Cookie Policy
govlox.ai · Last updated: 13 May 2026 · Version 1.0
Summary
The govlox.ai marketing site sets no cookies and uses no client-side storage of its own. Across the broader GovLoX domain estate, two strictly-necessary storage entries exist; neither is used for analytics, advertising, or tracking. (1) Signed-in users of the platform at acme.govlox.ai have one authentication cookie (__Secure-authjs.session-token) scoped to .govlox.ai, used solely to maintain the signed-in session. (2) Anonymous visitors who open the chat widget at chat.govlox.ai and accept its consent prompt have one sessionStorage entry (gvxConsent), used solely to avoid re-prompting within the same browsing session. Full technical detail below; you can verify everything using your browser's developer tools.
1. The short version
- The marketing pages set no cookies or storage of their own — govlox.ai, /privacy.html, /cookies.html, and /scorecard are all storage-free
- No localStorage, no IndexedDB anywhere — none of our domains persist anything to disk
- One authentication cookie (__Secure-authjs.session-token) set by acme.govlox.ai for signed-in platform users; scoped to .govlox.ai — details in Section 3.1
- One sessionStorage entry (gvxConsent) set by chat.govlox.ai when you open the chat and accept the consent prompt — details in Section 3.2
2. What we do not use
Across govlox.ai and its subdomains, we have deliberately chosen not to use any of the following:
- First-party cookies for analytics, advertising, profiling, A/B testing, marketing, or any purpose other than authenticating signed-in platform users (the one authentication cookie at acme.govlox.ai is documented in full in Section 3.1)
- Third-party cookies of any kind (no embeds, no widgets, no social media buttons that report back)
- Persistent localStorage or IndexedDB on any page or subdomain
- Analytics platforms (Google Analytics, Plausible, Matomo, Fathom, etc.)
- Tracking pixels, advertising networks, retargeting tags
- Browser fingerprinting or device identification
- Third-party fonts loaded from CDNs (we self-host Inter from our own server)
3. The storage entries we use
We use exactly two client-side storage entries across our domains. Both are strictly necessary; neither is used for analytics, advertising, or tracking. Each has a different purpose, different scope, and different lifecycle — full technical specs below.
3.1 Authentication cookie — signed-in platform users
If you sign in to the GovLoX platform at acme.govlox.ai, one HTTP cookie is set by our authentication service. Because the cookie's Domain attribute is scoped to .govlox.ai (the leading dot is significant), your browser will send it on every request to acme.govlox.ai, govlox.ai, and chat.govlox.ai while you remain signed in. The marketing site (govlox.ai) and the chat service do not read or act on this cookie; only the platform at acme.govlox.ai does.
| Property | Value |
|---|---|
| Storage type | HTTP cookie (RFC 6265) |
| Name | __Secure-authjs.session-token |
| Set by | NextAuth.js on acme.govlox.ai during sign-in |
| Domain | .govlox.ai (leading dot — sent to acme.govlox.ai, govlox.ai, chat.govlox.ai, and any other govlox.ai subdomain) |
| Purpose | Maintain your authenticated session on the GovLoX platform |
| HttpOnly | Yes — not readable from JavaScript; only sent in HTTP request headers by the browser |
| Secure | Yes — only transmitted over HTTPS connections |
| SameSite | Lax — sent on top-level navigations; not sent on cross-site iframe requests or third-party fetches |
| Persistence | Session by default (deleted when you close the browser). Persistent only if you tick "Remember me" at sign-in. |
| Personal data | Yes — tied to your authenticated user identity. The token value is opaque; only the platform server can decode it. |
| Cleared when | You sign out, the cookie expires, you close the browser (for session cookies), or you clear cookies in your browser settings |
| Legal basis | Strictly necessary for a service explicitly requested by the user (ePrivacy Directive 2002/58/EC Art. 5(3) exemption; PECR Reg. 6(4)(b) equivalent). Required to provide the platform service you signed in to use. |
3.2 Chat consent flag — anonymous chat users
If you open the GovLoX Chat widget (the small circular button that may appear in the bottom-right of some of our pages) and click the consent prompt's OK button, one sessionStorage entry is created in your browser. Here is the complete technical specification:
| Property | Value |
|---|---|
| Storage type | window.sessionStorage (Web Storage API) |
| Key | gvxConsent |
| Value | "1" (literal string) |
| Origin (scope) | https://chat.govlox.ai only; not accessible to govlox.ai or any other domain |
| Set when | After you click OK on the consent prompt that appears the first time you open the chat in a tab |
| Cleared when | Automatically when you close the tab (default sessionStorage lifecycle — no code on our end persists it) |
| Purpose | Avoid re-prompting you for consent every time you open the chat panel within the same browsing session |
| Personal data | None. The value is a constant "1"; no identifier, no IP, no fingerprint, no timestamp |
| Transmitted to server | No. It is read and written only by JavaScript running in your browser; it is never sent to our server |
| Legal basis | Strictly necessary for a service explicitly requested by the user (ePrivacy Directive 2002/58/EC Art. 5(3) exemption; PECR Reg. 6(4) equivalent). No additional consent required. |
If you decline the consent prompt, nothing is stored and the chat does not initialise. You can also disable sessionStorage entirely in your browser settings — the chat will simply re-prompt you each time you open it.
4. How to verify this in your browser
Every claim on this page is independently verifiable. Here is how:
- Open govlox.ai in a fresh browser tab.
- Open your browser's developer tools (F12 in most browsers, or right-click → Inspect).
- In the Application tab (Chrome/Edge) or Storage tab (Firefox/Safari), expand Cookies, Local Storage, Session Storage, and IndexedDB. You will see they are all empty for govlox.ai.
- If a chat bubble appears in the bottom-right corner, click it. The chat opens in an iframe served from chat.govlox.ai. A consent prompt appears.
- Before clicking OK, check Session Storage for chat.govlox.ai — still empty.
- Click OK on the consent prompt. Refresh the Session Storage view. You will now see exactly one entry: key gvxConsent, value 1.
- Close the tab. Re-open chat.govlox.ai: the entry is gone, and the consent prompt re-appears.
- If you have signed in to acme.govlox.ai, you can also verify the authentication cookie. Visit acme.govlox.ai with devtools open and expand Cookies for .govlox.ai. You will see one entry: __Secure-authjs.session-token. The HttpOnly column will be checked — its value cannot be read from any govlox.ai page's JavaScript. Sign out, refresh, and the cookie is gone.
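The authentication-cookie check in the last step can also be run against a captured Set-Cookie response header, comparing it with the properties listed in Section 3.1. This is an added example, not code from GovLoX; the sample header, its placeholder token and its Path attribute are constructed, and the function names are illustrative.

```python
EXPECTED_NAME = "__Secure-authjs.session-token"
EXPECTED_DOMAIN = "govlox.ai"  # compared without the leading dot

# Constructed sample header: placeholder token, assumed Path attribute.
SAMPLE_SET_COOKIE = (
    "__Secure-authjs.session-token=PLACEHOLDER-OPAQUE-TOKEN; "
    "Domain=.govlox.ai; Path=/; HttpOnly; Secure; SameSite=Lax"
)


def parse_set_cookie(header):
    """Return (name, attrs) with attribute names lower-cased."""
    first, *rest = [part.strip() for part in header.split(";")]
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        if key.strip():
            attrs[key.strip().lower()] = val.strip()
    return first.partition("=")[0].strip(), attrs


def audit(header):
    """List deviations from the Section 3.1 table; an empty list means a match."""
    name, attrs = parse_set_cookie(header)
    findings = []
    if name != EXPECTED_NAME:
        findings.append(f"unexpected cookie name: {name}")
    if "secure" not in attrs:
        findings.append("Secure missing (the __Secure- prefix also requires it)")
    if "httponly" not in attrs:
        findings.append("HttpOnly missing: token readable from JavaScript")
    if attrs.get("samesite", "").lower() != "lax":
        findings.append("SameSite is not Lax")
    if attrs.get("domain", "").lstrip(".").lower() != EXPECTED_DOMAIN:
        findings.append("Domain is not .govlox.ai")
    return findings


def is_session_cookie(header):
    """True when neither Expires nor Max-Age is set (cleared on browser close)."""
    _, attrs = parse_set_cookie(header)
    return "expires" not in attrs and "max-age" not in attrs


def sent_to(host, header):
    """Domain-match: host equals the cookie domain or is a subdomain of it."""
    _, attrs = parse_set_cookie(header)
    domain = attrs.get("domain", "").lstrip(".").lower()
    # Prefixing a dot lets one suffix test cover both the exact and subdomain case.
    return bool(domain) and ("." + host.lower()).endswith("." + domain)
```

A header that also carries Expires or Max-Age corresponds to the "Remember me" case in the Persistence row, so `is_session_cookie` returning False is not by itself a deviation.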
5. Why we publish this even though we use almost nothing
A standalone cookie/storage policy is uncommon for a site that sets no cookies. We publish it for three reasons:
- Transparency. We govern AI agents for a living; our own technical choices about visitor data should be as auditable as the systems we ask our customers to govern.
- Honesty about edge cases. We do use two strictly-necessary storage entries: an authentication cookie for signed-in platform users, and a sessionStorage flag for the chat widget's consent prompt. A privacy notice that said "no client-side storage of any kind" would be misleading; we would rather disclose both, explain why each is needed, and give you the tools to verify them.
- Procurement readiness. Many enterprise procurement and legal-review processes require a named cookie policy. This page exists in part so checklists pass without anyone needing to ask us a question.
6. Changes to this policy
We may update this policy from time to time. The date at the top of this page will reflect the most recent revision. If a future change introduces a new cookie or storage entry, it will be added to the table in Section 3 along with its purpose, lifecycle, and legal basis before it appears in production.
7. Questions
For any questions about this policy or our broader privacy posture, contact our Data Protection Officer:
Barry Cook
Data Protection Officer, Data Privacy Analytics
Geneva, Switzerland
Our full Privacy Notice covers data we collect via server logs, email correspondence, and your GDPR rights.