Cookies Policy
Effective: 2026-05-02 · Last updated: 2026-05-02 · Next scheduled review: 2026-11-02
The short version. The OffCoder Website (offcoder.com) uses a small set of strictly-necessary cookies and equivalent client-side storage (localStorage) to keep you signed in to your account, remember your currency preference, and protect against CSRF. We do not run advertising cookies, fingerprinting, or third-party trackers. The OffCoder mobile app does not use cookies; it uses Android's secure storage for tokens.
1. What is a cookie
A "cookie" is a small piece of data that a website asks your browser to store and send back with later requests, so the site can remember information between requests or visits. "localStorage" and "sessionStorage" are similar browser storage mechanisms; unlike cookies, their contents are not attached to requests automatically and are only read, and sent to our servers, by the Website's own scripts. We use both, sparingly. This Policy refers to all of them collectively as "cookies".
2. Categories we use
2.1 Strictly necessary (cannot be disabled)
These are required to operate the Website's authenticated features (the /account dashboard and the checkout flow). If you block them, those pages will not function.
Note on the storage choice. Tokens are presently stored in localStorage rather than in HttpOnly cookies. We have made this trade-off deliberately: the Website does not embed third-party scripts in the authenticated views, ships a strict Content-Security-Policy with explicit allow-lists, and rotates refresh tokens on every refresh per the binding described in our Security page §3. We are aware that a token held in localStorage is readable by any script executing on the offcoder.com origin, so a successful cross-site-scripting (XSS) attack on that origin could read and exfiltrate it, whereas an HttpOnly+Secure+SameSite=Strict cookie cannot be read by script at all and so offers stronger defence-in-depth: it limits what an injected script can do to issuing requests from the victim's browser while the attack is live, rather than stealing a token that keeps working elsewhere. We are evaluating a migration to HttpOnly cookies for the authenticated views. This Cookies Policy will be updated when that change ships.
| Name | Type | Purpose | Lifetime |
|---|---|---|---|
| offcoder_token | localStorage | Holds your access JWT after sign-in. Sent as Authorization: Bearer on API calls. | Until sign-out or 7 days, whichever is sooner |
| offcoder_refresh | localStorage | Refresh token used to mint new access tokens without re-login. | 30 days |
2.2 Functional
| Name | Type | Purpose | Lifetime |
|---|---|---|---|
| offcoder_currency | localStorage | Remembers whether you toggled INR or USD on the pricing page. | 1 year (set on toggle) |
2.3 Analytics
The Website uses Cloudflare Web Analytics for aggregate visit metrics (page views, top pages, country, referrer, time-on-page). Cloudflare Web Analytics is a privacy-first product that does not set any cookies, does not write to localStorage, and does not use any persistent identifier. It sends a single beacon per page view containing the URL, referrer, and a coarse-grained timestamp; no user is profiled across sessions or sites. Because no cookies or storage are used, this analytics processing is not subject to the EU ePrivacy "cookie consent" requirement. We additionally use server-side request logs (containing IP and User-Agent) for security and capacity-planning purposes; that processing is described in our Privacy Policy and likewise does not involve cookies.
2.4 Advertising
None. We do not place advertising cookies, do not run remarketing pixels, and do not participate in cross-context behavioural advertising. We do not sell your data.
3. Third parties that may set cookies on related pages
- Cloudflare — our CDN may set anti-bot and DDoS-protection cookies (`__cf_bm`, `cf_clearance`) under the offcoder.com domain. These are strictly necessary for bot mitigation and for protecting the site against denial-of-service abuse; they do not track you across other websites and are not used for analytics or advertising. `__cf_bm` has a 30-minute lifetime. `cf_clearance`, where set, has a lifetime configured at the Cloudflare-zone level; Cloudflare's default is up to 30 days, and we configure it on a per-incident basis for no longer than necessary to satisfy the challenge. Governed by Cloudflare's own cookie policy.
- Razorpay Checkout — when you complete a payment, the Razorpay Checkout widget (loaded from checkout.razorpay.com) sets cookies under their own domain to protect against fraud and manage the payment session. Those cookies are governed by Razorpay's own cookie policy.
- OAuth providers (Google, GitHub, etc.) — when you sign in via an OAuth provider, that provider may set or read cookies under their own domain as part of authenticating you. Those cookies are not set by us, are not readable by us, and are governed by the provider's own cookie policy.
4. The mobile app
The OffCoder Android application does not use HTTP cookies. Authentication tokens are stored in platform-encrypted storage backed by the Android Keystore, accessed via the platform's standard secure-storage APIs (currently the flutter_secure_storage wrapper, which delegates to Android's EncryptedSharedPreferences). App-side preferences (e.g. update-banner-dismissed timestamp, biometric-lock toggle) are stored in standard SharedPreferences on the device and never leave it. If iOS support ships, tokens will be stored in the iOS Keychain via the equivalent platform API, and this paragraph will be updated accordingly.
5. How to control cookies
You can clear cookies and localStorage from your browser settings at any time. Doing so will sign you out of /account and reset your currency toggle. Most browsers also let you block all cookies — do that and the Website's authenticated features will not work, but the public pages (home, pricing, legal) will continue to load.
The "Do Not Track" header, where supported by your browser, is honoured by us in the sense that we do not track you regardless. We have no third-party trackers to opt out of.
We also honour the Global Privacy Control (GPC) signal where transmitted by your browser, treating it as an opt-out signal for any data processing that would otherwise require an opt-out under CCPA / CPRA (and equivalent state privacy laws). Because we do not currently sell or share personal information for cross-context behavioural advertising and do not run targeted-advertising or sale-of-data flows, the practical effect of a GPC signal on our site is identical to our default behaviour today; the commitment becomes load-bearing if we ever introduce a category of processing that would be subject to opt-out.
6. Changes to this Policy
We may revise this Policy. The current version is always at this URL. Material changes are notified by an updated effective date.