Cookies

What we set, why, and how to refuse

A short list of cookies on this site. No advertising, no profile building, no data sold. You can change your mind at any time from the footer.

EU-hosted analytics · No advertising cookies · No cross-site tracking · Change your mind anytime

Last updated: 2026-05-15

In one paragraph: This site (norcube.com) sets two kinds of cookies. Strictly necessary ones (your consent choice, basic CDN security) — always on; we cannot offer a working website without them. Analytics ones (one PostHog cookie, EU-hosted in Frankfurt) — only set if you click Accept on the banner. There are no advertising cookies, no profile building, no data sold. You can change your mind at any time using the "Cookie preferences" link in the footer.

A cookie is a small text file a website asks your browser to store. Your browser sends it back to that website on every subsequent request, which lets the site remember things between visits (your login, your language, your consent choice, that you have been here before, …).

The EU's ePrivacy Directive (the so-called "Cookie Law") requires us to be upfront about what cookies we set and to get your consent for anything beyond strictly necessary.

# Cookies on the marketing site (norcube.com)

Strictly necessary — always on

| Cookie | Provider | Purpose | Expiry |
| --- | --- | --- | --- |
| cc_cookie | Norcube (Jetlio, s.r.o.) | Remembers which cookie categories you accepted, so the banner does not reappear | 6 months |
| __cf_bm | Cloudflare | Distinguishes humans from bots at the CDN edge — required for security | 30 minutes |
| _cfuvid | Cloudflare | Lets Cloudflare apply rate-limit rules per session — security | Session |

These cookies are exempt from the consent requirement under Article 5(3) of the ePrivacy Directive because they are strictly necessary to deliver the service you asked for (i.e. to securely serve a webpage).

Analytics — only set if you click Accept

| Cookie | Provider | Purpose | Expiry |
| --- | --- | --- | --- |
| ph_phc_uZoPx…_posthog | PostHog (EU-hosted, Frankfurt) | A random visitor identifier (distinct_id) plus minimal session info, so we can see which pages help readers and where they get stuck | 12 months |

PostHog is configured with auto-capture disabled and session recordings disabled — we only capture page views and the consent decision itself. The PostHog cookie does not contain your name, email, IP address, or any direct identifier; just a random ID. We hold the EU-hosted PostHog instance under a Data Processing Agreement, listed on the subprocessors page.

If you click Decline, no analytics cookie is ever set, and no analytics data is sent to PostHog.

# Cookies in the product (app.norcube.com)

When you log in to the Norcube application, one additional cookie is set:

| Cookie | Provider | Purpose | Expiry |
| --- | --- | --- | --- |
| jds_refresh_token | Norcube | Keeps you signed in. Holds a signed refresh token (JWT). Set as HttpOnly + Secure + SameSite=Lax, so JavaScript cannot read it and other origins cannot send it. | 24 hours (re-issued on each refresh) |

This cookie is strictly necessary: without it you cannot stay signed in. It is not used for analytics or marketing in any way.

Product analytics in the app does not use cookies or local storage. Our analytics tool (PostHog, EU-hosted) is configured in memory-only mode inside app.norcube.com, so event data is held in the JavaScript runtime only and nothing is written to your browser's terminal equipment. This keeps in-app analytics outside the scope of the ePrivacy "cookie law" (Art. 5(3)) — no separate consent banner is needed for it. The processing itself runs under our legitimate interest in improving the product (GDPR Art. 6(1)(f)), and you can object via the Disable product analytics toggle in account settings.

The product also stores small amounts of UI state in localStorage (your last-opened project, table sort order, etc.). These are stored locally in your browser, never sent to a server, and you can clear them via your browser's "clear site data" tool.

# How we protect cross-origin requests (no third-party CSRF tokens)

We don't set additional CSRF-token cookies. Instead we use two GDPR/ePrivacy-friendly browser features:

  • The refresh-token cookie is SameSite=Lax, so a third-party site cannot cause your browser to send it on a state-changing POST it didn't initiate
  • Sensitive endpoints (such as the CLI-token exchange) additionally require a custom HTTP header that browsers will not send cross-origin without an explicit CORS preflight

This achieves the same protection as a CSRF token without adding more cookies.
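A sketch of the server-side half of the two checks described above, added here as an illustration and not Norcube's own code. The header name `x-requested-by` and the function names are assumptions; the cookie name, its attributes and the app origin are taken from this page.

```python
from http.cookies import SimpleCookie

APP_ORIGIN = "https://app.norcube.com"   # origin named on this page
REQUIRED_HEADER = "x-requested-by"       # hypothetical custom header name
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def refresh_cookie(token: str) -> str:
    """Build the Set-Cookie value with the attributes the page lists."""
    jar = SimpleCookie()
    jar["jds_refresh_token"] = token
    morsel = jar["jds_refresh_token"]
    morsel["httponly"] = True        # not readable from JavaScript
    morsel["secure"] = True          # HTTPS only
    morsel["samesite"] = "Lax"       # withheld on cross-site POSTs
    morsel["max-age"] = 24 * 3600    # 24 hours, re-issued on refresh
    return morsel.OutputString()


def preflight_headers(origin: str) -> dict:
    """Answer a CORS preflight: only the app's own origin may send the header."""
    if origin != APP_ORIGIN:
        return {}  # no Access-Control-* headers, so the browser blocks the call
    return {
        "Access-Control-Allow-Origin": APP_ORIGIN,
        "Access-Control-Allow-Headers": REQUIRED_HEADER,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


def allow_request(method: str, headers: dict) -> bool:
    """Gate a sensitive endpoint: state-changing calls need the custom header."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if method.upper() in SAFE_METHODS:
        return True
    if not lowered.get(REQUIRED_HEADER):
        return False  # an HTML form on another site cannot add this header
    origin = lowered.get("origin")
    # Defence in depth: when the browser sends Origin, it must be ours.
    return origin is None or origin == APP_ORIGIN
```

Because the custom header is not on the CORS safelist, a cross-origin script that tries to set it triggers a preflight, and `preflight_headers` gives a foreign origin nothing to proceed with.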

# Cookies we deliberately don't use

  • Advertising / retargeting cookies (Google Ads, Meta Pixel, LinkedIn Insight, …)
  • Marketing-automation cookies (HubSpot, Marketo, Pardot, …)
  • Cross-site tracking cookies of any kind
  • Browser fingerprinting libraries
  • Session-replay tools that record actual mouse / keyboard input
  • A/B-testing or personalisation cookies on the marketing site

# How to change your mind

  • Re-open the banner: click "Cookie preferences" in the footer of any page on this site. You will see the same choices as the first time, with your current state pre-selected
  • Browser controls: every modern browser lets you clear cookies for a single site. After clearing, the banner will appear again on your next visit
  • Do Not Track: if your browser sends the DNT: 1 header, our analytics tool is configured to respect it and will not capture data even if you previously accepted

Clearing cookies on the product domain (app.norcube.com) will log you out.

# How we keep this page accurate

When we change which cookies are set (adding, removing, or replacing), we:

  1. Update the table above and the "Last updated" date
  2. Update the consent banner so new categories require fresh consent
  3. Notify enterprise customers who have a notice clause in their contract

We will never silently start setting a new tracking cookie.
