Last updated May 10, 2026
CheckInOS uses cookies and similar technologies to run and secure our service and, where enabled, to understand website usage. This policy explains what we use, why we use it, and your choices.
Cookies are small text files stored on your device by websites. We also use browser/device storage technologies (such as localStorage) that are not cookies but may store similar settings on your device.
For cookies and similar storage technologies, we apply consent or exemption rules under applicable ePrivacy-style requirements (for example, strictly necessary technologies may be used without consent where legally exempt; optional analytics require consent where required).
Separately, for any personal data processed via those technologies, we rely on GDPR/UK GDPR legal bases as applicable, including contract necessity, legitimate interests, consent (for optional analytics), and legal obligations.
| Category | Provider/Technology | Typical identifiers | Purpose | Consent position | Typical retention |
|---|---|---|---|---|---|
| Strictly Necessary (Authentication & Security) | Auth.js / NextAuth (runtime-managed) | Session token, CSRF token, callback URL cookies (names may vary by runtime/prefixes such as __Secure- or __Host-) | Keep users signed in, secure sessions, prevent CSRF, complete auth redirects | Used without consent where legally exempt as strictly necessary | Session and/or limited configured durations |
| Optional Analytics | Vercel Analytics (if enabled) | Analytics identifiers / event-related storage as configured | Understand aggregate usage and improve product performance | Consent-first where legally required (including EEA/UK) | Provider/config dependent; limited and periodically refreshed |
| Local browser storage (non-cookie) | CheckInOS app localStorage | attendee-filters-${eventId}, resetOnboarding | Save filter preferences and onboarding reset state | Subject to the same consent/exemption rules that apply to device storage technologies where legally required | Until cleared by user/browser or overwritten by app logic |
Depending on features used, relevant providers include: Vercel, Supabase, Upstash, Resend, Google OAuth, Microsoft Entra ID.
Where a provider sets or reads cookies or similar storage, those technologies should be reflected in our cookie disclosures and consent tooling, as applicable. Providers may act as processors or independent controllers depending on the specific function (for example, identity providers during sign-in).
localStorage entries in your browser. Blocking strictly necessary cookies may prevent sign-in or core functionality.
Some providers may process data outside your country. Where required, we use appropriate transfer safeguards (such as contractual measures). International transfers may still involve residual risk due to differences in local legal regimes.
We may update this policy to reflect legal, technical, or product changes. We will publish the updated version on this page and revise the "Last updated" date.
We take reasonable steps to configure cookie and storage controls, but some functions depend on third-party services, browser behavior, and device settings that are not fully under our control. As a result, availability or effectiveness of certain controls may vary by provider, browser, or environment.
Nothing in this policy limits rights that cannot be limited under applicable law, including statutory data protection rights.
For privacy or cookie questions, contact events@checkinos.com.