/cookie policy
one cookie. that's it.
last updated: february 2026 · UK PECR & EU ePrivacy compliant
tl;dr
We use a single strictly-necessary cookie that keeps you logged in. We don't use Google Analytics, Mixpanel, Hotjar, ad-network pixels, or any third-party tracking. If we ever did, this page would have a consent toggle. It doesn't.
what we set
| name | purpose | duration | category |
|---|---|---|---|
| access_token | Keeps you logged in. Short-lived JWT, HttpOnly + Secure. | 15 minutes | strictly necessary |
| refresh_token | Renews your session when access_token expires. HttpOnly + Secure. | 30 days | strictly necessary |
localStorage / sessionStorage
We also use small amounts of browser storage (not cookies, but worth disclosing):
- jv_cookie_notice_dismissed_v1 — remembers you closed the cookie banner.
- vault_unlocked_once — skips the unlock splash on subsequent dashboard visits within the same browser session.
- jv_ai_consent_v1 — remembers your one-time consent to send job-ad text and CV bullets to the Vault Coach AI.
third-party cookies
When you take specific actions, these third-party cookies may be set by their own domains (not by us):
- Stripe — sets fraud-prevention cookies on its own checkout pages when you upgrade to Premium / Unlimited. See stripe.com/privacy.
- Cloudflare — sets a security cookie (__cf_bm) to mitigate bot attacks across the jobvault.co.uk domain.
disabling cookies
Strictly-necessary cookies are required for the app to work — if you block access_token and refresh_token, you won't be able to log in. All major browsers let you disable cookies in settings; we recommend doing so per-site rather than globally.
See also our Privacy Policy and Terms of Service.