Cookie Policy
Two cookies. Both strictly necessary. No tracking, no analytics, no third parties — ever.
No banner. Here's why.
EU law (ePrivacy Directive Art. 5(3) and GDPR) requires consent before storing or accessing information on a user's device unless that information is "strictly necessary for the provision of a service explicitly requested by the user." Session cookies, authentication cookies, and CSRF security cookies are explicitly named in the exemption.
Clavitor uses exactly two cookies. Both are strictly necessary. Both are exempt from the consent requirement. There is nothing to consent to, so we do not show a banner asking for consent — that would be misleading.
The two cookies
| Name | Lifetime | Purpose | Flags |
|---|---|---|---|
| clv_onb | 1 hour | Carries your in-progress signup state across the three onboarding pages (signup → profile → plan). Without this cookie, the form on page 2 would have no idea who page 1 was. The value is HMAC-signed so it cannot be forged or modified by anyone but us. | HttpOnly, Secure, SameSite=Lax |
| clv_oauth_state_* | 10 minutes | Set when you click the Google sign-in button. Holds a random CSRF nonce that the OAuth callback verifies before exchanging the code — the standard defence against CSRF attacks on OAuth flows. Deleted the moment the callback completes. | HttpOnly, Secure, SameSite=Lax |
| clv_lang | 1 year | Remembers your language preference when you select a language from the navigation dropdown. Without it, the site would fall back to your browser's Accept-Language header on every visit. | HttpOnly, Secure, SameSite=Lax |
Why these are strictly necessary
clv_onb is required to provide the signup feature you explicitly requested by clicking "Get started". Without it, the multi-step form cannot remember which account you're creating. There is no functional alternative.
clv_oauth_state_* is a security cookie required to safely complete a social sign-in. Without it, your OAuth callback could be hijacked by a CSRF attack. The exemption explicitly covers "user-input cookies" and security cookies of this kind (see WP29 Opinion 04/2012, EDPB Guidelines 03/2022).
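The two mechanisms the table describes, an HMAC-signed state cookie and a single-use OAuth state nonce, are shown below as an added illustration. This is example code, not Clavitor's implementation: the secret key, the JSON payload layout, the `exp` field, the cookie-name suffix behind the `clv_oauth_state_*` wildcard, and the helper names are all assumptions made for the example. Verification uses a constant-time comparison and rejects anything that is malformed, altered, or expired, and the callback clears the nonce cookie whether or not it matched.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# Constructed server-side secret for the example only; a real deployment
# loads this from a secret store and never ships it to the client.
SERVER_KEY = b"example-only-key-do-not-use"

COOKIE_ATTRS = "Path=/; HttpOnly; Secure; SameSite=Lax"  # flags listed on the page


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_onboarding_state(state: dict, now: Optional[float] = None, ttl: int = 3600) -> str:
    """Serialise signup state and tag it with HMAC-SHA256 so the browser cannot forge or alter it."""
    payload = dict(state)
    payload["exp"] = int((now if now is not None else time.time()) + ttl)  # assumed expiry field
    body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    tag = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"


def verify_onboarding_state(cookie: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the signup state if the tag is valid and unexpired; None for anything else."""
    try:
        body, tag = cookie.split(".", 1)
        expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest()
        # Constant-time compare: timing must not reveal how many tag bytes matched.
        if not hmac.compare_digest(expected, _unb64(tag)):
            return None
        payload = json.loads(_unb64(body))
    except ValueError:  # covers bad split, bad base64 (binascii.Error) and bad JSON
        return None
    if not isinstance(payload, dict):
        return None
    current = now if now is not None else time.time()
    if payload.get("exp", 0) < current:
        return None
    payload.pop("exp", None)
    return payload


def set_cookie_header(name: str, value: str, max_age: int) -> str:
    return f"{name}={value}; Max-Age={max_age}; {COOKIE_ATTRS}"


def clear_cookie_header(name: str) -> str:
    # Max-Age=0 tells the browser to drop the cookie immediately.
    return f"{name}=; Max-Age=0; {COOKIE_ATTRS}"


def begin_oauth() -> Tuple[str, str, str]:
    """Start of social sign-in: mint a random nonce, keep it in a 10-minute cookie,
    and send the same value as the provider's `state` parameter."""
    nonce = secrets.token_urlsafe(32)
    cookie_name = f"clv_oauth_state_{secrets.token_hex(4)}"  # assumed form of the wildcard suffix
    return nonce, cookie_name, set_cookie_header(cookie_name, nonce, 600)


def handle_oauth_callback(cookie_value: Optional[str], state_param: str, cookie_name: str) -> Tuple[bool, str]:
    """Callback: the `state` echoed by the provider must equal the nonce in our cookie,
    otherwise the authorization code is not exchanged. The cookie is cleared either way."""
    ok = cookie_value is not None and hmac.compare_digest(cookie_value.encode(), state_param.encode())
    return ok, clear_cookie_header(cookie_name)
```

A request that arrives with a `state` but no matching cookie is exactly the cross-site case the nonce exists to stop: the attacker can choose the `state` they send, but cannot read or set the victim's `HttpOnly` cookie, so the comparison fails and no code exchange happens.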
What we do NOT use
- Analytics: No Google Analytics, Plausible, Fathom, or self-hosted analytics. Zero.
- Marketing pixels: No Meta Pixel, no LinkedIn Insight, no retargeting.
- Third-party scripts: No CDN-hosted libraries. No Google Fonts (we self-host the woff2 files).
- Local storage / IndexedDB / sessionStorage: none. EU law treats these the same as cookies, and we use none of them.
- Fingerprinting: none.
- "Remember me" cookies: none. Future authentication will use WebAuthn passkeys, which your browser stores separately from cookies.
How to control them
Both cookies are deleted automatically — clv_oauth_state_* after the OAuth callback, clv_onb after one hour or when you finish signup. You can delete them manually any time through your browser's cookie settings:
- Chrome / Edge / Brave: Settings → Privacy and security → Cookies and other site data
- Firefox: Settings → Privacy & Security → Cookies and Site Data
- Safari: Preferences → Privacy → Cookies and website data
Note: Blocking clv_onb mid-signup will reset you to step 1. Blocking clv_oauth_state_* will prevent social sign-in from completing.
Changes to this policy
If we ever add a third cookie, we will update this page and the privacy policy. We will not add tracking or analytics cookies, ever — that's a brand commitment, not just a legal one.
Last updated: April 2026