Cookie Policy

LAST_UPDATED: 22 FEB 2026
EFFECTIVE: 22 FEB 2026

DocFlo uses only strictly necessary, first-party cookies. No advertising, analytics, or tracking cookies of any kind. This page explains exactly what we use and why.

01

What Are Cookies?

A cookie is a small text file stored on your device when you visit a website. Your browser sends it back on each subsequent visit, allowing the site to remember information like your session. DocFlo uses only strictly necessary, first-party cookies — the minimum required to run the service.

BY LIFESPAN

Session (deleted on close) or persistent (set expiry date)

BY ORIGIN

First-party (set by this site) or third-party (set by another domain)

BY PURPOSE

Strictly necessary, functional, analytics, or advertising

02

Types of Cookies

STRICTLY NECESSARY ● USED

Required for the website to function. Cannot be switched off without breaking core features. Do not require consent under the ePrivacy Directive.

FUNCTIONAL / PREFERENCE ○ NOT USED

Remember choices like language or theme. Not required for basic operation. Require consent.

PERFORMANCE / ANALYTICS ○ NOT USED

Collect usage data to improve the site (Google Analytics, Mixpanel, Hotjar etc.). Require consent.

ADVERTISING / TARGETING ○ NOT USED

Track behaviour across sites to serve personalised ads (Meta Pixel, Google Ads, LinkedIn Tag etc.). Require explicit consent.

03

Cookies We Use — Full Reference

Every cookie set by docflo.app, with full technical attributes. All are strictly necessary and first-party.

| NAME | DURATION | HTTPONLY / SECURE / SAMESITE | PURPOSE |
| --- | --- | --- | --- |
| next-auth.session-token | 30 days (rolling) | Yes / Yes / Lax | Holds your encrypted session after sign-in. Identifies you on each request without re-auth. Contains only an opaque signed reference — no personal data in the value itself. |
| next-auth.csrf-token | Session | Yes / Yes / Strict | Cross-Site Request Forgery token pair. Protects form submissions and API mutations from being triggered by malicious third-party pages. Regenerated on each sign-in. |
| next-auth.callback-url | Session | Yes / Yes / Lax | Stores the redirect URL after sign-in completes (e.g. the protected page you were trying to reach). |
| anon_id | 90 days | No / Yes / Lax | Random UUID for non-signed-in visitors. Used exclusively to enforce per-user rate limits on free tools. Cannot be linked to any personal data. |

HTTPONLY

When Yes — cookie cannot be read by JavaScript, protecting session tokens from XSS.

SECURE

When Yes — only sent over HTTPS, never plain HTTP.

SAMESITE=STRICT

Only sent for same-site requests. SAMESITE=LAX is also sent on top-level navigations. Both prevent CSRF.

04

Local Storage We Use

We also use browser localStorage for one item. Unlike cookies, local storage is never sent to the server — it stays entirely in your browser.

| KEY | VALUE | DURATION | PURPOSE |
| --- | --- | --- | --- |
| docflo_cookie_consent | “1” | Until site data cleared | Records that you dismissed the cookie notice so it does not reappear on every visit. |

Clear it anytime: DevTools → Application → Local Storage → docflo.app → delete docflo_cookie_consent. The notice will reappear on your next visit.

05

Legal Basis (ePrivacy Directive & GDPR)

Cookie use in the EU/EEA is governed by the ePrivacy Directive (2002/58/EC), implemented in national law (e.g. PECR in the UK). Strictly necessary cookies are exempt from the consent requirement — they are essential for a service explicitly requested by the user.

next-auth cookies

Required to provide the authenticated session you explicitly requested by signing in. Without these, sign-in is technically impossible.

anon_id

Required to enforce fair-use rate limits that allow us to offer free PDF tools without abuse — an operational necessity.

docflo_cookie_consent

Required to avoid showing the cookie notice on every page visit — a basic, expected user experience.

No consent gate needed

Because all our cookies are strictly necessary, we are not required to obtain consent before setting them. The cookie notice is shown for transparency only. If we ever add non-essential cookies in the future, we will implement a full consent management platform (CMP) before deploying them.

06

What We Do Not Use

Google Analytics / Google Tag Manager
Meta Pixel / Facebook tracking
LinkedIn Insight Tag
Twitter/X or TikTok pixels
Hotjar, FullStory, Clarity (session recording)
Mixpanel, Amplitude, Segment (analytics)
Intercom, Drift (chat widgets with cookies)
Affiliate or performance marketing pixels
Third-party CDN tracking cookies
Browser / device fingerprinting
Cross-site tracking of any kind
Retargeting or remarketing systems
07

First-Party vs Third-Party Cookies

● FIRST-PARTY (WHAT DOCFLO USES)

Set by the domain you are visiting (docflo.app). Only docflo.app can read them. Cannot track you across other websites.

○ THIRD-PARTY (NOT USED)

Set by a domain different from the one you are visiting. Can track behaviour across multiple sites. DocFlo sets zero third-party cookies.

While sub-processors like Stripe may set their own cookies when you visit their own sites directly, they set no cookies on docflo.app itself.

08

Managing & Deleting Cookies

BROWSER SETTINGS

View, delete, and block cookies via your browser's built-in settings. See Section 09 for step-by-step instructions per browser.

SITE-SPECIFIC DELETION

Most browsers let you delete data for a specific site only. Chrome/Edge: Settings → Privacy → Site Settings → search docflo.app → Delete.

PRIVATE / INCOGNITO MODE

Cookies are session-only in private mode — deleted when you close the window. Session cookies still work during your visit.

BROWSER EXTENSIONS

Extensions like uBlock Origin or Privacy Badger can block specific cookies. Since DocFlo has no third-party cookies, their effect is limited.

09

Browser-Specific Instructions

GOOGLE CHROME
  1. ⋮ Menu → Settings → Privacy and security → Cookies and other site data
  2. Click "See all site data and permissions" → search docflo.app → trash icon
  3. Or: Settings → Privacy → Clear browsing data → Cookies and other site data

MOZILLA FIREFOX
  1. ≡ Menu → Settings → Privacy & Security
  2. Under "Cookies and Site Data" → click Manage Data → search docflo.app → Remove
  3. Or: Clear Data → tick Cookies and Site Data → Clear

SAFARI (MACOS)
  1. Safari menu → Settings → Privacy tab
  2. Click "Manage Website Data…" → search docflo.app → Remove
  3. Ensure "Prevent cross-site tracking" is enabled (on by default)

SAFARI (IOS / IPADOS)
  1. Settings app → Safari → Advanced → Website Data
  2. Search docflo.app → swipe left to delete
  3. Or: tap "Remove All Website Data" to clear everything

MICROSOFT EDGE
  1. … Menu → Settings → Cookies and site permissions → Manage and delete cookies
  2. Click "See all cookies and site data" → search docflo.app → Remove
  3. Or: Ctrl+Shift+Delete → tick Cookies → Clear now

BRAVE
  1. ≡ Menu → Settings → Privacy and security → Clear browsing data
  2. Tick "Cookies and other site data" → Clear data
  3. Or: click the Brave shield icon on docflo.app → Advanced controls → Clear site cookies

10

Impact of Blocking Cookies

| COOKIE BLOCKED | IMPACT |
| --- | --- |
| next-auth.session-token | Unable to stay signed in. Redirected to sign-in page on every request. Paid plan features inaccessible. |
| next-auth.csrf-token | Sign-in fails with a CSRF error. Cannot sign in at all. |
| next-auth.callback-url | After sign-in you are redirected to the homepage instead of your intended page. Minor inconvenience only. |
| anon_id | Rate-limit system treats every request as a new visitor. Free quota may be exhausted immediately. Signing in removes this issue. |
| docflo_cookie_consent | Cookie notice banner reappears on every visit. No other functional impact. |

11

Frequently Asked Questions

Do I need to accept cookies to use DocFlo?

For anonymous use (processing PDFs without an account), only anon_id is set. For authenticated use, the NextAuth cookies are also required. All are strictly necessary — there is no consent gate to pass through.

Does DocFlo track me across other websites?

No. All DocFlo cookies are first-party and scoped to the docflo.app domain. They cannot be read by other websites. We have no advertising network relationships and no tracking pixels.

Are my uploaded PDFs associated with a cookie?

For authenticated users, operations are linked to your account. For anonymous users, operations are counted against your anon_id for rate-limiting only. File contents are never stored — deleted immediately after processing.

I see a cookie from a different domain on docflo.app. Why?

DocFlo sets no third-party cookies. If you observe one from another domain, please report it to privacy@docflo.app with the cookie name and domain so we can investigate.

Why doesn't DocFlo use analytics?

We made a deliberate product decision to avoid third-party analytics platforms that harvest user data. We operate on minimum data collection, and usage analytics fall outside that minimum.

Will you add more cookies in the future?

If we ever introduce non-essential cookies, we will: (1) update this policy before deploying them, (2) implement a consent management platform, and (3) notify registered users by email.

12

Changes & Contact

We may update this policy when we change our cookie usage or when laws change. Material changes will be reflected in an updated “Last updated” date. Registered users will be notified by email where required. Your continued use of DocFlo after any changes constitutes acceptance.

We respond to all cookie and privacy enquiries within 72 hours.