Health OS

Cookies Policy

Last updated: 2026-04-17

This document lists every cookie and similar technology (localStorage) that Health OS uses. We use no analytics cookies, no advertising cookies, and no cross-site tracking.

1. What are cookies

Cookies are small text files stored by your browser so that a website can remember state between requests (for example, that you are logged in). localStorage is a similar mechanism, but data stays only in the browser and is not sent to the server.

2. Cookies we use

2.1. Session cookie (strictly necessary)

  • Name: connect.sid
  • Domain: os.health-os.app
  • Purpose: stores the session identifier after you sign in with Google OAuth. Without it, staying logged in is impossible.
  • Attributes: HttpOnly, Secure, SameSite=Lax
  • Lifetime: 30 days (refreshed on activity)
  • Legal basis: performance of contract (Art. 6(1)(b) GDPR). No consent is required for strictly necessary cookies.

2.2. Cloudflare cookies (infrastructure)

Cloudflare (our CDN and bot protection) may set operational cookies (__cf_bm, cf_clearance) only on the health-os.app domain (public landing) to protect it from attacks. The application at os.health-os.app talks directly to EU infrastructure and does not set Cloudflare cookies. These cookies are not used for analytics or advertising. See Cloudflare Cookie Policy.

3. What we store in localStorage

  • bioforge-theme — your selected UI theme (matrix / anthropic / dracula / arctic-clinical). Never sent to the server.
  • analytics-optout — set to 1 when you toggle off “Share anonymous usage data” in Settings → Privacy & Analytics. Read at page load on both os.health-os.app and health-os.app to skip PostHog initialization. Stored per origin; clearing browser storage re-enables analytics (unless Do Not Track is on).

localStorage is not a cookie, but we list it here for completeness.

4. What we do NOT use

  • No analytics cookies. PostHog is configured in cookie-less mode — the session identifier lives in page memory only and is not persisted between visits.
  • No advertising cookies. We do not serve ads and do not integrate with ad networks.
  • No tracking pixels (Facebook Pixel, Google Ads, etc.).
  • No cross-site tracking.

5. Third-party cookies during login

When you sign in via Google OAuth, you temporarily interact with accounts.google.com. Google may set its own cookies on that domain. This is governed by Google’s Privacy Policy.

6. How to control cookies

  • Disable in browser: you can disable cookies in your browser settings. In that case, signing in to Health OS will not work — the session cookie is strictly necessary.
  • Clearing: deleting cookies for os.health-os.app signs you out.
  • Do Not Track: we respect the DNT: 1 signal, but it does not affect the session cookie (it is required for the service to function).

7. Changes

If we add new cookies (e.g. for a paid tier or new integrations), we will update this document and bump updatedAt. Material changes will be announced in-app.

8. Contact

Questions: [email protected].

© 2026 Health OS