← Back to app

Cookie Policy

Last updated: 20 May 2026

Short version. The only cookies Knowledge sets are the strictly necessary ones required to keep you signed in and protect against CSRF. No advertising cookies. No third-party analytics inside the authenticated app. Because only strictly necessary cookies are set today (ePrivacy Directive Art. 5(3) exception / French LCED Art. 82), no consent banner is shown. If we add a non-essential cookie or analytics tag in the future, a consent banner will appear at the same time.

1. What cookies are

Cookies are small text files a website asks your browser to keep so it can recognise you on a later request — for example, to keep you signed in. Similar client-side storage like localStorage is treated as a cookie equivalent under EU/UK ePrivacy law; we treat it the same way here.

2. Cookies we set

Strictly necessary — always on

Required for the site to work. They cannot be disabled without breaking sign-in. No consent required under ePrivacy Directive Art. 5(3) / French LCED Art. 82.

  • PHP session cookie — identifies your browser to the server while you are signed in. HttpOnly, Secure, SameSite=Lax. Expires when the browser session ends or after the inactivity timeout (default 14 days, configurable per workspace).
  • CSRF token — stored inside the session and echoed in a hidden form field on admin pages. Protects against forged state-changing requests.
  • OIDC state & nonce — short-lived session values used during the Microsoft sign-in handshake.

Local storage we set (treated like cookies for consent purposes)

The browser app uses localStorage to remember your preferences across visits — current view tab, sidebar collapsed state, selected search filters, your last selected model, the current conversation thread id. These keys never contain personal data beyond what you typed yourself, and they only exist on your own device.

Third-party (payment)

When you reach the billing step, Stripe's hosted Checkout may set its own cookies inside the Stripe iframe to detect fraud. Those cookies are controlled by Stripe and governed by Stripe's privacy policy. We do not place those cookies and we cannot read them.

3. What we do not use

  • No advertising or retargeting cookies.
  • No cross-site tracking pixels.
  • No social-plugin cookies (no Facebook/Twitter "like" pixels, no LinkedIn Insight Tag).
  • No A/B-testing platforms that set fingerprint cookies.
  • No fingerprinting libraries.
  • No third-party analytics inside the authenticated app.

If we ever introduce a privacy-preserving analytics tag on the public marketing pages, we will (a) use a cookieless server-side counter where possible, or (b) present a consent banner with Reject given the same prominence as Accept. This page will be updated at the same time and the consent cookie name will be bumped so every browser is re-prompted.

4. Manage cookies in your browser

  • Chrome: Settings → Privacy & security → Cookies and other site data
  • Firefox: Settings → Privacy & Security → Cookies and Site Data
  • Safari: Settings → Privacy → Manage Website Data
  • Edge: Settings → Cookies and site permissions

If you clear or block the session cookie you will be signed out and will have to log in again. Some features that rely on CSRF protection may stop working until you do.

5. Changes

If we add a new cookie or analytics provider we update this page, bump the consent-cookie version (so every browser is re-prompted), and where the law requires we will ask for fresh consent before any new cookie is set.

6. Contact

Questions about cookies? Email privacy@olyteck.com.