Cookie Policy
The French version (Politique relative aux cookies) is the legally binding version. This English translation is provided for convenience. In case of discrepancy, the French version prevails.
This policy describes the cookies and similar storage technologies used by Ovarli. It complements our Privacy Policy.
1. What is a cookie
A cookie is a small text file placed by a website on your browser. The term "cookie" is used here in its broad sense, also covering equivalent technologies such as the browser's localStorage and sessionStorage. These mechanisms let a site remember information between visits or during navigation.
2. Our approach
Ovarli takes a minimalist approach: no cookie or storage technology is enabled without necessity. As of today, Ovarli uses no third-party audience measurement, marketing or advertising tracker. The structure of our consent banner (Essential / Audience measurement / Marketing) is implemented in advance for the day we enable such tools, so that we honor your choice from the very first deployment.
3. Cookies and storage in use today
3.1 Strictly necessary (always on)
These items are essential to the operation of the service. They cannot be disabled without preventing normal use of Ovarli. They rely on the performance of the contract (article 6(1)(b) GDPR) and do not require prior consent.
- ovarli_token (HTTP httpOnly cookie, 15-minute lifetime): short-lived authentication token that keeps you signed in for the session. Renewed automatically via the refresh cookie below.
- ovarli_refresh (HTTP httpOnly cookie, 7-day lifetime, path /api/auth/refresh): refresh token that lets us extend your session without asking for your credentials again. Stored only by the browser, never accessible to the page's JavaScript.
- ovarli_csrf (HTTP cookie, 15-minute lifetime): cross-site request forgery (CSRF) protection token. Sent by the browser on every state-changing request; the server verifies the match.
- ovarli_totp_challenge (HTTP httpOnly cookie, 5-minute lifetime, path /api/auth): present only while you enter a 2FA code. Identifies the ongoing challenge to verify your 6-digit code.
- ovarli_locale (localStorage): your preferred language (FR/EN/DE/IT), shared between the landing site and the application.
- ovarli_theme (localStorage): your light or dark theme choice.
- ovarli_cookie_consent (localStorage): records your cookie consent choice so you are not prompted again on every visit. Contains the categories accepted (Essential, Analytics, Marketing), a timestamp and a version number. If we change our policy, the version number is bumped and your consent is requested again.
- bgt_token (localStorage, being phased out): legacy authentication token kept on the browser, retained briefly for sessions opened before the move to the httpOnly cookies above. Will be removed in a future release.
- Reverse proxy: no HTTP cookie is set by our reverse proxy. Access logs (IP address, user-agent, timestamp, HTTP code) are kept 30 days server-side, distinct from browser cookies.
3.2 Audience measurement (not active)
No analytics tool (Google Analytics, Plausible, PostHog, Matomo, etc.) is installed today. If we enable one in the future, its loading will be strictly conditioned on your explicit consent via the cookie banner. This policy will then be updated to detail the provider, data collected, retention and legal basis.
3.3 Marketing and advertising (not active)
No marketing, retargeting or advertising tracker (Meta Pixel, Google Ads, etc.) is installed today, and we have no immediate intention of adding any. Should this change, your explicit consent would be required before any loading.
3.4 Third-party cookies (limited)
- Google OAuth: if you choose "Continue with Google", Google may set its own cookies on the accounts.google.com subdomain at the moment of authentication. These cookies are not accessible to Ovarli and are governed by Google's privacy policy.
- Stripe: if billing is enabled on your account, Stripe may set its cookies at checkout. These cookies are not accessible to Ovarli and are governed by Stripe's privacy policy.
- Sentry: Sentry, used for production error tracking, does not use browser cookies. Error events are transmitted directly via HTTP requests with an anonymized payload (see Privacy Policy section 5).
4. How to manage your preferences
You can review and change your preferences at any time:
- On your first visit: a banner appears at the bottom of the page with three choices: Accept all, Decline all, Customize. Customize opens a detailed per-category window.
- From the landing site: "Cookie preferences" link in the footer (Legal section).
- From the application: Profile → "Privacy" section → "Cookie preferences" button.
- Via your browser: you can delete the localStorage of the ovarli.app domain at any time using your browser's tools. This will sign you out and request your consent again on the next visit.
5. Consequences of declining
Declining non-essential categories does not affect your experience today, since no tool is currently active in those categories. Declining strictly necessary cookies (by manual removal in the browser) will sign you out and force you to sign in again, with no other consequence.
6. Amendments
We update this policy when technical or legal changes require it, in particular when we enable a new tool. The version number and the date of last update are shown at the top of this page. Any material change triggers a new consent request via the banner.
7. Contact
For any question, write to hello@ovarli.app.
Drafted by the Ovarli team based on the FADP, the GDPR and the ePrivacy Directive 2002/58/EC. A professional legal review is recommended before any broader public launch. To report inaccuracies, write to hello@ovarli.app.