Cookie Policy

Two cookies. Both strictly necessary. No tracking, no analytics, no third parties — ever.


No banner. Here's why.

EU law (ePrivacy Directive Art. 5(3) and GDPR) requires consent before storing or accessing information on a user's device unless that information is "strictly necessary for the provision of a service explicitly requested by the user." Session cookies, authentication cookies, and CSRF security cookies are explicitly named in the exemption.

Clavitor uses exactly two cookies. Both are strictly necessary. Both are exempt from the consent requirement. There is nothing to consent to, so we do not show a banner asking for consent — that would be misleading.

The two cookies

Name: clv_onb
Lifetime: 1 hour
Purpose: Carries your in-progress signup state across the three onboarding pages (signup → profile → plan). Without this cookie, the form on page 2 would have no way of knowing which account page 1 started creating. The value is HMAC-signed so it cannot be forged or modified by anyone but us.
Flags: HttpOnly, Secure, SameSite=Lax

Name: clv_oauth_state_*
Lifetime: 10 minutes
Purpose: One per provider (Google, Apple, Meta), set when you click a social sign-in button. Holds a random CSRF nonce that the OAuth callback verifies before exchanging the code — the standard defence against CSRF attacks on OAuth flows. Deleted the moment the callback completes.
Flags: HttpOnly, Secure, SameSite=Lax

Why these are strictly necessary

clv_onb is required to provide the signup feature you explicitly requested by clicking "Get started". Without it, the multi-step form cannot remember which account you're creating. There is no functional alternative.

clv_oauth_state_* is a security cookie required to safely complete a social sign-in. Without it, your OAuth callback could be hijacked by a CSRF attack. The exemption explicitly covers "user-input cookies" and security cookies of this kind (see WP29 Opinion 04/2012, EDPB Guidelines 03/2022).
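The two mechanisms described above (an HMAC-signed onboarding cookie and a per-provider OAuth state cookie checked at the callback) sketched in Python. This is an added illustration, not Clavitor's code: the key, the value layout, the 32-byte nonce size and every function name are assumptions.

```python
"""Sketch of the two cookie mechanisms the policy describes (added example, not Clavitor's code)."""
import base64
import hashlib
import hmac
import json
import secrets

SERVER_KEY = b"constructed-demo-key-do-not-reuse"  # assumption: a real key lives in a secret store

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_onboarding(state: dict) -> str:
    """clv_onb value: base64(json) + '.' + base64(HMAC-SHA256 over the body)."""
    body = _b64(json.dumps(state, sort_keys=True).encode())
    tag = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"

def verify_onboarding(cookie: str):
    """Return the signup state, or None if the tag is missing, malformed or wrong."""
    body, _, tag = cookie.rpartition(".")
    if not body or not tag:
        return None
    try:
        expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(tag)):  # constant-time compare
            return None
        return json.loads(_unb64(body))
    except ValueError:  # bad base64 or bad JSON means a forged or corrupted cookie
        return None

def set_cookie(name: str, value: str, max_age: int) -> str:
    """Set-Cookie header carrying the flags the policy lists for both cookies."""
    return f"{name}={value}; Max-Age={max_age}; Path=/; HttpOnly; Secure; SameSite=Lax"

def begin_oauth(provider: str):
    """Mint the per-provider nonce; return (state for the authorize URL, Set-Cookie header)."""
    state = secrets.token_urlsafe(32)
    return state, set_cookie(f"clv_oauth_state_{provider}", state, 600)

def finish_oauth(provider: str, query_state: str, cookies: dict):
    """Callback side: proceed only if the state the provider echoes matches the cookie."""
    cookie = cookies.get(f"clv_oauth_state_{provider}")
    ok = cookie is not None and hmac.compare_digest(cookie.encode(), query_state.encode())
    # Expire the cookie either way: the policy says it is deleted when the callback completes.
    return ok, set_cookie(f"clv_oauth_state_{provider}", "", 0)
```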

What we do NOT use

How to control them

Both cookies are deleted automatically — clv_oauth_state_* after the OAuth callback, clv_onb after one hour or when you finish signup. You can delete them manually any time through your browser's cookie settings:

Note: Blocking clv_onb mid-signup will reset you to step 1. Blocking clv_oauth_state_* will prevent social sign-in from completing.

Changes to this policy

If we ever add a third cookie, we will update this page and the privacy policy. We will not add tracking or analytics cookies, ever — that's a brand commitment, not just a legal one.

Last updated: April 2026