OneFintel is designed to be GDPR-safe by default. The marketing website (onefintel.com) ships zero cookies on first load and uses no third-party advertising trackers. The portal and the live demo require a small number of strictly-necessary cookies to work — they are listed below.
1. Strictly-necessary cookies (no consent required)
- sb-access-token / sb-refresh-token — set by Supabase Auth after sign-in. Keeps you logged in. First-party, HTTP-only, Secure, SameSite=Lax. Lifetime: 1 hour (access) / 60 days (refresh).
- onefintel_csrf — CSRF token for billing and account actions. Session cookie only.
- onefintel_demo — tracks the 2-use limit of the live demo against your verified lead record. Lifetime: 12 months.
- __cf_bm (Cloudflare) — bot-management cookie set by our edge provider on suspicious requests. Lifetime: 30 minutes.
2. Cookies we do not use
- No Google Analytics, Facebook Pixel, LinkedIn Insight, or comparable behavioural trackers.
- No retargeting or advertising cookies.
- No persistent cookies on the public marketing website.
3. Server-side analytics
We use server-side analytics on aggregate HTTP logs only. These do not place a cookie on your browser and do not identify you as an individual.
4. Embedded widgets on customer sites
When OneFintel widgets are embedded on a customer's own site, no cookies are set on that site by OneFintel. If a customer chooses to add their own analytics, that is governed by their cookie policy, not ours.
5. Managing cookies
You can clear or block cookies in your browser settings. Blocking the strictly-necessary ones above will sign you out of the portal and reset your demo usage count. We will not surface a cookie banner where the law does not require one (the UK ICO and most EU DPAs accept that strictly-necessary cookies do not need consent).