Cookie Policy

Version 2026-05. Last updated: 20 May 2026.

This Cookie Policy describes the cookies and other client-side storage that Confidly uses across its properties. It supplements the Privacy Policy and is informed by Directive 2002/58/EC ("ePrivacy"), Art. 5(3) of the ePrivacy Directive on terminal-equipment storage, and the European Data Protection Board's Guidelines 2/2023 on Article 5(3).

Confidly does not use advertising cookies, tracking pixels, browser fingerprinting, third-party analytics, social-media widgets, or cross-site identifiers on any property. We do not share data with ad networks or data brokers.

What is a cookie

A cookie is a small text file stored by the browser when you visit a website. It can be a first-party cookie (set by the site you are visiting) or a third-party cookie (set by a domain different from the one in the address bar). "Strictly necessary" cookies under Art. 5(3) ePrivacy are exempt from prior consent because they are essential to deliver a service the user explicitly requested. Other categories require consent.

Marketing site: confidly.eu

The marketing site is fully static, served from the EU, and does not set any cookies or local-storage entries by default. We do not use Google Analytics, Plausible, Mixpanel, Hotjar, Segment, or comparable analytics. Server access logs are kept for 30 days for security and abuse-detection purposes (legitimate interest, GDPR Art. 6(1)(f)) and contain IP address, request path, timestamp, and user-agent. They are not joined with any other dataset.

Application: app.confidly.eu

| Name | Provider | Purpose | Category | Retention |
|---|---|---|---|---|
| __session | Clerk | Authenticated session for staff users (signed JWT in cookie form, HttpOnly, Secure, SameSite=Lax) | Strictly necessary | Session (typ. 7 days idle) |
| __client | Clerk | Identifier used to bind the session to a particular browser; HttpOnly, Secure | Strictly necessary | 1 year |
| __clerk_db_jwt | Clerk | Short-lived JWT used by Clerk's SDK to communicate with its backend | Strictly necessary | Session |
| confidly.active_org_slug | Confidly (localStorage) | Remembers which organisation the staff user last selected, so they land in the same place after sign-in | Strictly necessary | Persistent (cleared on logout) |

All of these are strictly necessary to authenticate the user and to deliver the authenticated dashboard the user explicitly requested. They are exempt from prior consent under Art. 5(3) ePrivacy, second sentence.

Public reporting channel: report.confidly.eu and tenant.confidly.eu

| Name | Provider | Purpose | Category | Retention |
|---|---|---|---|---|
| reporter_token | Confidly | Short-lived JWT (HttpOnly, Secure, SameSite=Strict) that binds the browser to a single case so the reporter can return within the same browser without re-entering the case code and secret | Strictly necessary | 24 hours, on revocation, or on tab close |
| confidly.lang | Confidly (localStorage) | Stores the language the reporter selected so the page renders in that language on return | Strictly necessary | Persistent until cleared |

The reporter channel is intentionally cookie-light. We do not set any analytics or marketing cookie because that would create a residual identifier on the reporter's device, which could be used to fingerprint or correlate sessions and would conflict with the anonymity guarantees of Directive (EU) 2019/1937, Art. 16.

Tor and high-risk reporters

The reporter channel works through Tor. When accessed over a .onion address (where offered by the Customer) no cookies are set on the reporter's browser; the session is kept entirely server-side and identified by a one-time bearer token entered by the reporter at sign-in.

Third-party content embedded in the marketing site

Where a marketing page embeds a video, code playground, or other third-party content, that embed is loaded lazily and only on explicit click of a "Load embed" button. This is the click-to-play pattern. No third-party cookies are set until the user activates the embed.

Do Not Track and Global Privacy Control

The marketing site sets no cookies regardless of DNT or GPC signals; there is nothing to disable. The application is auth-only and the cookies listed above are all strictly necessary. We honour GPC for any opt-out we would otherwise be required to provide.

How to manage cookies

You can delete or block cookies through your browser settings. For the application, doing so will sign you out. For the reporter channel, doing so within an active case will require you to re-enter your case code and secret to continue.

Why we do not show a cookie banner

Because we only use strictly necessary cookies, no prior consent is required under Art. 5(3) ePrivacy. We do not show a banner because doing so would be misleading: there is no non-essential storage to opt in or out of. This position aligns with the EDPB Guidelines 2/2023, paragraph 64.

Changes

When we add a strictly necessary cookie we update this page in the same week. When we add a non-essential cookie (we have no current plan to) we will introduce a proper consent flow first.