Cookie Policy
What we use, why, and how to control it. No third-party tracking in the MVP.
Draft template — not legal advice
This document is a starting-point template generated for the MoldLean launch. Before publishing or relying on it commercially, have it reviewed by a qualified attorney in your jurisdiction. Dates and versions below are placeholders.
This Cookie Policy explains what cookies and similar technologies are, which ones MoldLean uses, why, and how you can control them. It supplements our Privacy Policy.
1. What are cookies?
Cookies are small text files that a website asks your browser to store on your device. “Similar technologies” include localStorage, sessionStorage and IndexedDB — technically not cookies but treated equivalently in this Policy.
2. Cookies and storage used by MoldLean
We use the strict minimum required to make the Service work. As of the effective date no third-party analytics, advertising or behavioural tracking is in place.
2.1 Strictly necessary — authentication and security
| Name | Storage | Purpose | Lifespan |
|---|---|---|---|
| ml_access_token | localStorage | Keeps you signed in across page loads in the same tab | 24h sliding |
| ml_refresh_token | httpOnly cookie | Silent refresh of the access token | 30 days sliding |
| ml_csrf | httpOnly, SameSite=Strict | CSRF protection on authenticated mutations | Session |
| ml_locale | First-party cookie | Remembers your language preference (EN / ES) | 1 year |
| ml_theme (future) | First-party cookie | Remembers light / dark theme preference | 1 year |
These are strictly necessary within the meaning of the EU ePrivacy Directive (PECR). Consent is not required for these.
2.2 Cookies and storage we do NOT use
- Third-party analytics cookies (Google Analytics, Mixpanel, Segment, PostHog, etc.).
- Advertising or remarketing cookies (Facebook Pixel, Google Ads, etc.).
- Cross-site behavioural tracking.
- Session replay tools (FullStory, LogRocket, etc.).
- Heatmap or scroll-tracking tools.
If we add any of the above, we will update this Policy with at least 30 days' notice, deploy a consent banner that allows accept / reject / fine-tune choices, and honour your decision.
3. Third-party tooling that may set cookies
| Provider | When | What it does |
|---|---|---|
| Paddle | During checkout, only when you initiate a purchase | Fraud prevention, session on Paddle-hosted checkout |
| Cloudflare | Every request to our domains | DDoS protection, bot management, edge routing |
| Sentry | Only on opt-in feedback report | Associates the report with the session that produced the error |
4. How to control cookies and stored data
You can control or delete cookies and stored data through your browser settings.
4.1 Clear MoldLean storage manually
- Sign out of the Service (recommended).
- Open developer tools (F12 in most browsers).
- Go to Application → Storage → Local Storage (Chrome / Edge) or Storage → Local Storage (Firefox).
- Right-click the https://app.moldlean.com origin and select Clear.
- Do the same under Cookies.
Alternatively use Settings → Privacy → Clear browsing data and limit the time range to “Last 24 hours” if you only want to clear MoldLean.
4.2 Browser-specific links
5. Do Not Track
We do not perform cross-site tracking, so the DNT signal has no practical effect today. If we add analytics in the future, we will honour DNT as equivalent to a “reject all” consent choice.
6. Global Privacy Control (GPC)
We honour the GPC signal as a request to opt out of any “sale” or “sharing” of personal information for cross-context behavioural advertising. As we do not engage in such processing, the signal currently has no practical effect.
7. Changes to this Policy
For material changes (such as introducing a new category of cookies) we will give at least 30 days' notice by email and in-app banner.
8. Contact
- privacy@moldlean.com — privacy and cookie questions
- support@moldlean.com — general help