# Cookie Policy

**Effective Date:** 2026-05-14

**Version:** 1.0

> **DRAFT — not legal advice.** This document was generated from a code scan and is intended for review by a qualified attorney before publication.

This Cookie Policy explains how ResolutionFlow LLC ("ResolutionFlow," "we," "us," or "our") uses cookies and similar technologies on the ResolutionFlow website and Services.

## 1. What are cookies and similar technologies?

Cookies are small text files stored on your device when you visit a website. We also use related technologies, including:

- **Local storage and session storage** — browser storage similar to cookies but typically larger and not sent on every request
- **Software development kits (SDKs)** — code that collects information from your browser as you use a website

For simplicity, we use "cookies" to refer to all of these throughout this policy unless we note otherwise.

## 2. Cookies and storage we use

We categorize browser storage by purpose. Where applicable laws require consent for non-essential cookies and storage, we will obtain consent before setting them. `[LEGAL REVIEW: a consent banner is required before PostHog and any non-essential analytics fires for EU/UK visitors]`

### 2.1 Strictly necessary

These items are essential for the Services to function. They cannot be disabled while you use the Services.

| Name / pattern | Type | Set by | Purpose | Duration |
|---|---|---|---|---|
| `access_token` | localStorage | ResolutionFlow (first-party) | Holds your short-lived API access token so you stay signed in across pages and reloads | Until logout / token expiry |
| `refresh_token` | localStorage | ResolutionFlow (first-party) | Used to obtain a new access token without re-entering your password | Until logout or session limit (default 14 days absolute, 3 days idle) |

**Note on storage choice.** We deliberately store these tokens in your browser's `localStorage` rather than in HTTP-only cookies.
Tokens in `localStorage` are accessible to JavaScript running on the page, so a cross-site-scripting (XSS) attack against the Services could expose them. We mitigate this risk with content-security headers, short access-token lifetimes, idle and absolute session limits, and the ability to revoke all sessions on password change.

### 2.2 Functional / preference

These items are not strictly necessary but disabling them reduces functionality.

| Name | Type | Set by | Purpose | Duration |
|---|---|---|---|---|
| `theme-storage` | localStorage | ResolutionFlow (first-party) | Remembers your dark / light theme preference | Persistent |
| `rf-editor-fullscreen` | localStorage | ResolutionFlow (first-party) | Remembers whether you prefer fullscreen editor mode | Persistent |
| `rf-intended-plan` | localStorage | ResolutionFlow (first-party) | Carries a pricing-page selection into the signup flow | Cleared after signup |
| `recentFlows` storage key | localStorage | ResolutionFlow (first-party) | Remembers the flows you've recently opened so the navigation MRU works | Persistent |
| "Step feedback hint shown" flag | localStorage | ResolutionFlow (first-party) | Hides a one-time coachmark after you've seen it | Persistent |
| "Rated sessions" list | localStorage | ResolutionFlow (first-party) | Suppresses the post-session rating prompt for sessions you've already rated | Persistent (capped at 100 entries) |
| "Escalation queue seen" set | localStorage | ResolutionFlow (first-party) | Marks notifications you've seen so badges clear correctly | Persistent |

### 2.3 Analytics

These items help us understand how the Services are used so we can improve them. They are set only with your consent in jurisdictions that require it.
`[LEGAL REVIEW: the consent banner described here is not currently implemented]`

| Name | Type | Set by | Purpose | Duration |
|---|---|---|---|---|
| `ph_*` (e.g., `ph__posthog`) | Cookie + localStorage | PostHog (third-party) | Identifies your browser to PostHog so we can attribute events to a stable identifier, capture page views, autocapture interactions, and report Web Vitals. The cookie is set because we configure PostHog with `persistence: 'localStorage+cookie'`. | Up to 12 months |

We also use Sentry to monitor errors and a sampled subset of browser sessions (1% of normal sessions, 100% of sessions in which an error occurs). Sentry does not set tracking cookies but does collect telemetry about your browser interactions during sampled sessions. See the [Privacy Policy](privacy-policy.md) and our [Subprocessor List](subprocessor-list.md).

### 2.4 Advertising

We do not use advertising cookies, advertising pixels, or cookies for cross-context behavioral advertising.

### 2.5 Embedded third-party services

- **Google Fonts** — Our public website loads fonts from `fonts.googleapis.com` and `fonts.gstatic.com`. Google receives your IP address as part of loading the fonts. Google does not set cookies via these requests, but the IP-address exposure is a disclosure. `[LEGAL REVIEW: consider self-hosting fonts to remove this disclosure]`

## 3. Your choices

### 3.1 Managing consent

Where required by law, we obtain your consent for analytics and other non-essential storage via a consent mechanism on the Services. You can change your preferences at any time. `[LEGAL REVIEW: implement and link to the consent mechanism here]`

### 3.2 Browser controls

Most browsers allow you to:

- Block all cookies
- Block third-party cookies
- Clear cookies when you close the browser
- Receive notification when a cookie is set

Disabling all cookies and `localStorage` will prevent the Services from functioning correctly because authentication relies on browser storage.
For browser-specific instructions, see:

- [Chrome](https://support.google.com/chrome/answer/95647)
- [Firefox](https://support.mozilla.org/en-US/kb/cookies-information-websites-store-on-your-computer)
- [Safari](https://support.apple.com/guide/safari/manage-cookies-sfri11471/mac)
- [Edge](https://support.microsoft.com/en-us/help/4027947/microsoft-edge-delete-cookies)

### 3.3 Do Not Track signals

The Services do not currently respond to "Do Not Track" browser signals because there is no industry consensus on how to interpret them.

### 3.4 Global Privacy Control

We treat **Global Privacy Control (GPC)** signals as an opt-out of sale or sharing of personal information for California and other states where required by law. We do not sell or share personal information for cross-context behavioral advertising regardless of GPC.

## 4. Changes to this Cookie Policy

We may update this Cookie Policy from time to time. Material changes will be announced through the Services and the "Effective Date" above will be updated.

## 5. Contact

Questions about our use of cookies? Contact us at **support@resolutionflow.com**.