Cookie Policy
Last updated · 2026-05-12
This page lists, one by one, the cookies and local-storage items used by HypomoneLab. Our policy is deliberately minimal: only what's strictly necessary for the app to work. We don't use analytics, we don't run ads, we don't embed third-party pixels or trackers.
Under the GDPR and Spain's LSSI, strictly necessary cookies are exempt from the prior-consent requirement. We still show a one-time notice on your first visit explaining the policy, which you confirm with a single click.
1. What cookies and storage we use
| Name | Type | Purpose | Origin | Lifetime |
|---|---|---|---|---|
auth_token | HTTP cookie (httpOnly, Secure, SameSite=Lax) | Signed JWT that keeps your session active across requests. Without it we can't know it's you. | First-party (HypomoneLab) | 15 minutes (auto-refreshed) |
refresh_token | HTTP cookie (httpOnly, Secure, SameSite=Lax) | Lets us renew your session without re-asking for your password when the JWT expires. | First-party (HypomoneLab) | 30 days or until sign-out |
endurance.cookie-ack | localStorage | Remembers that you acknowledged the cookie notice so we don't show it again. | First-party (HypomoneLab) | Until you clear your browser storage |
endurance.readiness-snooze | localStorage | If you snooze the daily readiness survey, stores the date until which it won't reappear. | First-party (HypomoneLab) | Renewed each time you snooze again |
__cf_bm (when applicable) | HTTP cookie (httpOnly, Secure, SameSite=None) | Cloudflare bot-mitigation cookie. Set briefly in response to suspicious traffic. Does not identify the user. | Third-party (Cloudflare) | 30 minutes |
2. What we do NOT use
- Google Analytics, Plausible, Fathom, Matomo or any other web-analytics tool.
- Meta Pixel, Google Ads, TikTok Pixel or any advertising pixel.
- Hotjar, FullStory, Microsoft Clarity or any session-replay service.
- Embedded social-network cookies (Like buttons, Disqus comments, etc.).
- Affiliate or re-targeting cookies.
3. How can I delete or block them?
If you want to review or remove our cookies:
- Signing out removes the auth cookies (
auth_tokenandrefresh_token). - The localStorage keys (
cookie-ack,readiness-snooze) can be removed from your browser settings. - You can block all cookies in your browser, but the app won't be able to keep you signed in.
Official privacy-settings links for common browsers:
4. Changes to this policy
If we ever add any non-essential cookie or tracking technology — which is not on our roadmap today — we will update this table before activating it and ask for your consent again.
More on data handling in general: see the Privacy Policy.