Cookie Policy

Cookie Policy v1.0 · Effective: April 25, 2026 · Last updated: April 25, 2026

Short version: we use only first-party essential cookies that the site needs to work (no third-party trackers, no advertising cookies, no analytics). When you accept the banner, your consent is recorded locally in your browser and — for audit purposes — anchored in our tamper-evident BLAKE3 audit chain so that we can demonstrate to a Romanian or EU supervisory authority exactly when, from where, and on what configuration consent was given.

1. What is a cookie

A cookie is a small text file that a website stores in your browser so the site can remember information about you (preferences, language, session, consent state) across page loads. Some cookies are essential — without them the site cannot function. Others are optional and used for analytics, advertising, or third-party integrations. We use only the essential category.

2. Cookies set on auth.caitech.ro

Cookie / storage key	Purpose	Type	Duration
`cai_cookie_consent_v1` (localStorage)	Records that you accepted the cookie banner — prevents re-prompting on every page load.	Essential, first-party, no PII	Until you clear browser storage
`session` (HttpOnly, Secure, SameSite=Strict)	Authenticated session for the admin areas of the service. Set only after a successful CAI-AUTH login.	Essential, first-party, no PII beyond session ID	15 minutes idle / 24 hours max
`X-Request-Id` (response header, not a cookie)	Per-request correlation identifier for support and incident response.	Diagnostic, transient	Single request

No Google Analytics. No Facebook Pixel. No advertising tags. No fingerprinting libraries. No cross-domain trackers. The Chrome extension and the Android app similarly do not embed any third-party SDK that performs behavioural profiling.

3. Audit of your consent

Current state (v0.17.2.3): when you accept the cookie banner, your choice is stored only in your own browser's localStorage under the key cai_cookie_consent_v1. No copy is sent to or recorded by our server. You can clear it at any time from your browser settings; on the next visit the banner will reappear.

Because the consent record is local to your device, we cannot reconstruct it on a supervisory authority's request — but neither can we be compelled to disclose it, since it does not exist on our infrastructure. Your consent is recorded in a way that you alone control.

Roadmap: a server-side BLAKE3 tamper-evident Merkle audit chain (timestamp, path, referrer, truncated User-Agent, salted-hashed IP, consent category, banner version) is planned for a future release. Until that ships, the section above describes the entire current cookie-consent handling. Questions: office@caitech.ro.

4. Audit of access by source (ALL endpoints)

Beyond cookies, every request that reaches the CAI-AUTH service — landing page, download links, API endpoints, admin console — is logged with: timestamp, path, response code, response time, truncated User-Agent, hashed source IP, X-Request-Id correlation token. The same is true for the Chrome extension's calls to its update channel and the Android app's calls to the FCM push registration endpoint. We use this access log strictly to:

Detect abuse (rate-limiting, brute-force, scanning)
Diagnose support tickets ("why did my download fail at 14:32?")
Demonstrate, to an auditor, that no unauthorised access has occurred
Comply with retention obligations under DORA Art. 17 (financial customers) and HIPAA §164.312(b) (healthcare customers)

We do not resell, share, or repurpose this access log. It is not used to build user profiles, infer interests, target advertising, or train AI models.

5. Your choices

Browser controls. You can clear the cai_cookie_consent_v1 entry from localStorage at any time (DevTools → Application → Storage). The banner will reappear and you can re-decide.
Block cookies entirely. If your browser blocks all cookies, the banner stays hidden but the site still works in read-only mode (downloads, public pages). The authenticated admin area requires the session cookie — you cannot use it without enabling cookies for our domain.
Global Privacy Control (GPC). We honour the GPC signal: if your browser sends it, we treat the visit as do-not-record for the optional analytics tier (which is currently empty anyway).
Right to access & deletion. Email office@caitech.ro with proof of association (the IP-hash neighbourhood you visited from + approximate date) and we will return or delete records within 30 days, per GDPR Art. 15 / 17.

6. Updates to this policy

We will update this Cookie Policy whenever we add, remove, or change cookies. The current version and effective date appear at the top. If a change is material (e.g. we ever introduce optional analytics or third-party cookies), we will re-prompt you for consent.

7. Contact

Cookie or privacy queries: office@caitech.ro
Postal: CAI Technology S.R.L., Str. Victor Brauner 34, Bucharest, Romania
Supervisory authority: ANSPDCP — Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal

← Back to home