Cookies Policy

1. What This Policy Covers

This policy explains how Coomerang uses cookies, localStorage, and similar browser storage technologies. These technologies can store information on your device or access information already stored on your device.

Coomerang currently uses these technologies for essential, security, authentication, preference, and editor functionality. We do not currently use advertising cookies, behavioural tracking cookies, or third-party analytics cookies.

2. Essential Cookies and Storage

We use essential storage to provide the service you request, keep you logged in, protect your account, prevent fraud and CSRF attacks, remember core preferences, and support the comic editor.

• x-csrf-token cookie: helps protect state-changing requests against CSRF attacks. This cookie is readable by the app because the service uses a double-submit CSRF pattern.
• __Host-sessionId or sessionId cookie: supports server-side sessions used for flows such as Google OAuth. In production this cookie is HTTP-only and secure.
• token and refreshToken in localStorage: keep your account session active until logout, expiry, or replacement.
• user in localStorage: stores a limited cached copy of your user profile for the app interface.
• userLanguage in localStorage: remembers your selected language.
• coomerang.showAIPanelButtons in localStorage: remembers whether AI panel buttons are shown in the editor.
• Editor and application state: local browser storage may be used to preserve in-progress editor state or preferences and reduce the risk of losing work.

3. Non-Essential Cookies

We do not currently set non-essential analytics, advertising, social media tracking, or behavioural profiling cookies. If we introduce non-essential storage in the future, we will update this policy and provide consent controls where required by law before enabling it.

4. Third-Party Services

Some third-party services may set their own cookies or use storage when you interact with them or when their resources are loaded.

• Stripe: payment checkout, subscription management, billing portal, fraud prevention, and payment security.
• Google: Google Sign-In if you use it, Google Fonts loaded by the frontend, and Google services used for moderation on the server side.
• Cloudflare: content delivery, media delivery, performance, and security.
• Didit: age verification when you start the mature-content verification flow.
• OpenAI: AI image generation and editing requests are sent server-side; OpenAI's own sites or services may have their own cookie practices if you visit them separately.

We do not permit third-party advertising networks or social media tracking pixels in the Coomerang frontend at this time.

5. Retention

• Session cookies generally expire when their configured session or maximum age ends. The OAuth session cookie is configured for up to 24 hours.
• Authentication tokens remain in browser storage until logout, expiry, replacement, or manual clearing.
• Preference values remain until you change them or clear browser storage.
• Local editor state may remain until it is saved, replaced, deleted by the app, or cleared by you.

6. Managing Cookies and Storage

You can clear or block cookies and localStorage in your browser settings. If you do, some Coomerang features may stop working properly, including login, account security, Google OAuth, subscriptions, age verification, and editor preferences.

7. Security

We use HTTPS, secure cookie settings in production, signed authentication tokens, CSRF protection, and access controls. JWTs are signed rather than encrypted, so they should not be copied, shared, or exposed.

8. Changes

We may update this Cookies Policy when our storage practices, providers, or legal obligations change. We will update the "Last updated" date and provide additional notice for material changes where appropriate.

9. Company Information

Coomerang is operated by Coomerang LTD, registered in England and Wales under company number 16557189, with registered office at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom.

10. Contact

Questions about cookies or browser storage can be sent through our Contact page or to [email protected] with the subject line "Cookies Policy Inquiry".