Browser Storage Policy
This policy covers all technologies used to store information in your browser — localStorage, sessionStorage, and HTTP cookies. We primarily use localStorage and sessionStorage; we do not use HTTP cookies for session management. We do use a small set of analytics cookies set by Google Analytics 4 — these are disclosed in Sections 1.1, 1.2 and 3.2 below.
1. What We Store and Why
1.1 Application (app.sofibia.com)
The following items are stored when you log in to the Sofibia application:
| Key | Storage | Duration | Purpose | Category |
|---|---|---|---|---|
| authToken | localStorage | 15 min (auto-expires) | JWT access token for API authentication | Strictly Necessary |
| refreshToken | localStorage | 30 days | Refresh token to obtain new access tokens without re-login | Strictly Necessary |
| user | localStorage | Until logout | Cached user profile (name, email, role) to reduce API calls | Strictly Necessary |
| tenant | localStorage | Until logout | Cached organization context for multi-tenant routing | Strictly Necessary |
| themeMode | localStorage | Persistent | UI colour theme preference (light/dark). No personal data. | Preference |
| chipStyle | localStorage | Persistent | UI chip display preference. No personal data. | Preference |
| sidebarCollapsed | localStorage | Persistent | Navigation sidebar collapsed state. No personal data. | Preference |
| i18nextLng | localStorage | Persistent | Selected interface language (en, uk). No personal data. | Preference |
| authToken | sessionStorage | Session (tab) | Temporary JWT during support-staff impersonation. Cleared on tab close. | Strictly Necessary |
| user | sessionStorage | Session (tab) | Temporary user context during impersonation. Cleared on tab close. | Strictly Necessary |
| tenant | sessionStorage | Session (tab) | Temporary tenant context during impersonation. Cleared on tab close. | Strictly Necessary |
| isImpersonating | sessionStorage | Session (tab) | Flag indicating active support-staff impersonation session. | Strictly Necessary |
| oauth_return_path | sessionStorage | Until OAuth completes | Return URL after Google OAuth login. Cleared automatically. | Strictly Necessary |
| oauth_auth_result | sessionStorage | Until OAuth completes | OAuth callback state during Google login handshake. Cleared automatically. | Strictly Necessary |
| privacyNoticeVersion | localStorage | Persistent | Records the version of the privacy notice you dismissed. No personal data. | Strictly Necessary |
| _ga | cookie | 13 months | Google Analytics — distinguishes anonymous visitors. Set when you are signed in to the application; not set on the public feedback form (/f/*). | Analytics |
| _ga_CC8G95CMWB | cookie | 13 months | Google Analytics — stores session state for our property. Same scope as _ga. | Analytics |
1.2 Marketing Website (sofibia.com)
The marketing website reads your JWT token from localStorage (read-only) to determine whether to show the "Log in" or "Go to account" button. No token is sent to any third party. The site stores privacyNoticeVersion in localStorage when you dismiss the privacy notice.
We also use Google Analytics 4 on the marketing website to measure aggregate traffic (visits, country, traffic source). This sets two first-party cookies — _ga and _ga_CC8G95CMWB — described in the table in Section 1.1 and in Section 3.2 below.
1.3 No Behavioural Advertising
We use Google Analytics 4 for aggregate usage measurement only (visits, country, traffic source, navigation paths inside the dashboard). We do not use browser storage for cross-site advertising, retargeting, or behavioural ad profiling, and no third-party advertising networks set storage on our domains. Google Analytics is configured without Google Signals and without advertising features, and IP addresses are anonymized.
Google Analytics is not loaded on the public feedback form (sofibia.com/f/*): respondents who only submit a feedback form receive no analytics cookies from us.
2. Strictly Necessary Storage
All authentication and session items are strictly necessary for the Service to function. Under Article 5(3) of the EU ePrivacy Directive, strictly necessary storage does not require your consent. Preference items (theme, language) are low-risk, non-personal, and directly serve the functionality you selected. Analytics cookies (Section 1.1) are not strictly necessary; we rely on legitimate interest (GDPR Art. 6(1)(f)) for aggregate, anonymized usage measurement and do not use them for advertising.
3. Third-Party Storage
3.1 Google OAuth
If you choose to sign in with Google, Google may set its own cookies and localStorage items as part of the OAuth 2.0 flow. This is governed by Google's Privacy Policy.
3.2 Google Analytics 4
We use Google Analytics 4 (Google Ireland Limited / Google LLC) to understand aggregate usage of the marketing website and the application dashboard. The _ga and _ga_CC8G95CMWB cookies are set as first-party cookies on the sofibia.com domain. We send Google: the URL you are viewing, your approximate location derived from a truncated IP address (full IP is not stored), basic device and browser information, and the names of in-app actions (e.g. "feedback form created"). We do not send your name, email, feedback content, or any other identifying information. This is governed by Google's Privacy Policy.
4. Your Controls
4.1 Clearing Storage
You can clear all localStorage and sessionStorage data at any time through your browser's developer tools or privacy settings. Effect: clearing storage will log you out. No other functionality is affected.
- Chrome / Edge: F12 → Application → Storage → Local Storage → right-click → Clear
- Firefox: Settings → Privacy & Security → Cookies and Site Data → Manage Data → Remove sofibia.com
- Safari: Settings → Privacy → Manage Website Data → Remove sofibia.com
4.2 Logging Out
Logging out revokes your refresh token server-side and clears all authentication data from localStorage and sessionStorage.
4.3 Private / Incognito Mode
In private mode, localStorage and sessionStorage are cleared when you close the private window. No persistent session data is retained.
5. Contact
Questions about our browser storage practices:
Email: privacy@sofibia.com
Website: sofibia.com