Cookie Policy

Last updated: 24 February 2026

The short version:

  • We only use strictly necessary cookies for authentication. No marketing, advertising, or tracking cookies.
  • We use Umami for privacy-friendly analytics. Umami does not use cookies and does not track individual users.
  • No cookie consent banner is needed because we do not set any non-essential cookies.

1. What Are Cookies?

Cookies are small text files that websites place on your device (computer, phone, or tablet) when you visit them. They are widely used to make websites work, improve performance, and provide information to the site owners.

Under the UK Privacy and Electronic Communications Regulations (PECR) and the ePrivacy Directive, cookies that are “strictly necessary” for the operation of a website do not require user consent. All cookies used by WhatsMyArc fall into this category.

2. Cookies We Use

All cookies on WhatsMyArc are set by our authentication system (NextAuth.js). They are essential for signing in and maintaining your session. We do not set any cookies ourselves beyond what the authentication library requires.

| Cookie | Purpose | Duration | Type |
|---|---|---|---|
| session-token | Stores your encrypted login session so you stay signed in across pages. Contains no readable personal data. | 30 days | Strictly necessary |
| csrf-token | Protects against cross-site request forgery attacks during sign-in and sign-out. | Session | Strictly necessary |
| callback-url | Remembers where to redirect you after signing in. | Session | Strictly necessary |
| pkce.code_verifier | Used during the secure sign-in exchange (PKCE). Deleted after sign-in completes. | 15 minutes | Strictly necessary |
| state | Prevents tampering during the sign-in redirect. Deleted after sign-in completes. | 15 minutes | Strictly necessary |

In production (HTTPS), these cookies use security prefixes (__Secure- or __Host-) and are marked HttpOnly, Secure, and SameSite=Lax. This means they cannot be accessed by JavaScript and are only sent over encrypted connections.

3. Cookies We Do Not Use

WhatsMyArc does not use:

  • Marketing or advertising cookies
  • Analytics cookies (our analytics tool is cookieless)
  • Social media tracking cookies or pixels
  • Third-party cookies of any kind
  • Fingerprinting or similar tracking technologies

4. Analytics (Cookieless)

We use Umami, a privacy-friendly, open-source analytics tool. Umami is configured to:

  • Not use cookies — no data is stored on your device for analytics purposes.
  • Respect Do Not Track (DNT) — if your browser sends a DNT signal, Umami will not collect any data from your visit.
  • Collect no personal data — analytics are aggregated and anonymous. No individual users can be identified.
  • Run on our own infrastructure — Umami is self-hosted, not a third-party SaaS service. Your data is not shared with any analytics company.

5. Browser-Side Storage

In addition to cookies, websites can store small amounts of data using browser storage APIs. WhatsMyArc uses sessionStorage in one place: to remember where to return you after completing a payment. This data:

  • Is automatically deleted when you close the browser tab
  • Is never sent to our servers
  • Contains only a page URL (no personal information)

We do not use localStorage, IndexedDB, or any other persistent browser storage.

6. Third-Party Services

WhatsMyArc communicates with a small number of external services, none of which set cookies on your device:

  • Authentication server — our own SSO service that handles sign-in. Sets the authentication cookies listed in Section 2.
  • Stripe — payment processing. You are redirected to Stripe's website to complete payment. Stripe has its own privacy policy and may set cookies on its own domain during checkout.
  • AI providers (OpenAI, Anthropic) — process your interview answers server-side. These services never interact with your browser directly.

Social sharing buttons (X, Facebook, LinkedIn, WhatsApp) are simple links that open in a new tab when you click them. No social media SDKs, tracking pixels, or third-party scripts are loaded from these services.

7. Managing Cookies

You can delete or block cookies through your browser settings. However, if you block the strictly necessary cookies listed above, you will not be able to sign in to WhatsMyArc.

Instructions for managing cookies in common browsers:

8. Changes to This Policy

We may update this Cookie Policy from time to time. Any changes will be posted on this page with an updated “last updated” date.

9. Contact

For any questions about our use of cookies:

Email: [email protected]