Cookie Policy
Last updated: 2026-04-21 · Effective: 2026-04-21
This Cookie Policy explains which cookies and similar technologies Norden Vision OÜ sets on nordenagent.com and why. Read it alongside our Privacy Policy.
Under EU law (GDPR + ePrivacy), we only set cookies that are strictly necessary without your consent. For anything else (e.g., product analytics if we ever add them), we will ask for opt-in consent and make the choice reversible in-app.
1. What is a cookie?
A cookie is a small text file stored by your browser on your device. Similar technologies include localStorage, sessionStorage, and IndexedDB, which work the same way legally even though the browser stores them slightly differently. Unless we specify otherwise below, references to “cookies” include these.
2. Strictly necessary
Required for authentication, security, and basic site operation. These do not require your consent.
| Name | Purpose | Duration | Set by |
|---|---|---|---|
sb-access-token | Supabase session access token (short-lived JWT) | 1 hour | nordenagent.com |
sb-refresh-token | Supabase session refresh token | 30 days | nordenagent.com |
ref | Affiliate attribution. Stores the referral code from /r/[code] so a later signup credits the right affiliate. | 30 days | nordenagent.com |
cookie-consent | Records that you’ve seen and acknowledged the cookie notice, so we don’t show it again. | 12 months (localStorage) | nordenagent.com |
whatsNewLastSeen | Stores the last changelog entry you viewed, so the “What’s new” dot only pulses on genuinely new entries. | Persistent (localStorage) | nordenagent.com |
3. Functional / third-party
Set by third parties we integrate with for specific, user-initiated features. Scope is limited and the vendors’ own privacy policies govern these cookies.
| When it’s set | Provider | Purpose | More info |
|---|---|---|---|
| Checkout & billing portal | Stripe | Fraud prevention, session, payment-method tokenization. Strictly necessary for card entry to work. | stripe.com/cookies |
| Affiliate payouts (Stripe Connect onboarding) | Stripe | Same as above, inside the hosted Connect onboarding flow. | stripe.com/cookies |
4. Analytics and advertising
We do not currently set any analytics or advertising cookies. If we add product analytics (e.g. PostHog) in the future, we will: (a) update this policy, (b) show an explicit opt-in banner on first visit, and (c) default new visitors to “rejected” until they affirmatively accept. Our internal product-analytics events (logged server-side in usage tables) do not rely on cookies; they are tied to your authenticated session.
5. Multi-factor authentication
When you sign in and your session is at AAL1 but you have an enrolled TOTP factor, your Supabase session cookies above are used to remember the partial sign-in and to redirect you to the MFA challenge page. No separate “remember this device” cookie is set in v1 — every sign-in re-challenges until the Supabase session expires.
6. Your controls
- Clear cookies and site data at any time via your browser settings.
- Clearing authentication cookies signs you out.
- Clearing the
refcookie ends any in-flight affiliate attribution. - Use “Do Not Track” or privacy extensions — we do not use tracking cookies, so they won’t have much to block.
7. Changes
If we add new cookies or change existing ones, we will update this page and bump the version date at the top. Material changes (e.g., introducing analytics cookies) will trigger an in-product notice and a fresh consent request where legally required.