs | 1 year | Remembers your language and country preferences when you select them from the navigation or pricing page. | HttpOnly, Secure, SameSite=Lax |
clv_onb is required to provide the signup and account-management features you explicitly requested. Without it, the multi-step signup cannot remember which account you're creating, and /account cannot tell that you just verified your email. The cookie holds only what's needed to continue your session — no tracking identifiers, no behavioural data. There is no functional alternative.
clv_oauth_state_* is a security cookie required to safely complete a social sign-in. Without it, your OAuth callback could be hijacked by a CSRF attack. The exemption explicitly covers "user-input cookies" and security cookies of this kind (see WP29 Opinion 04/2012, EDPB Guidelines 03/2022).
clv_prefs remembers the language and country you selected. Without it, every page load would fall back to your browser's Accept-Language header for language and IP geolocation for pricing currency, ignoring your explicit choices. This is a "user-input cookie" — it stores preferences you explicitly set.
- Analytics: No Google Analytics, Plausible, Fathom, or other analytics. Zero.
- Marketing pixels: No Meta Pixel, no LinkedIn Insight, no retargeting.
- Third-party scripts: No CDN-hosted libraries. No Google Fonts (we self-host the woff2 files).
- Local storage / IndexedDB / sessionStorage: none. EU law treats these the same as cookies, and we use none of them.
- Fingerprinting: none.
- "Remember me" cookies: none. Future authentication will use your fingerprint, face, or security key, which your browser stores separately from cookies.
All cookies are deleted automatically — clv_oauth_state_* after the OAuth callback, clv_onb after 8 hours or when you sign out at /account. You can delete them manually any time through your browser's cookie settings:
- Chrome / Edge / Brave: Settings, Privacy and security, Cookies and other site data
- Firefox: Settings, Privacy & Security, Cookies and Site Data
- Safari: Preferences, Privacy, Cookies and website data
Note: Blocking clv_onb mid-signup will reset you to step 1 and prevent /account from staying signed in. Blocking clv_oauth_state_* will prevent social sign-in from completing.
If we ever add another cookie, we will update this page and the privacy policy. We will not add tracking or analytics cookies, ever — that's a brand commitment, not just a legal one.