Cookie Policy

Effective Date: October 31, 2025

Last Updated: October 31, 2025

This Cookie Policy explains how ERMITS LLC (“ERMITS,” “we,” “our,” or “us”) uses cookies and similar technologies when you use our Services. This policy should be read in conjunction with our Privacy Policy.

1 What Are Cookies?

1.1 Definition

Cookies are small text files stored on your device (computer, tablet, smartphone) when you visit websites or use applications. Cookies enable websites to remember your actions and preferences over time.

1.2 Similar Technologies

This policy also covers similar technologies including:

  • Local Storage: Browser-based storage (localStorage, IndexedDB)
  • Session Storage: Temporary storage cleared when browser closes
  • Web Beacons (Pixels): Small graphics that track page views
  • SDKs: Software development kits for mobile applications
  • Fingerprinting: Device and browser characteristic collection

2 How We Use Cookies

2.1 Cookie Categories

We use the following categories of cookies:

Essential Cookies (Always Active):

Required for basic service functionality:
  • Authentication and session management
  • Security and fraud prevention
  • Load balancing and performance
  • User preference storage (language, theme)

Performance Cookies (Optional):

Help us improve service performance:
  • Page load time measurement
  • Error tracking and debugging (Sentry)
  • Feature usage analytics
  • Service optimization

Analytics Cookies (Optional):

Help us understand how Services are used:
  • User behavior patterns (PostHog with differential privacy)
  • Popular features and pages
  • User journey analysis
  • Conversion tracking

Functional Cookies (Optional):

Enable enhanced functionality:
  • Remember settings and preferences
  • Personalize user experience
  • Enable integrations with third-party services

3 Specific Cookies We Use

Cookie Name         Provider   Purpose                             Type          Duration
sb-access-token     Supabase   Authentication                      Essential     1 hour
sb-refresh-token    Supabase   Session renewal                     Essential     30 days
theme               ERMITS     UI theme preference (light/dark)    Functional    1 year
language            ERMITS     Language preference                 Functional    1 year
consent             ERMITS     Cookie consent preferences          Essential     1 year
phc_***             PostHog    Anonymous analytics                 Analytics     1 year
sentry-session      Sentry     Error tracking session              Performance   Session

Note: Cookie names and specifics may change. This table represents typical cookies; actual implementation may vary by product.

4 Third-Party Cookies

4.1 Third-Party Service Providers

We use third-party services that may set cookies:

Supabase (Authentication & Database):

  • Purpose: User authentication and session management
  • Privacy: Essential for service functionality
  • Control: Required for service use; cannot be disabled
  • More info: https://supabase.com/privacy

Sentry (Error Tracking):

  • Purpose: Monitor application errors and performance
  • Privacy: Automatically scrubs PII from error reports
  • Control: Can be disabled in privacy settings
  • More info: https://sentry.io/privacy/

PostHog (Analytics):

  • Purpose: Anonymous usage analytics with differential privacy
  • Privacy: Cannot identify individual users
  • Control: Can be disabled in privacy settings (opt-out)
  • More info: https://posthog.com/privacy

Stripe (Payment Processing):

  • Purpose: Payment processing and fraud prevention
  • Privacy: Handles payment information securely
  • Control: Required for payment functionality
  • More info: https://stripe.com/privacy

Vercel (Hosting & CDN):

4.2 Third-Party Privacy

ERMITS is not responsible for third-party cookie practices. We encourage you to review third-party privacy policies. We contractually require third parties to:

  • Use data only for specified purposes
  • Comply with applicable privacy laws
  • Implement appropriate security measures
  • Respect user privacy choices

5 Cookies and Privacy-First Architecture

5.1 Minimal Cookie Use

Due to Privacy-First Architecture:

  • No tracking cookies for advertising or marketing
  • No cross-site tracking or profiling
  • Minimal essential cookies only for functionality
  • Local processing reduces need for server-side cookies
  • Pseudonymized analytics cannot identify individual users

5.2 Data Minimization

Cookies are designed to collect minimum data necessary:

  • No PII in cookies (names, emails, addresses not stored in cookies)
  • Session tokens only for authentication
  • Hashed identifiers for analytics (cannot be reverse-engineered)
  • No sensitive data in cookies (passwords, financial info, CUI/FCI)

6 Your Cookie Choices

6.1 Cookie Consent

When you first visit ERMITS Services:

  • Cookie Banner: You’ll see a cookie consent banner
  • Granular Control: Choose which cookie categories to accept
  • Default Settings: Only essential cookies enabled by default
  • Change Anytime: Update preferences in Account Settings

6.2 Managing Cookie Preferences

Within ERMITS Services:

  • Navigate to Account Settings → Privacy → Cookie Preferences
  • Toggle categories on/off (except essential cookies)
  • Save preferences (stored in essential consent cookie)

Browser Controls:

Most browsers allow cookie management:
  • Block all cookies: May prevent service functionality
  • Block third-party cookies: Reduces tracking
  • Delete cookies: Clear existing cookies
  • Incognito/Private mode: Cookies deleted when browser closes

Browser-Specific Instructions:

  • Chrome: Settings → Privacy and Security → Cookies
  • Firefox: Settings → Privacy & Security → Cookies and Site Data
  • Safari: Preferences → Privacy → Cookies and Website Data
  • Edge: Settings → Privacy, Search, and Services → Cookies

6.3 Opt-Out Tools

Analytics Opt-Out:

  • Disable analytics cookies in Account Settings
  • Use browser Do Not Track (DNT) signal (we honor DNT)
  • PostHog opt-out: https://posthog.com/opt-out

Error Tracking Opt-Out:

  • Disable performance cookies in Account Settings
  • Sentry respects privacy settings

7 Do Not Track (DNT)

7.1 DNT Support

ERMITS respects browser Do Not Track signals:

  • DNT Enabled: We disable optional analytics and performance cookies
  • Essential Cookies Only: Authentication and security cookies remain active
  • No Tracking: No behavioral tracking when DNT is enabled
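The rules in 7.1 (essential cookies always, functional by consent, analytics and performance only with consent and no DNT signal) can be applied server-side before any Set-Cookie header leaves the application. The following is an added illustration, not ERMITS code: the request header names, the query-string encoding of the consent cookie, the Sec-GPC check and all helper names are assumptions, and the sample request and cookies are constructed. The cookie-to-category map is taken from the table in section 3.

```javascript
// Added example (not ERMITS code): decide which cookie categories a response
// may set, given the consent cookie and the browser's DNT signal, then filter
// outgoing Set-Cookie headers accordingly.

// Category of each cookie from the table in section 3. Names match exactly,
// or by prefix when the entry ends with '*'.
const COOKIE_CATEGORIES = {
  'sb-access-token': 'essential',
  'sb-refresh-token': 'essential',
  consent: 'essential',
  theme: 'functional',
  language: 'functional',
  'phc_*': 'analytics',
  'sentry-session': 'performance',
};

function categoryOf(cookieName) {
  for (const [pattern, category] of Object.entries(COOKIE_CATEGORIES)) {
    const hit = pattern.endsWith('*')
      ? cookieName.startsWith(pattern.slice(0, -1))
      : cookieName === pattern;
    if (hit) return category;
  }
  return 'unknown'; // anything not in the table is treated as non-essential
}

// Parse the consent cookie. Assumed encoding: URL query form, e.g.
// "analytics=1&performance=0&functional=1". Absent keys mean "rejected",
// matching the essential-only default described in section 6.1.
function parseConsent(value) {
  const params = new URLSearchParams(value || '');
  return {
    analytics: params.get('analytics') === '1',
    performance: params.get('performance') === '1',
    functional: params.get('functional') === '1',
  };
}

// headers: request headers keyed by lowercase name (assumed shape).
// Returns which categories may be set on the response.
function allowedCategories(headers, consentValue) {
  const consent = parseConsent(consentValue);
  // DNT is the signal the policy names; Sec-GPC (Global Privacy Control) is
  // an assumption added here because it expresses the same preference.
  const doNotTrack = headers['dnt'] === '1' || headers['sec-gpc'] === '1';
  return {
    essential: true,
    functional: consent.functional,
    analytics: consent.analytics && !doNotTrack,
    performance: consent.performance && !doNotTrack,
  };
}

// Drop Set-Cookie headers whose cookie category is not allowed; return the
// names kept and dropped so the decision can be logged.
function filterSetCookies(setCookieHeaders, allowed) {
  const kept = [];
  const dropped = [];
  for (const header of setCookieHeaders) {
    const name = header.split(';', 1)[0].split('=', 1)[0].trim();
    (allowed[categoryOf(name)] ? kept : dropped).push(name);
  }
  return { kept, dropped };
}

// Constructed sample: a browser sending DNT although consent was granted to
// every category. Analytics and performance cookies must still be withheld.
const SAMPLE_REQUEST_HEADERS = { dnt: '1' };
const SAMPLE_CONSENT = 'analytics=1&performance=1&functional=1';
const SAMPLE_SET_COOKIES = [
  'sb-access-token=abc123; Path=/; Max-Age=3600; SameSite=Lax; Secure; HttpOnly',
  'theme=dark; Path=/; Max-Age=31536000; SameSite=Lax; Secure',
  'phc_abc=anon; Path=/; Max-Age=31536000; SameSite=Lax; Secure',
  'sentry-session=s1; Path=/; SameSite=Lax; Secure',
];

const SAMPLE_RESULT = filterSetCookies(
  SAMPLE_SET_COOKIES,
  allowedCategories(SAMPLE_REQUEST_HEADERS, SAMPLE_CONSENT),
);
console.log(SAMPLE_RESULT); // kept: sb-access-token, theme; dropped: phc_abc, sentry-session
```

Unknown cookie names are deliberately dropped rather than allowed: a cookie that nobody classified in the table is exactly the one a consent audit would miss.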

7.2 Enabling DNT

To enable Do Not Track in your browser:

  • Chrome: Not supported (use cookie controls instead)
  • Firefox: Settings → Privacy & Security → Send websites a “Do Not Track” signal
  • Safari: Preferences → Privacy → Website Tracking → Prevent cross-site tracking
  • Edge: Settings → Privacy, Search, and Services → Send “Do Not Track” requests

8 Mobile Applications

For ERMITS mobile applications (if applicable):

Mobile SDKs:

  • Similar functionality to cookies
  • Device identifiers may be collected
  • Opt-out available in app settings

Mobile Privacy Controls:

  • iOS: Settings → Privacy → Tracking → Allow Apps to Request to Track (disable)
  • Android: Settings → Privacy → Ads → Opt out of Ads Personalization

Note: ERMITS current products are web-based. Mobile-specific policies will be added if mobile apps are released.

9 Cookies and International Privacy Laws

9.1 GDPR Compliance (EU/UK/Swiss)

For users in the European Economic Area, United Kingdom, or Switzerland:

  • Consent Required: We obtain consent before setting non-essential cookies
  • Granular Control: You can accept/reject specific cookie categories
  • Easy Withdrawal: Withdraw consent anytime in Account Settings
  • Pre-Checked Boxes Prohibited: Cookie preferences start with only essential cookies enabled

9.2 CCPA Compliance (California)

For California residents:

  • No Sale of Data: We do not sell personal information collected via cookies
  • Opt-Out Rights: You can disable optional cookies anytime
  • Disclosure: This policy discloses all cookies used

9.3 Other Jurisdictions

We comply with cookie laws in all jurisdictions where we operate, including:

  • Canada’s PIPEDA
  • Brazil’s LGPD
  • Australia’s Privacy Act
  • Other applicable data protection laws

10 Cookies and Security

10.1 Secure Cookie Practices

ERMITS implements secure cookie handling:

  • Secure Flag: Cookies transmitted only over HTTPS
  • HttpOnly Flag: Cookies inaccessible to JavaScript (limits what a script injected via XSS can read or steal)
  • SameSite Attribute: Cookies sent only with same-site requests (mitigates CSRF)
  • Encrypted Values: Sensitive cookie values are encrypted
  • Short Expiration: Session cookies expire quickly
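The attributes listed above are set on the server's Set-Cookie header, and their absence is easy to check in a response. The following is an added example, not ERMITS code: it builds a header with Secure, HttpOnly, SameSite and a short Max-Age applied by default, and audits an arbitrary Set-Cookie string for the same properties. The cookie value and the weak sample header are constructed; the function names and the 3600-second session limit are assumptions.

```javascript
// Added example (not ERMITS code): build and audit Set-Cookie headers with
// the attributes listed in section 10.1.

// Build a Set-Cookie header value. Every attribute the policy lists is on by
// default; callers must opt out explicitly.
function buildSetCookie(name, value, opts = {}) {
  const {
    maxAgeSeconds = 3600, // short expiry for session tokens
    sameSite = 'Lax',     // 'Strict' | 'Lax' | 'None'
    secure = true,
    httpOnly = true,
    path = '/',
  } = opts;
  // RFC 6265 token characters only; rejects names that would break parsing.
  if (!/^[A-Za-z0-9!#$%&'*+\-.^_`|~]+$/.test(name)) {
    throw new Error(`invalid cookie name: ${name}`);
  }
  if (/[\s;,"\\]/.test(value)) {
    throw new Error('cookie value must not contain whitespace, ";", ",", quotes or backslashes');
  }
  if (sameSite === 'None' && !secure) {
    // Browsers reject SameSite=None without Secure.
    throw new Error('SameSite=None requires Secure');
  }
  const parts = [`${name}=${value}`, `Path=${path}`, `Max-Age=${maxAgeSeconds}`, `SameSite=${sameSite}`];
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  return parts.join('; ');
}

// Parse a Set-Cookie header value into name, value and a lowercase
// attribute map (flag attributes map to true).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? '' : pair.slice(eq + 1);
  const attributes = {};
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return { name, value, attributes };
}

// Audit one Set-Cookie header. Returns a list of findings; empty means pass.
// isSessionToken enables the stricter checks for authentication cookies.
function auditSetCookie(header, { isSessionToken = false, maxSessionAge = 3600 } = {}) {
  const { name, attributes: a } = parseSetCookie(header);
  const findings = [];
  if (!('secure' in a)) findings.push('missing Secure: cookie may be sent over plaintext HTTP');
  if (isSessionToken && !('httponly' in a)) findings.push('missing HttpOnly: page scripts can read the token');
  const sameSite = typeof a.samesite === 'string' ? a.samesite.toLowerCase() : undefined;
  if (!sameSite) findings.push('missing SameSite: browser defaults vary; set it explicitly');
  else if (sameSite === 'none' && !('secure' in a)) findings.push('SameSite=None without Secure is rejected by browsers');
  if (isSessionToken) {
    if ('max-age' in a) {
      const age = Number(a['max-age']);
      if (!Number.isFinite(age) || age > maxSessionAge) {
        findings.push(`Max-Age ${a['max-age']} exceeds ${maxSessionAge}s for a session token`);
      }
    } else if ('expires' in a) {
      findings.push('Expires used for a session token; prefer a short Max-Age');
    }
  }
  if (name.startsWith('__Host-') && (a.path !== '/' || 'domain' in a || !('secure' in a))) {
    findings.push('__Host- prefix requires Secure, Path=/ and no Domain attribute');
  }
  return findings;
}

// Constructed samples: a weak header beside the hardened one the builder emits.
const WEAK_HEADER = 'sb-access-token=abc123; Path=/; Max-Age=2592000';
const HARDENED_HEADER = buildSetCookie('sb-access-token', 'abc123');

console.log(auditSetCookie(WEAK_HEADER, { isSessionToken: true }));     // four findings
console.log(auditSetCookie(HARDENED_HEADER, { isSessionToken: true })); // []
```

The audit treats a missing SameSite attribute as a finding even though modern browsers default to Lax, because the default is not uniform across browsers and versions; the policy's guarantee only holds when the attribute is set explicitly.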

10.2 Cookie Security Risks

Be aware of cookie-related security risks:

  • Session Hijacking: Attackers stealing session cookies
  • XSS Attacks: Malicious scripts accessing cookies
  • CSRF Attacks: Unauthorized actions using your cookies

Protect Yourself:

  • Use strong, unique passwords
  • Enable multi-factor authentication
  • Log out when finished (especially on shared devices)
  • Clear cookies on shared/public computers
  • Keep browser and OS updated
  • Use antivirus and security software

11 Local Storage and IndexedDB

11.1 Privacy-First Local Storage

ERMITS products extensively use browser local storage (localStorage, IndexedDB) for Privacy-First Architecture:

Purpose:

  • Store assessment data locally (never transmitted to servers)
  • Enable offline functionality
  • Reduce server data storage
  • Provide faster performance

Privacy Benefits:

  • Data stays local: Your data remains on your device
  • No server transmission: ERMITS doesn’t access local storage data
  • User control: You can clear local storage anytime
  • Encryption option: Sensitive data can be encrypted locally

11.2 Managing Local Storage

Clear Local Storage:

  • Within Services: Account Settings → Data → Clear Local Data
  • Browser Settings: Developer Tools → Application → Storage → Clear
  • Warning: Clearing local storage deletes locally-stored assessments and data

Backup Local Data:

  • Export data before clearing: Account Settings → Export Data
  • Download JSON/CSV backups
  • Store backups securely

12 Updates to This Cookie Policy

12.1 Policy Changes

We may update this Cookie Policy to reflect:

  • New cookies or technologies
  • Changes in legal requirements
  • Service updates or new features
  • User feedback

12.2 Notification

Material Changes:

  • 30 days’ advance notice via email
  • Updated cookie consent banner on first visit
  • Opportunity to review and adjust preferences

Non-Material Changes:

  • Update “Last Updated” date
  • Effective immediately upon posting

13 Contact Information

Cookie Policy Questions:

Email: contact@ermits.com
Subject: “Cookie Policy Inquiry”

Cookie Preferences:

Account Settings → Privacy → Cookie Preferences

Data Protection Officer (EU/UK/Swiss):

Email: contact@ermits.com
Subject: “Cookie GDPR Inquiry”

Technical Support:

Email: contact@ermits.com