Generated by the resolutionflow-legal skill from a code scan of the FastAPI
backend + React frontend on commit 0564646. Each document is a starting
point for attorney review, not legal advice.
Includes:
- privacy-policy.md, terms-of-service.md, cookie-policy.md (public-facing)
- dpa.md (contractual; signed with MSP customers)
- subprocessor-list.md (Railway, Anthropic, Voyage, Stripe, Resend, Sentry,
PostHog, Google Fonts — confirmed live as of scan)
- data-inventory.md + classification.md (Phase 1/2 working files)
- attorney-review-checklist.md (consolidated [LEGAL REVIEW] punch list)
- implementation-verification.md (claim-by-claim audit vs. actual code)
Three blocking issues filed before public publication:
- #175 deletion-on-offboarding (or rewrite retention claims)
- #176 narrow Sentry send_default_pii + Session Replay config
- #177 EU/UK consent for PostHog + Google Fonts
Public-facing documents intentionally route physical-mail requests through
support@ rather than publishing the LLC's registered address.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
# Cookie Policy
Effective Date: 2026-05-14 Version: 1.0
DRAFT — not legal advice. This document was generated from a code scan and is intended for review by a qualified attorney before publication.
This Cookie Policy explains how ResolutionFlow LLC ("ResolutionFlow," "we," "us," or "our") uses cookies and similar technologies on the ResolutionFlow website and Services.
## 1. What are cookies and similar technologies?
Cookies are small text files stored on your device when you visit a website. We also use related technologies, including:
- Local storage and session storage — browser storage similar to cookies but typically larger and not sent on every request
- Software development kits (SDKs) — code that collects information from your browser as you use a website
For simplicity, we use "cookies" to refer to all of these throughout this policy unless we note otherwise.
## 2. Cookies and storage we use
We categorize browser storage by purpose. Where applicable laws require consent for non-essential cookies and storage, we will obtain consent before setting them. [LEGAL REVIEW: a consent banner is required before PostHog and any non-essential analytics fires for EU/UK visitors]
### 2.1 Strictly necessary
These items are essential for the Services to function. They cannot be disabled while you use the Services.
| Name / pattern | Type | Set by | Purpose | Duration |
|---|---|---|---|---|
| `access_token` | localStorage | ResolutionFlow (first-party) | Holds your short-lived API access token so you stay signed in across pages and reloads | Until logout / token expiry |
| `refresh_token` | localStorage | ResolutionFlow (first-party) | Used to obtain a new access token without re-entering your password | Until logout or session limit (default 14 days absolute, 3 days idle) |
Note on storage choice. We deliberately store these tokens in your browser's localStorage rather than in HTTP-only cookies. Tokens in localStorage are accessible to JavaScript running on the page, so a cross-site-scripting (XSS) attack against the Services could expose them. We mitigate this risk with content-security headers, short access-token lifetimes, idle and absolute session limits, and the ability to revoke all sessions on password change.
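The idle limit, absolute limit and revoke-on-password-change behaviour named in the note above, written out as an added illustration of how a backend can enforce them. This is not ResolutionFlow's own code: the `RefreshSession` record, the per-user `sessions_invalid_before` watermark and the `EPOCH` timeline are assumptions made for the example, while the 14-day absolute and 3-day idle limits are the defaults quoted in the table.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Limits quoted in the Cookie Policy table: 14 days absolute, 3 days idle.
ABSOLUTE_LIMIT = timedelta(days=14)
IDLE_LIMIT = timedelta(days=3)

# Fixed reference instant so the example runs deterministically offline
# (constructed value, not taken from the service).
EPOCH = datetime(2026, 5, 14, tzinfo=timezone.utc)


def at(days: float) -> datetime:
    """Instant `days` after EPOCH; convenience for building timelines."""
    return EPOCH + timedelta(days=days)


@dataclass
class RefreshSession:
    """Server-side record backing one refresh token (hypothetical shape)."""
    user_id: str
    issued_at: datetime      # when the refresh token was first minted
    last_used_at: datetime   # last successful refresh with this token
    revoked: bool = False    # explicit logout of this one session


@dataclass
class UserSecurityState:
    """Per-user revocation watermark (hypothetical field name).

    Any session issued before `sessions_invalid_before` is dead. Moving the
    watermark forward on password change revokes every outstanding session
    with a single write, without enumerating refresh tokens.
    """
    sessions_invalid_before: Optional[datetime] = None


def refresh_rejection_reason(session: RefreshSession,
                             user: UserSecurityState,
                             now: datetime,
                             absolute: timedelta = ABSOLUTE_LIMIT,
                             idle: timedelta = IDLE_LIMIT) -> Optional[str]:
    """Return why a refresh must be refused, or None if it may proceed.

    Checks run from most to least definitive so the reported reason is stable.
    """
    if session.revoked:
        return "revoked"
    cutoff = user.sessions_invalid_before
    if cutoff is not None and session.issued_at < cutoff:
        return "password_changed"
    if now - session.issued_at >= absolute:
        return "absolute_limit"      # no amount of activity extends this
    if now - session.last_used_at >= idle:
        return "idle_limit"          # extended by each successful refresh
    return None


def refresh_allowed(session: RefreshSession, user: UserSecurityState,
                    now: datetime) -> bool:
    return refresh_rejection_reason(session, user, now) is None


def record_refresh(session: RefreshSession, now: datetime) -> None:
    """After a successful refresh: reset the idle clock only.

    issued_at is never touched, so the absolute limit still applies.
    """
    session.last_used_at = now


def revoke_all_sessions(user: UserSecurityState, now: datetime) -> None:
    """Password-change handler: every session issued before `now` is dead."""
    user.sessions_invalid_before = now


if __name__ == "__main__":
    user = UserSecurityState()
    s = RefreshSession("user-1", issued_at=at(0), last_used_at=at(0))
    for day in (1, 3, 5):
        print(day, refresh_rejection_reason(s, user, at(day)))
    revoke_all_sessions(user, at(2))
    print("after password change:", refresh_rejection_reason(s, user, at(2.5)))
```

The watermark design is what makes "revoke all sessions on password change" cheap: the handler writes one timestamp per user instead of deleting every stored refresh token, and a token that was exfiltrated before the change fails the `issued_at < cutoff` check on its next use. Keeping `issued_at` immutable is what guarantees the absolute limit cannot be extended by a script that keeps refreshing.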
### 2.2 Functional / preference
These items are not strictly necessary but disabling them reduces functionality.
| Name | Type | Set by | Purpose | Duration |
|---|---|---|---|---|
| `theme-storage` | localStorage | ResolutionFlow (first-party) | Remembers your dark / light theme preference | Persistent |
| `rf-editor-fullscreen` | localStorage | ResolutionFlow (first-party) | Remembers whether you prefer fullscreen editor mode | Persistent |
| `rf-intended-plan` | localStorage | ResolutionFlow (first-party) | Carries a pricing-page selection into the signup flow | Cleared after signup |
| `recentFlows` storage key | localStorage | ResolutionFlow (first-party) | Remembers the flows you've recently opened so the navigation MRU works | Persistent |
| "Step feedback hint shown" flag | localStorage | ResolutionFlow (first-party) | Hides a one-time coachmark after you've seen it | Persistent |
| "Rated sessions" list | localStorage | ResolutionFlow (first-party) | Suppresses the post-session rating prompt for sessions you've already rated | Persistent (capped at 100 entries) |
| "Escalation queue seen" set | localStorage | ResolutionFlow (first-party) | Marks notifications you've seen so badges clear correctly | Persistent |
### 2.3 Analytics
These items help us understand how the Services are used so we can improve them. They are set only with your consent in jurisdictions that require it. [LEGAL REVIEW: the consent banner described here is not currently implemented]
| Name | Type | Set by | Purpose | Duration |
|---|---|---|---|---|
| `ph_*` (e.g., `ph_<token>_posthog`) | Cookie + localStorage | PostHog (third-party) | Identifies your browser to PostHog so we can attribute events to a stable identifier, capture page views, autocapture interactions, and report Web Vitals. The cookie is set because we configure PostHog with `persistence: 'localStorage+cookie'`. | Up to 12 months |
We also use Sentry to monitor errors and a sampled subset of browser sessions (1% of normal sessions, 100% of sessions in which an error occurs). Sentry does not set tracking cookies but does collect telemetry about your browser interactions during sampled sessions. See the Privacy Policy and our Subprocessor List.
### 2.4 Advertising
We do not use advertising cookies, advertising pixels, or cookies for cross-context behavioral advertising.
### 2.5 Embedded third-party services
- Google Fonts — Our public website loads fonts from fonts.googleapis.com and fonts.gstatic.com. Google receives your IP address as part of loading the fonts. Google does not set cookies via these requests, but the IP-address exposure is a disclosure. [LEGAL REVIEW: consider self-hosting fonts to remove this disclosure]
## 3. Your choices
### 3.1 Managing consent
Where required by law, we obtain your consent for analytics and other non-essential storage via a consent mechanism on the Services. You can change your preferences at any time. [LEGAL REVIEW: implement and link to the consent mechanism here]
### 3.2 Browser controls
Most browsers allow you to:
- Block all cookies
- Block third-party cookies
- Clear cookies when you close the browser
- Receive notification when a cookie is set
Disabling all cookies and localStorage will prevent the Services from functioning correctly because authentication relies on browser storage.
For browser-specific instructions, see:
### 3.3 Do Not Track signals
The Services do not currently respond to "Do Not Track" browser signals because there is no industry consensus on how to interpret them.
### 3.4 Global Privacy Control
We treat Global Privacy Control (GPC) signals as an opt-out of sale or sharing of personal information for California and other states where required by law. We do not sell or share personal information for cross-context behavioral advertising regardless of GPC.
## 4. Changes to this Cookie Policy
We may update this Cookie Policy from time to time. Material changes will be announced through the Services and the "Effective Date" above will be updated.
## 5. Contact
Questions about our use of cookies? Contact us at support@resolutionflow.com.