8x · Sales

Cookie Notice

⚠️ DRAFT — NOT LEGAL ADVICE. This document was generated to scope compliance work and MUST be reviewed and adapted by qualified counsel licensed in each operating jurisdiction (US, Brazil, Mexico, India) before any reliance or publication. Bracketed [PLACEHOLDERS] require confirmation.

Document version: [DRAFT v0.1 — YYYY-MM-DD to be set on counsel sign-off]


1. About this notice

This Cookie Notice explains how [8x LEGAL ENTITY NAME, a Delaware corporation] ("8x," "we," "us") uses cookies and similar browser-storage technologies on the 8x web platform (the "Platform"). It supplements, and should be read together with, our rep & applicant privacy notice (see privacy-notice-reps.md).

Scope of users. The Platform is used by sales representatives engaged as independent contractors and by applicants who sign up to be considered as such. This notice addresses the cookies set in those users' browsers when they access the Platform. It does not address prospects' personal data (prospects do not visit the Platform); for how 8x handles prospect personal data, see privacy-notice-prospects.md and the cold-call disclosure (see call-recording-disclosures.md).

Summary. 8x uses only first-party cookies that are strictly necessary or functional to run the Platform. We do not use analytics cookies, advertising cookies, or any third-party tracking technologies. Because no non-essential trackers are present, no cookie consent banner is required today (see Section 4). This notice exists to provide transparency about the cookies we do set.

Controller and contact. The controller responsible for the personal data processed via these cookies is [8x LEGAL ENTITY NAME, a Delaware corporation], [REGISTERED ADDRESS]. For privacy questions, contact [DPO/PRIVACY CONTACT NAME] at privacy@8x.social (proposed role address).


2. What cookies are

A cookie is a small text file stored in your browser when you visit a website. Cookies can be:

  • First-party (set by the site you are visiting — here, the 8x Platform) or third-party (set by another domain). 8x sets only first-party cookies.
  • Session (deleted when you close your browser) or persistent (stored until they expire or you delete them).
  • Strictly necessary / essential (required for the site to function and for you to log in securely), functional (remember your preferences or context), analytics (measure usage), or advertising (track you for marketing). 8x uses only strictly necessary and functional cookies.

Some of the values below use the __Host- prefix. This is a security hardening measure: a __Host--prefixed cookie is sent only over HTTPS, scoped to the exact origin that set it, and cannot be set or overwritten by subdomains. It does not make the cookie a tracker.


3. Cookies we use

All cookies listed below are first-party and set by the 8x Platform itself. We do not knowingly set any third-party, analytics, or advertising cookies.

| Cookie | Category | Purpose | Set by | Duration |
| --- | --- | --- | --- | --- |
| Supabase authentication session cookies | Strictly necessary (essential) | Keep you securely logged in. These cookies carry your authenticated session so the Platform knows who you are on each request and can enforce access controls. Without them you cannot sign in or use the Platform. | 8x (via our authentication provider, Supabase — see sub-processors.md) | Session / per the auth session lifetime [CONFIRM exact max-age] |
| __Host-8x_view_as_rep | Functional / essential to an administrative feature | Records that an authorized 8x administrator is using the "view as rep" impersonation tool to see the Platform as a particular representative would. It is set only when an admin activates that feature and governs which view is rendered. It is not a tracking or profiling cookie. | 8x | Session / cleared when impersonation ends [CONFIRM exact lifetime] |
| __Host-displayLocale | Functional | Remembers your selected display language / locale preference (i18n) so the interface renders in your chosen language across visits. | 8x | Persistent [CONFIRM exact max-age] |
| __Host-li_oauth_state | Strictly necessary (security) — NOT ACTIVE | A CSRF anti-forgery state value reserved for LinkedIn OAuth/OIDC sign-in. This flow is not live. LinkedIn OAuth is currently a non-functional stub (it returns an HTTP 501 and does not run), so this cookie is not set in normal use today. It is documented here for transparency and will become active only if and when LinkedIn sign-in is enabled, at which point it will be set transiently during the sign-in handshake and discarded immediately afterward. | 8x | Transient (during a sign-in handshake) — not currently issued |

[DECISION REQUIRED]: Confirm the exact cookie names and max-age / expiry values against the live build before publication, and confirm that the Supabase auth session is implemented purely as first-party cookies on the 8x origin (no third-party Supabase-domain cookie is set in the user's browser). Update this table to match the live site.


4. No analytics, no advertising, no consent banner required

We have reviewed the technologies in use on the Platform and confirm the following as of the version date above:

  • No analytics cookies or analytics scripts (e.g., no Google Analytics or equivalent) are present.
  • No advertising, marketing, retargeting, or cross-site tracking technologies are present.
  • No third-party trackers, social-media pixels, fingerprinting, or data-broker tags are present.
  • All cookies we set are first-party and fall into the strictly necessary or functional categories described in Section 3.

Because we use only strictly necessary and functional first-party cookies and set no non-essential tracking technologies, a cookie consent banner is not required today. This notice is provided as a disclosure to keep you informed.

Jurisdiction-specific note. Cookie/consent rules differ by market:

  • EU / UK (ePrivacy): Storing or reading information on a user's device generally requires prior consent except for cookies that are strictly necessary to provide the service the user has requested. The functional cookies above (locale preference, impersonation) are arguably non-essential under a strict ePrivacy reading. EU/UK IS in scope — GDPR and the ePrivacy Directive apply (there is no EU-exclusion gate; see privacy-notice-reps.md, "International transfers" / territorial scope). Counsel must therefore reassess whether __Host-displayLocale and __Host-8x_view_as_rep require prior consent under ePrivacy, and a consent mechanism must be added if so. [DECISION REQUIRED — confirm the functional-cookie consent mechanism for EU/UK users.]
  • US (CCPA/CPRA): The cookies above do not involve a "sale" or "sharing" of personal information and include no advertising/analytics trackers; no opt-out signal handling is triggered by our current cookie use. We will draft and maintain a CCPA-ready disclosure in privacy-notice-reps.md regardless. [Confirm CCPA applicability thresholds.]
  • Brazil (LGPD), Mexico, India (DPDP): None of these regimes is engaged by a non-tracking, essential/functional first-party cookie set in the manner described, beyond the general transparency obligation that this notice satisfies. [CONFIRM WITH MEXICAN COUNSEL] for any Mexico-specific aviso de privacidad cross-reference requirements.

5. Our commitment if this changes

If 8x ever introduces an analytics cookie, an advertising or marketing tracker, a third-party tag, fingerprinting, or any other non-essential cookie or tracking technology, we will, before deploying it:

  1. Update this Cookie Notice to describe the new technology, its purpose, the recipient, and its duration; and
  2. Implement an appropriate consent mechanism (e.g., a cookie consent banner with granular opt-in and the ability to withdraw consent) wherever consent is required by applicable law, and honor opt-out preferences where opt-out is the applicable standard.

We will not set non-essential trackers without first putting the required notice and (where applicable) consent controls in place.


6. Managing cookies

Because we use only essential and functional first-party cookies, the Platform may not behave correctly if you block or delete them — in particular, blocking the authentication session cookies will prevent you from logging in.

You can control or delete cookies through your browser settings. Most browsers let you view stored cookies, delete them, and block cookies from specific sites. See your browser's help documentation (Chrome, Firefox, Safari, Edge) for instructions. Note that clearing cookies will sign you out and reset your saved locale preference.


7. Open verification items (to resolve before publication)

The following must be confirmed against the live production deployment before this notice is published:

  • [Verify no Vercel edge platform cookies on the live site.] Confirm that our hosting provider (Vercel — see sub-processors.md) does not set any edge/platform cookies (e.g., load-balancing, geolocation, or preview/protection cookies) in end-user browsers on the production site. If any such cookie is set, add it to the Section 3 table with its category, purpose, and duration, and reassess Section 4.
  • Confirm the exact cookie names, __Host- prefixing, Secure/SameSite attributes, and max-age values for every cookie in Section 3 (see [DECISION REQUIRED] in Section 3).
  • Confirm whether the Supabase auth session is delivered entirely as first-party cookies on the 8x origin, with no third-party Supabase-domain cookie in the browser.
  • Confirm whether LinkedIn OAuth/OIDC has been activated; if so, move __Host-li_oauth_state from "NOT ACTIVE" to active status and update Section 3 accordingly (see sub-processors.md).
  • Re-run this review whenever a new front-end dependency, tag manager, embed, or third-party script is added to the Platform.
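
One way to script the cookie-attribute checks listed above, as an added example that is not part of this notice or of 8x's code: it audits Set-Cookie header values against the Section 3 table and the browser rules for the __Host- prefix. The sample headers are constructed, the `sb-` auth-cookie prefix is an assumption to confirm on the live build, and the function names are hypothetical.

```python
# Lifetimes as documented in Section 3; exact max-age values are still unconfirmed.
EXPECTED = {
    "__Host-8x_view_as_rep": "session",
    "__Host-displayLocale": "persistent",
    "__Host-li_oauth_state": "not issued",  # documented as NOT ACTIVE
}
AUTH_PREFIX = "sb-"  # assumption: auth cookie naming; confirm on the live build

def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, attrs); attribute keys lowercased."""
    first, *rest = [part.strip() for part in value.split(";")]
    attrs = {}
    for part in filter(None, rest):
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return first.partition("=")[0].strip(), attrs

def audit_cookie(value):
    """Return (name, lifetime, findings) for one Set-Cookie header value."""
    name, attrs = parse_set_cookie(value)
    lifetime = "persistent" if attrs.keys() & {"max-age", "expires"} else "session"
    findings = []
    expected = EXPECTED.get(name)
    if expected is None and not name.startswith(AUTH_PREFIX):
        findings.append("undocumented cookie")
    elif expected == "not issued":
        findings.append("documented as NOT ACTIVE but set")
    elif expected and expected != lifetime:
        findings.append(f"lifetime is {lifetime}, notice says {expected}")
    if "secure" not in attrs:
        findings.append("missing Secure")
    if "samesite" not in attrs:
        findings.append("missing SameSite")
    if name.startswith("__Host-"):  # browsers also require Path=/ and no Domain
        if attrs.get("path") != "/":
            findings.append("__Host- requires Path=/")
        if "domain" in attrs:
            findings.append("__Host- forbids Domain")
    return name, lifetime, findings

# Constructed sample headers (not captured from the 8x Platform).
SAMPLE = [
    "__Host-displayLocale=pt-BR; Path=/; Secure; SameSite=Lax; Max-Age=31536000",
    "__Host-8x_view_as_rep=rep-1; Path=/admin; Secure; SameSite=Strict",
    "sb-example-auth-token=x; Path=/; Secure; HttpOnly; SameSite=Lax",
    "edge_lb=node7; Path=/; Domain=.example.test",
]
if __name__ == "__main__":
    print(*map(audit_cookie, SAMPLE), sep="\n")
```

Any cookie reported as undocumented (for example a hosting-platform cookie) belongs in the Section 3 table before publication.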

Cross-references: privacy-notice-reps.md · privacy-notice-prospects.md · sub-processors.md