Cookie Policy

This page provides detailed information about the cookies used on the Cruvo platform website.
Last updated: 4 February 2026

Overview of Cookie Usage

Cruvo platform uses cookies for two primary purposes:

  1. User Authentication - Managed by Clerk authentication provider
  2. User Interface Preferences - Storing sidebar and other UI preferences

Important Note:

Our platform does not use tracking, analytics, or advertising cookies. All cookies are essential for the basic functionality of the service.

Cookies We Use

1. Authentication Cookies (Clerk)

Our platform uses Clerk (v6.29.0) for secure authentication. Clerk implements a dual-cookie model for enhanced security.

__session Cookie

  • Purpose: Stores JWT session token for authenticating API requests
  • Lifetime: 60 seconds (automatically refreshed by Clerk SDK)
  • Security: SameSite=Lax, Secure (in production)
  • Data: User ID, role information (if applicable), token metadata

Security Note: This cookie is not HttpOnly, so JavaScript on the page can read it, but its 60-second lifetime significantly limits the impact of XSS-based token theft. Even if an attacker steals this token, it can be used for at most 60 seconds after the vulnerability is patched.

__client Cookie

  • Purpose: Long-lived session reference stored in Clerk Frontend API
  • Domain: Clerk Frontend API (e.g., clerk.your-app.com)
  • Lifetime: Equal to configured session lifetime (typically hours/days)
  • Security: HttpOnly, Secure, SameSite=Lax

Security Note: This is the primary defence against session token theft. Being HttpOnly and Secure, it is protected against:

  • XSS attacks (cannot be accessed by JavaScript)
  • MITM attacks (transmitted only over HTTPS)
  • CSRF attacks (SameSite=Lax prevents cross-site request forgery)
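
As an added example (not Cruvo's or Clerk's own code), the following Node.js check compares cookie definitions written in Set-Cookie syntax with the attributes documented above for __session and __client. The sample cookie lines and token are constructed, and the lifetime check assumes the JWT carries the standard exp and iat claims.

```javascript
// Expected attributes, taken from this policy page.
const POLICY = {
  __session: { httpOnly: false, secure: true, sameSite: "lax", maxTokenSeconds: 60 },
  __client: { httpOnly: true, secure: true, sameSite: "lax" },
};

// Parse one cookie definition written in Set-Cookie syntax.
function parseCookie(line) {
  const [pair, ...attrs] = line.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const c = { name: eq < 0 ? pair : pair.slice(0, eq), value: eq < 0 ? "" : pair.slice(eq + 1) };
  Object.assign(c, { httpOnly: false, secure: false, sameSite: null });
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=");
    const key = k.trim().toLowerCase();
    if (key === "httponly") c.httpOnly = true;
    if (key === "secure") c.secure = true;
    if (key === "samesite") c.sameSite = v.trim().toLowerCase();
  }
  return c;
}

// Token lifetime in seconds from the JWT payload (assumes standard exp/iat claims).
// No signature verification: this audits lifetime only, it does not authenticate.
function tokenLifetime(jwt) {
  const payload = JSON.parse(Buffer.from(jwt.split(".")[1] || "", "base64url").toString("utf8"));
  return payload.exp - payload.iat;
}

// Return deviations from the documented policy; an empty array means compliant.
function auditCookie(line) {
  const c = parseCookie(line);
  const want = POLICY[c.name];
  if (!want) return [`${c.name}: not covered by this check`];
  const issues = [];
  if (c.httpOnly !== want.httpOnly) issues.push(`${c.name}: HttpOnly=${c.httpOnly}, documented ${want.httpOnly}`);
  if (want.secure && !c.secure) issues.push(`${c.name}: Secure flag missing`);
  if (c.sameSite !== want.sameSite) issues.push(`${c.name}: SameSite=${c.sameSite}, documented ${want.sameSite}`);
  if (want.maxTokenSeconds !== undefined) {
    let life = NaN;
    try { life = tokenLifetime(c.value); } catch { /* malformed token: reported below */ }
    if (!(life > 0 && life <= want.maxTokenSeconds)) issues.push(`${c.name}: token lifetime ${life}s, documented max ${want.maxTokenSeconds}s`);
  }
  return issues;
}

// Constructed samples: an unsigned token with a placeholder signature, and two cookie lines.
const makeJwt = (claims) => ["e30", Buffer.from(JSON.stringify(claims)).toString("base64url"), "sig"].join(".");
const good = `__session=${makeJwt({ sub: "user_xxxxx", iat: 1684631064, exp: 1684631124 })}; Path=/; Secure; SameSite=Lax`;
const bad = "__client=constructed-value; Path=/; Secure; SameSite=None";
console.log(auditCookie(good), auditCookie(bad));
```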

__client_uat Cookie

  • Purpose: "Updated At Timestamp" - Tracks when the Clerk client was last updated
  • Value: Unix timestamp (e.g., 1684631064)
  • Usage: Client state synchronisation, token refresh

__signed_in Cookie

  • Purpose: Simple boolean indicator for CSS styling purposes
  • Value: "true" (if signed in) or absent (if signed out)
  • Security Impact: None (visual only)

2. User Interface Cookies

sidebar_state Cookie

  • Purpose: Stores sidebar expanded/collapsed state across sessions
  • Value: "true" (expanded) or "false" (collapsed)
  • Lifetime: 7 days
  • Data: Simple boolean value, no user data or PII

3. Third-Party Cookies

_cfuvid Cookie (Cloudflare)

  • Provider: Cloudflare (Clerk's infrastructure provider)
  • Domain: .clerk.com, .dashboard.clerk.com
  • Purpose: Bot detection, rate limiting, CDN optimisation
  • Lifetime: Session-based

Why It's Required: Clerk uses Cloudflare for:

  • DDoS protection
  • Global CDN for faster authentication
  • Bot detection and prevention
  • Rate limiting for security

Cookie Summary Table

| Cookie Name | Type | Lifetime | Purpose |
|---|---|---|---|
| __session | Authentication | 60 seconds | JWT session token |
| __client | Authentication | Session lifetime | Long-lived session reference |
| __client_uat | Authentication | Session lifetime | Client state timestamp |
| __signed_in | UI | Session | CSS styling indicator |
| sidebar_state | UI | 7 days | Sidebar UI preference |
| _cfuvid | Third Party | Session | Cloudflare security |

Security and Privacy

Data Protection Measures

  1. No PII in Cookies by Default
    • Cookies do not store personally identifiable information
    • User ID is a random identifier (user_xxxxx)
    • Email addresses are not stored in cookies
  2. Encryption and Signing
    • All JWT tokens are cryptographically signed
    • Verified using Clerk's public keys (JWKS)
    • Tamper detection is built-in
  3. Secure Transmission
    • Production: All cookies use Secure flag (HTTPS only)
    • Development: HTTP allowed for localhost testing

Where Cookie Data is Automatically Redacted

  • Application logs
  • Error reports
  • Debug output
  • Monitoring systems

UK GDPR Compliance

Strictly Necessary Cookies (No Consent Required)

Under UK GDPR and the Privacy and Electronic Communications Regulations (PECR), the following cookies do not require explicit consent as they are strictly necessary for the basic functionality of the service:

  • __session, __client, __client_uat - Required for authentication
  • __signed_in - Strictly necessary for UI functionality
  • sidebar_state - Required UI preference for user experience

Managing Cookies

Your Rights

Users can:

  1. Delete Cookies: Via browser settings or by signing out
  2. View Cookie Data: Browser Developer Tools → Application → Cookies
  3. Opt Out: By blocking cookies (this will break authentication)

How to Delete Cookies

You can delete cookies from your browser settings:

  • Chrome: Settings → Privacy and security → Cookies and other site data
  • Firefox: Settings → Privacy & Security → Cookies and Site Data
  • Safari: Preferences → Privacy → Cookies and website data
  • Edge: Settings → Privacy, search and services → Cookies and site permissions

Warning:

If you block or delete cookies, you will not be able to use the platform as cookies are required for authentication. However, all our cookies are essential for service functionality and are not used for tracking or advertising purposes.

Data Retention

  • Session cookies: Deleted when browser closes or user signs out
  • Persistent cookies:
    • sidebar_state: 7 days
    • Session lifetime cookies: Configurable in Clerk Dashboard (default: 7 days)

Contact

If you have questions about our cookie policy, please visit our Contact page to get in touch with us.

Document Owner: Cruvo Engineering Team
Review Status: Pending legal review
