Cookie policy

Last updated: 2026-04-24

Cairn uses only strictly-necessary cookies. Under PECR these don't require consent — they're essential to the service operating securely. We don't set tracking, advertising, or analytics cookies.

Cookies we set

NamePurposeLifetimeType
cairn_sessionAuthenticates the operator's session via a HMAC-signed token containing user ID, email, name, and tenant ID. No tracking.8 hoursStrictly necessary
cairn_oauth_stateShort-lived OAuth state + PKCE verifier set during the Microsoft sign-in redirect. Prevents CSRF on the callback.10 minutesStrictly necessary

What we don't do

  • No third-party advertising cookies.
  • No marketing pixels, fingerprinting, or session-replay.
  • No analytics SDKs (Google Analytics, Mixpanel, etc.).
  • No cross-site tracking.

If we ever introduce non-essential cookies, we'll add a consent banner that blocks them until you opt in, and update this page.