Cookies Policy

1. Overview

This Cookies Policy explains how Flopinio uses cookies and similar browser storage on its public site and authenticated product.

It should be read together with our Privacy Policy.

2. What We Currently Use

Based on the current shipped product, Flopinio primarily uses essential first-party cookies to support authenticated sessions and account security.

The main browser cookie used by the application is a signed session identifier that helps the server recognize an authenticated browser and associate it with a server-side session record.

3. Essential Session Cookies

Our essential session-cookie behavior currently supports:

• Maintaining authenticated sessions across requests while the related server-side session remains active
• Supporting OAuth-authenticated product access and the account-completion banner/restriction state for users who still need to create a local password
• Supporting bounded session lifetime, idle expiry, and explicit session revocation
• Supporting security-sensitive browser behavior tied to authenticated and identity-confirmed use

These cookies are part of the core operation of the service and are not used for advertising purposes.

4. Security Characteristics

We configure our authentication cookie with security-focused attributes such as signing, `HttpOnly`, `SameSite=Lax`, and expiration tied to the related server-side session. In production we also rely on HTTPS and secure-cookie protections.

These measures help reduce the risk of tampering, script access, and certain cross-site request behaviors, but they do not eliminate all security risk.

5. Non-Essential Cookies

The public marketing surface does not load Microsoft Clarity and does not rely on advertising or marketing cookies. Ahoy is configured without cookies. Signed-in product users may be asked to opt in to Microsoft Clarity analytics when it is configured for the workspace product shell.

If accepted, Microsoft Clarity may set non-essential cookies and collect interaction data used for heatmaps, session replay, navigation diagnostics, and product usability analysis. Flopinio sends internal user IDs and limited product tags such as role and organization ID; we do not intentionally send email addresses, names, form contents, or customer-visible workspace text as custom Clarity identifiers or tags.

You can decline product analytics from the authenticated product prompt. Essential session cookies remain required for signed-in use.

6. Browser Controls

Most browsers let you inspect, block, or delete cookies through browser settings. Because Flopinio currently depends on essential session cookies for authenticated use, disabling those cookies may prevent sign-in or break core product behavior.

If you want to manage cookies, review your browser's cookie and privacy controls for the device you use to access the service.

7. Changes to This Policy

We may update this Cookies Policy to reflect changes in the product, legal requirements, or our use of browser storage technologies. Material updates will be reflected by an updated effective date on this page.