Cookie & Local Storage Policy — ORBIT
Operator: Joshua Kaen Bentley ("we," "us," "our") Effective date: 27 June 2026 Contact: hello@tekanology.com Governing law: Australia
1. What This Policy Covers
This policy explains how ORBIT ("the Service," "the app") uses browser storage technologies — including HTTP cookies, HTML5 localStorage, and sessionStorage — when you use our web application.
We have written this policy to reflect what the app actually does today, not generic boilerplate. The short version: ORBIT does not use cookies for logging you in, and we do not use any analytics, tracking, or advertising cookies. The only browser storage we rely on is the minimum needed to keep you signed in. Details below.
This policy should be read alongside our Privacy Policy and Terms of Service, which cover how we handle personal data more broadly.
2. What We Actually Use
2.1 Sign-in tokens in browser storage (strictly necessary)
To keep you signed in, the web client stores your session tokens in your browser. This is not done with cookies — it is done using the browser's localStorage or sessionStorage:
- The session is saved as a single entry under the key
orbit_tokens. - That entry contains two tokens: a short-lived access token (a JWT, valid for ~15 minutes) and a longer-lived refresh token (valid up to 30 days, rotated each time it is used, and revoked when you log out or change your password).
- These tokens are sent to our API in an
Authorization: Bearerheader on each request — they are not transmitted automatically as cookies.
Where the session is stored depends on your "stay logged in" choice when you sign in:
| Your choice | Where it's stored | What happens |
|---|---|---|
| "Stay logged in" / remember me checked | localStorage |
Persists across browser restarts until you log out |
| "Stay logged in" unchecked | sessionStorage |
Cleared automatically when you close the tab |
Only one of these holds your session at a time. When you log out (or an automatic token refresh fails), the app clears both stores.
Security note (plain English): Because the refresh token is held in browser storage, it can in principle be read by JavaScript running on the page. This is a known trade-off compared with
httpOnlycookies, and we disclose it here for transparency. Please keep your device secure and log out on shared computers. See our Privacy Policy for more.
2.2 Cookies set by us
We do not set any first-party cookies for authentication. Your hosting platform, reverse proxy, or content-delivery network may set basic technical cookies (for example, for load balancing or denial-of-service protection); if and when we deploy such infrastructure, it will be limited to strictly necessary operation.
2.3 Analytics cookies
None. We do not use Google Analytics or any other web-analytics cookie or tracker.
2.4 Advertising / tracking cookies
None. We do not use advertising cookies, retargeting pixels, social-media tracking tags, or cross-site trackers. We do not sell or share personal information for cross-context behavioral advertising.
2.5 Third-party services and storage
Some third-party services we integrate with may set their own cookies or storage on their own pages, outside the ORBIT app — and that storage is governed by their policies, not ours:
- Payment processing (Stripe, e.g. Stripe): If and when paid campaigns go live, card payment is handled on the processor's own hosted checkout. That checkout may set cookies for fraud prevention and to operate the payment flow. We do not control those cookies. See Stripe's cookie/privacy notice.
- Connected publishing platforms (Facebook / Instagram, Pinterest, your WordPress site): When you choose to connect one of these accounts, the connection ("OAuth") sign-in happens on that platform's website, which may set its own cookies. We only receive and store the access tokens needed to publish content you approve.
We do not place these third-party cookies ourselves, and connecting these accounts is entirely optional and user-initiated.
3. Categories of Storage and Which Apply to Us
Browser storage is commonly grouped into the following categories. Here is which apply to ORBIT:
| Category | What it means | Used by ORBIT? |
|---|---|---|
| Strictly necessary / essential | Required to provide a service you actively asked for (e.g. keeping you logged in). Cannot be switched off without breaking the app. | Yes — only the orbit_tokens session storage described in Section 2.1. |
| Functional / preferences | Remembers choices like language or timezone for convenience. | Not currently stored in the browser. Your locale and timezone are saved to your account on our server, not as a browser cookie. |
| Analytics / performance | Measures how visitors use the site. | No. |
| Advertising / targeting | Builds profiles to show ads or track across sites. | No. |
Only the strictly necessary category applies to us today.
4. Legal Basis and Consent
Under the EU/UK ePrivacy rules (the "Cookie Law," as implemented in the UK by PECR) and the GDPR/UK GDPR, and under California's CCPA/CPRA:
- Strictly necessary storage does not require prior consent. Storing your sign-in tokens is exempt because it is essential to deliver the logged-in service you actively requested. Our legal basis under GDPR Art. 6(1)(b) is performance of the contract (providing your account and keeping you signed in).
- Non-essential cookies (analytics, advertising) require opt-in consent in the EU/UK before they are set. Because we currently use none, there is nothing for you to consent to — so the app does not display a cookie consent banner.
- Under CCPA/CPRA, we do not "sell" or "share" personal information for cross-context behavioral advertising, and we use no advertising trackers, so no "Do Not Sell or Share My Personal Information" cookie control is required for the storage described here.
If we ever introduce analytics or advertising cookies, we will first present an appropriate consent mechanism (e.g. a consent banner with granular opt-in for EU/UK users, and applicable opt-out controls for California users) and update this policy before such cookies are set.
5. How to Control or Clear Your Stored Data
You are always in control of browser storage on your own device:
- Log out of ORBIT — this clears your session tokens from both
localStorageandsessionStorage. - Choose "don't stay logged in" at sign-in — your session is then kept only in
sessionStorageand is erased when you close the tab. - Clear site data manually via your browser settings:
- Chrome/Edge: Settings → Privacy and security → Clear browsing data → "Cookies and other site data," or use DevTools → Application → Storage → Clear site data.
- Firefox: Settings → Privacy & Security → Cookies and Site Data → Manage Data → remove ORBIT's entry.
- Safari: Settings → Privacy → Manage Website Data → select ORBIT → Remove.
- Block cookies/storage entirely in your browser settings. Please note: if you block or clear the
orbit_tokensstorage, you will be signed out and will need to log in again, because that storage is essential to keeping you authenticated.
Clearing browser storage does not delete your account or the data held on our servers. To exercise data-subject rights (access, deletion, etc.) over server-side personal data, see our Privacy Policy or contact us at hello@tekanology.com.
6. Changes to This Policy
We may update this policy as the Service evolves — for example, if we add analytics, deploy hosting infrastructure that sets technical cookies, or enable live payments. When we make material changes (especially anything that introduces non-essential cookies), we will update the Effective date above and, where required by law, obtain your consent before the new cookies are set.
7. Contact
Questions about this Cookie & Local Storage Policy, or about browser storage in ORBIT, can be sent to:
Joshua Kaen Bentley Email: hello@tekanology.com available on request
For EU/UK users: contact hello@tekanology.com (ORBIT does not target EU/UK users and has not appointed a representative).