Octuo Cookie Policy
Octuo uses a small set of cookies and browser-storage entries. This document lists each one. There is no cookie consent banner because we do not use any tracking, advertising, or analytics cookies, only the essential cookies needed to run the Service. EU users: this falls under the "strictly necessary" exemption in the ePrivacy Directive.
This policy is part of the Privacy Policy.
1. Cookies (octuo.tutuo.ai)
| Name | Purpose | Type | Lifetime | Set by |
|---|---|---|---|---|
| __Host-octuo_jwt | Session authentication (JWT in HttpOnly cookie) | Strictly necessary | 1 hour (access); 7 days (refresh) | Octuo backend |
Notes:
- The __Host- prefix forces Secure + Path=/ and prevents a Domain attribute, which means the cookie cannot be set on subdomains and cannot leak to non-HTTPS pages.
- The cookie is HttpOnly, so JavaScript cannot read it (defense against XSS-based session theft).
- The cookie is SameSite=Lax, so it is not sent on cross-site POST requests (defense against CSRF on state-changing endpoints).
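A check for the three properties described in the notes above, as an added example (not Octuo's own code): it parses a Set-Cookie header value and reports which of the stated properties do not hold. The function names and the sample header values are constructed for illustration.

```javascript
// Added example: audit a Set-Cookie header value against the properties this
// policy states for __Host-octuo_jwt. Function names are hypothetical.

// Split "name=value; Attr; Attr=val" into the cookie name and a map of attributes.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const attrs = new Map();
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? "" : part.slice(i + 1).trim();
    attrs.set(key, val); // attribute names are case-insensitive
  }
  return { name, attrs };
}

// Return a list of findings; an empty list means every stated property holds.
function auditSessionCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  if (name.startsWith("__Host-")) {
    // Browsers reject a __Host- cookie unless all three conditions hold.
    if (!attrs.has("secure")) findings.push("__Host- requires Secure");
    if (attrs.get("path") !== "/") findings.push("__Host- requires Path=/");
    if (attrs.has("domain")) findings.push("__Host- forbids Domain");
  } else {
    findings.push("missing __Host- prefix");
  }
  if (!attrs.has("httponly")) findings.push("missing HttpOnly");
  const sameSite = (attrs.get("samesite") || "").toLowerCase();
  if (sameSite !== "lax") findings.push("SameSite is not Lax");
  return findings;
}

// Constructed sample headers (the token value is a placeholder, not a real JWT).
const GOOD = "__Host-octuo_jwt=PLACEHOLDER; Path=/; Secure; HttpOnly; SameSite=Lax; Max-Age=3600";
const BAD = "__Host-octuo_jwt=PLACEHOLDER; Domain=tutuo.ai; Path=/app; SameSite=None";

console.log(auditSessionCookie(GOOD)); // []
console.log(auditSessionCookie(BAD));
```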
2. Browser localStorage / sessionStorage
| Key | Purpose | Lifetime |
|---|---|---|
| octuo.ui.locale | Your language preference (en-US, zh-CN, etc.) | Until you clear browser storage |
| octuo.ui.theme | Light/dark theme preference (when picker ships) | Until you clear browser storage |
These keys are written by the Web client locally; they are never sent to our servers. Clearing them resets your preferences to defaults.
3. Third-party cookies
We do not load:
- Google Analytics, Plausible, or any other web-analytics provider.
- Facebook Pixel, Twitter Pixel, LinkedIn Insight Tag, or any other ad-network tracker.
- Intercom, Drift, or other live-chat widgets.
- Hotjar, FullStory, or other session-replay tools.
The only third-party JavaScript we load is Stripe.js, from Stripe, and only on the billing surfaces that need it (Customer Portal launch, Checkout redirect). Stripe sets its own cookies on stripe.com and js.stripe.com to prevent payment fraud; those cookies are governed by Stripe's privacy policy. We do not load Stripe.js on pages where you are not actively using billing features.
4. Apple and macOS clients
The Octuo macOS app uses the system Keychain to store authentication tokens (instead of cookies). The iOS app likewise uses the iOS Keychain. These are not browser cookies but serve the same session purpose.
5. Do Not Track
Because Octuo does not track you for advertising or analytics purposes, there is nothing for "Do Not Track" to disable. We respect your DNT signal in spirit by not tracking in the first place.
6. Changes
We may add a cookie if a future feature needs one. Each addition will be reflected in this document with the next version bump. We commit to never adding a tracking, advertising, or third-party-analytics cookie without surfacing a consent banner. If we do, this policy will list it explicitly here.
7. Contact
Cookie questions: privacy@tutuo.ai.