Cookie policy
Last updated: 2026-04-22
Draft notice: these terms are a working draft authored by the AccessiFlow team. They have not yet been reviewed by a lawyer qualified in your jurisdiction. Before production launch we will publish reviewed versions and notify existing customers of any material changes. Questions: legal@accessiflowfiji.com.
Short version
- The widget you embed on your sites sets no cookies. It stores visitor preferences in
localStorageon the visitor’s own device. - The AccessiFlow marketing site and dashboard use a small number of cookies for essential functions (sign-in, CSRF protection). We do not use analytics or advertising cookies.
What the widget stores
On your visitors’ devices, the widget uses two localStorage keys:
| Key | Contents | Purpose |
|---|---|---|
accessiflow:prefs:<siteKey> | Visitor’s selected prefs (font size, contrast, etc.) | Remember adjustments between page loads |
accessiflow:manifest:<siteKey> | Cached signed manifest, up to 1 hour | Avoid refetching config on every page load |
A short-lived sessionStorage key also holds a random session id, hashed before being sent in the heartbeat beacon.
localStorage and sessionStorage are not cookies under most legal definitions (e.g. ePrivacy), but they do live on the visitor’s device until cleared. Some jurisdictions require consent for non-essential storage; because our storage is strictly functional (remembering user-requested adjustments), the “strictly necessary” exemption typically applies. Check with your own counsel for the jurisdiction you operate in.
What the marketing site + dashboard set
| Cookie | Purpose | Lifetime |
|---|---|---|
authjs.session-token | Signed-in session (HttpOnly, SameSite=Lax) | 30 days |
authjs.csrf-token | CSRF protection for sign-in forms | Session |
authjs.callback-url | Post-login redirect target | Session |
Tracking and advertising
We do not set any third-party cookies. No Google Analytics, Meta Pixel, LinkedIn Insight, or advertising trackers. We use Umami (self-hosted, cookie-free) for aggregate traffic on the marketing site — it works without any identifier stored on the visitor’s device.
Control
You can clear site data from your browser at any time (DevTools → Application → Storage on Chromium, similar on Firefox / Safari). Clearing localStorage resets widget preferences; clearing cookies signs you out of the dashboard.
Contact
Questions: privacy@accessiflowfiji.com.