Cookie Policy
This policy explains how RequireFlow uses cookies and similar technologies, and how you can manage them under UK GDPR and the Privacy and Electronic Communications Regulations (PECR).
1. What are cookies?
Cookies are small text files placed on your device when you visit a website. We also use similar technologies such as localStorage and session storage for the same purposes.
2. Categories we use
| Category | Purpose | Set without consent? |
|---|---|---|
| Strictly necessary | Authentication, session security, load balancing, CSRF protection. | Yes |
| Analytics | Aggregated usage statistics to help us improve the platform. | No — opt-in |
| Marketing | Measure campaign effectiveness and ad attribution. | No — opt-in |
3. Cookie details
The tables below list every cookie and similar storage item RequireFlow may set on your device, the category it belongs to, the data controller, its retention period, and its purpose.
3.1 Strictly necessary
| Name | Provider | Type | Retention | Purpose |
|---|---|---|---|---|
| sb-access-token | RequireFlow / Lovable Cloud | HTTP cookie | Session | Holds your short-lived authentication token so you stay signed in. |
| sb-refresh-token | RequireFlow / Lovable Cloud | HTTP cookie | 30 days | Renews your access token without forcing you to sign in again. |
| rf.cookie-consent.v1 | RequireFlow | localStorage | 12 months | Stores your cookie-banner choices (analytics / marketing on or off). |
| rf.consent-snapshot.v1 | RequireFlow | localStorage | 12 months | Mirror of your latest Terms / Privacy / DPA / Marketing decisions for fast UI restore. |
3.2 Analytics (opt-in)
| Name | Provider | Type | Retention | Purpose |
|---|---|---|---|---|
| _rf_analytics_id | RequireFlow (first-party) | HTTP cookie | 13 months | Aggregated, IP-anonymised usage statistics. Only set after analytics consent is granted. |
3.3 Marketing (opt-in)
| Name | Provider | Type | Retention | Purpose |
|---|---|---|---|---|
| _rf_attribution | RequireFlow (first-party) | HTTP cookie | 90 days | Attributes new sign-ups to the marketing channel that referred them. Only set after marketing consent is granted. |
4. How consent is stored and managed
We treat cookie consent as a first-class, audited decision under UK GDPR Article 7 (consent) and the Privacy and Electronic Communications Regulations (PECR).
- Default state. Until you make a choice, only strictly-necessary cookies are set. Analytics and marketing categories are off.
- Granular choice. The cookie banner lets you accept all, reject non-essential, or set each category independently with equal-weight buttons (no "dark patterns").
- Local storage. Your choice is saved in your browser under the key rf.cookie-consent.v1 with a version number, decision timestamp, and one boolean per category. No personal identifier is stored.
- Server log (signed-in users). When you accept the Terms, Privacy Policy or DPA, or change your marketing preference, an append-only row is written to our user_consents table including the document version, the policy URL, your user agent, and the timestamp. We never overwrite or delete history.
- Withdrawal. You can change or withdraw any non-essential consent at any time from the button below, the "Cookie preferences" link in the footer, or the legal sidebar. Withdrawal takes effect immediately and is logged the same way as granting consent.
- Re-prompt on policy change. If we materially update the Terms, Privacy Policy or DPA, you will be asked to re-accept the new versions on your next sign-in. Old consent rows remain in the log as evidence.
- Browser controls. You can also block or delete cookies via your browser settings, but doing so may break authentication and other essential features.