Cookie policy
Last updated: 2026-04-24
Cairn uses only strictly-necessary cookies. Under PECR these don't require consent — they're essential to the service operating securely. We don't set tracking, advertising, or analytics cookies.
Cookies we set
| Name | Purpose | Lifetime | Type |
|---|---|---|---|
| cairn_session | Authenticates the operator's session via a HMAC-signed token containing user ID, email, name, and tenant ID. No tracking. | 8 hours | Strictly necessary |
| cairn_oauth_state | Short-lived OAuth state + PKCE verifier set during the Microsoft sign-in redirect. Prevents CSRF on the callback. | 10 minutes | Strictly necessary |
What we don't do
- No third-party advertising cookies.
- No marketing pixels, fingerprinting, or session-replay.
- No analytics SDKs (Google Analytics, Mixpanel, etc.).
- No cross-site tracking.
If we ever introduce non-essential cookies, we'll add a consent banner that blocks them until you opt in, and update this page.