Cookie Policy
Last reviewed: 2026-05-08
Cookie consent version: 1
Opbox uses a small number of cookies and equivalent client-side storage to keep you signed in, protect requests against forgery, and remember preferences. This page lists every cookie we set, what it is for, and how to change your decision.
Categories
We group cookies into four categories. Only strictly necessary cookies are set without your consent; everything else stays off until you opt in.
| Category | Consent required? | Default |
|---|---|---|
| Strictly necessary | No (PECR Reg. 6(4) exemption) | Always on |
| Functional | Yes | Off until accepted |
| Analytics | Yes | Off until accepted (none in use today) |
| Marketing | Yes | Off until accepted (none in use today) |
Strictly necessary
These cookies are required for Opbox to operate. Without them you cannot sign in or submit any form.
| Cookie | Purpose | Lifetime |
|---|---|---|
| next-auth.session-token / __Secure-next-auth.session-token | Authenticated session | Up to 12 hours |
| next-auth.csrf-token / __Host-next-auth.csrf-token | NextAuth CSRF guard for sign-in | Session |
| next-auth.callback-url / __Secure-next-auth.callback-url | Post-login redirect target | Session |
| csrf-token | App-level CSRF double-submit token | Up to 12 hours |
| __Host-sso-oidc-state | OIDC PKCE state during SSO redirect | 10 minutes |
| opbox_cookie_consent | Stores your cookie consent decision so we do not re-prompt | 12 months |
All of the above are HttpOnly and Secure in production, with SameSite=Lax or SameSite=Strict.
Functional
User-experience preferences. Off by default; turn them on from the banner or Settings → Cookies.
| Storage | Purpose | Lifetime |
|---|---|---|
| information-theme (localStorage) | Persists your theme choice (light, dark, neon, ember, ocean, system) | Until you clear browser storage |
| opbox-fonts (localStorage) | Persists your custom font stack | Until you clear browser storage |
We treat persistent localStorage the same as cookies under PECR/GDPR. Writes are gated on your consent; reads of an already-stored value are not.
Analytics
None today. Opbox does not currently embed any analytics or session-replay tooling. If we introduce analytics in the future, this page will be updated before the loader ships and your existing consent will be re-prompted.
Marketing
None today. Opbox is B2B SaaS with no in-product marketing pixels, retargeting tags, or conversion trackers.
Your choices
You have three options when the banner appears, all of equal visual weight:
- Accept all — turns on functional, analytics, and marketing categories.
- Reject non-essential — leaves only strictly necessary cookies enabled.
- Customize — choose categories individually.
You can change your decision at any time:
- Signed in: go to Settings → Cookies.
- On public pages: click Cookie preferences in the footer.
Resetting your preferences re-shows the banner so you can make a fresh choice.
When we re-prompt
We re-show the banner when:
- You have no consent cookie yet.
- We materially change what cookies we use or why (we increment the consent version).
- The stored cookie is malformed.
- You explicitly reset your preferences.
We do not re-prompt on sign-in, sign-out, route changes, or language changes.
Legal basis
- Strictly necessary cookies are set under PECR Reg. 6(4) and do not require consent.
- All other categories rely on your explicit opt-in under PECR and GDPR Art. 6(1)(a).
- The decidedAt timestamp inside opbox_cookie_consent is our record of consent under GDPR Art. 7(1).
Contact
For questions or to exercise your data-subject rights, contact privacy@opbox.app.