Cookies Policy
Effective date: 2026-05-13 · Last updated: 2026-05-13
This Cookies Policy explains how FrameSight uses cookies and similar storage technologies on dashboard.framesight.io and related interfaces.
Under the ePrivacy Directive (2002/58/EC) and the French CNIL’s guidance, storing or reading information on a user’s terminal generally requires prior consent. Strictly necessary cookies are exempt from this consent requirement provided they are limited to the purposes listed in Article 82 of the French Loi Informatique et Libertés.
1. Consent banner: why we don’t show one
FrameSight currently uses only strictly necessary cookies: authentication session, cross-site request forgery protection, and the transient state required to complete an OAuth or magic-link sign-in. None of these are used for analytics, profiling, advertising, or any functionality outside what you explicitly request when you sign in.
For that reason we do not display a consent banner. Our audience-measurement tool (a self-hosted instance of Matomo) is deliberately configured to run without cookies and with IP anonymisation, which places it within the CNIL’s audience-measurement exemption: it sets nothing on your device and therefore does not change the above. If we ever introduce non-essential cookies (cookie-based analytics, A/B testing, marketing pixels), we will update this Policy and prompt you for explicit, granular consent before any such cookie is set.
2. Inventory of cookies we set
| Cookie | Purpose | Category | Duration | Domain |
|---|---|---|---|---|
| authjs.session-token (or __Secure-authjs.session-token in production) | Authenticated session. Encodes a signed JWT identifying your account; required to load any authenticated page. | Strictly necessary | 30 days, or until sign-out / session revocation | dashboard.framesight.io |
| authjs.csrf-token (__Host-authjs.csrf-token in production) | Cross-site request forgery (CSRF) protection on sign-in and sign-out POSTs. | Strictly necessary | Session (deleted when the browser closes) | dashboard.framesight.io |
| authjs.callback-url | Tracks the page you were trying to access so we can redirect you back after a successful sign-in. | Strictly necessary | Session | dashboard.framesight.io |
| authjs.pkce.code_verifier | PKCE code verifier for the OAuth 2.0 sign-in flow with Google or GitHub. Set only during the few seconds between clicking “Sign in with Google/GitHub” and the OAuth provider redirecting back to us. | Strictly necessary | 10 minutes, or until OAuth flow completes | dashboard.framesight.io |
| authjs.state | OAuth 2.0 state parameter; prevents CSRF on the OAuth callback. | Strictly necessary | 10 minutes, or until OAuth flow completes | dashboard.framesight.io |
| fs.org | Remembers which organisation you last switched to in the org picker, so the dashboard opens on the same context next time. | Strictly necessary (functional) | 1 year | dashboard.framesight.io |
We do not set advertising, analytics, retargeting, or fingerprinting cookies. For aggregate audience measurement we run a self-hosted, cookieless instance of Matomo on infrastructure we control (stats.explodingframe.com): it is configured to set no cookie, to anonymise IP addresses, and to perform no cross-site tracking, which keeps it within the CNIL exemption and outside the consent requirement. We do not use Google Analytics, Facebook Pixel, Hotjar, or any third-party telemetry SaaS.
3. Local storage and similar technologies
The dashboard uses the browser’s localStorage for small, purely cosmetic UI state (e.g. last collapsed section in a report, last sort order on a list). No personal data is stored. Clearing your browser’s local storage at any time has no impact on your account.
4. Third-party cookies (LemonSqueezy checkout)
When you click a checkout link to subscribe to a paid plan or purchase credits, your browser is redirected to LemonSqueezy’s checkout pages. While on those pages, LemonSqueezy may set cookies on its own domain (.lemonsqueezy.com) for fraud prevention and to maintain the checkout session. FrameSight has no control over those cookies and does not receive their values. Please refer to LemonSqueezy’s Cookie Policy for details.
Likewise, when you sign in with Google or GitHub, those providers set their own cookies on their own domains while you authenticate. We never read those cookies.
5. Refusing or deleting cookies
Because the cookies we set are strictly necessary, refusing them will prevent you from signing in or staying signed in to the service. You may nevertheless:
- Configure your browser to block cookies from dashboard.framesight.io, in which case the sign-in page will reject your attempts.
- Delete the cookies after sign-out using your browser’s standard controls.
- Use a private / incognito window: cookies will be automatically discarded when you close the window.
Browser-specific instructions: Chrome · Firefox · Safari · Edge
6. Changes to this Policy
We will update this page if the cookie inventory changes. If we ever introduce non-essential cookies, we will prompt you for consent BEFORE the cookie is set and will not consider continued navigation as consent.
7. Contact
Questions about cookies: privacy@explodingframe.com