Short version: we use strictly-necessary browser storage for the parts of the site that have to remember things across pages (your theme, your sign-in session, whether you've seen the cookie banner). Analytics is opt-in only and currently not running. We don't use third-party advertising trackers anywhere. Read on for the long version.
1. What this covers
This policy explains what CorperaHQ stores in your browser when you visit corperahq.com, the application surfaces (master.corperahq.com, panel.corperahq.com, erp.corperahq.com), and our public API at api.corperahq.com.
For privacy-policy fundamentals — what personal data we collect server-side and why — see the Privacy Policy. For our data-processing role when you're a customer organisation, see the Data Processing Agreement.
2. Cookies vs localStorage — and why we mostly use the second
Most of what we store on your device lives in localStorage, not traditional HTTP cookies. The privacy and consent regulations that cover “cookies” (e.g. ePrivacy, GDPR) apply to both — they cover any client-side storage that's not strictly necessary for the service the user requested. So this policy treats them as one category.
3. Strictly necessary storage
These are required for the site / app to work. They are exempt from consent under ePrivacy because you explicitly asked for the page they support. We use them regardless of your cookie-banner choice.
- Theme (corperahq_theme in localStorage) — remembers your light / dark / system preference so the site doesn't flash on every visit.
- Cookie-consent choice (corperahq_cookie_consent in localStorage) — remembers that you accepted or declined the banner, so we don't show it again.
- Sign-in session (humvora_master_token / equivalent in localStorage on the app surfaces) — short-lived JWT that keeps you signed in until you log out. Rotates on every authenticated call.
- Comparator-tier choice (corpera-compare-tier in localStorage on the marketing site) — remembers the team-size pill you picked on the comparison section so you don't lose it on refresh.
- Rate-limit + abuse cookies — the public API uses short-lived HTTP cookies to throttle automated form spam. These do not identify you and expire within minutes.
You can clear these any time from your browser's storage panel. Doing so will log you out of the app and reset your preferences.
4. Analytics (opt-in only — currently off)
We'd like to know which pages people find useful and which fall flat. If we enable analytics in the future, we will:
- Only enable it for visitors who actively pick Accept on the consent banner.
- Use a privacy-preserving provider with IP truncation and no cross-site tracking.
- Update this policy and the banner copy before it starts collecting data, with at least 14 days' notice.
At the time of this update, analytics is not active. You can verify this by opening your browser's network tab and noticing the absence of third-party tracking requests.
5. Marketing-events log (server-side)
When you interact with certain bits of the marketing page (e.g. clicking the team-size pills on the comparison section), the site fires a small POST /public/events request to our own API recording the event kind and a sanitised payload. This is server-side only, attached to your IP for abuse-prevention, and not joined with personal data. We use it to understand which parts of the marketing page operators find useful.
Records expire after 90 days via a database TTL index. If you object to this specific telemetry, write to hello@corperahq.com — we'll add an opt-out and apologise for the friction.
6. Sub-processors that may set cookies
Our infrastructure providers may set strictly-necessary technical cookies of their own (e.g. load-balancing, DDoS challenge cookies) when serving the site. These do not track you across sites.
- Vercel — marketing-site hosting (challenge cookies on edge requests).
- Cloudflare — DDoS mitigation on the API, when active.
- AWS — application hosting; no end-user cookies are set by AWS directly.
We do not use Google Analytics, Meta Pixel, LinkedIn Insight, Hotjar, FullStory, Segment, or any other third-party advertising / cross-site analytics tracker.
7. How to control what we store
- Decline the banner. Click “Decline” on the cookie banner. We'll remember that choice via a single localStorage entry and will not activate optional analytics for you in the future.
- Browser controls. Most browsers let you block cookies and localStorage per-site under Settings → Privacy. Blocking strictly-necessary storage will break sign-in and theme persistence.
- Clear it. Open your browser's developer tools, go to Application / Storage → Local Storage → corperahq.com, and delete the entries. This logs you out and resets the banner.
- Global signals. We honour Sec-GPC (Global Privacy Control). Sending the signal is treated as a Decline for non-essential storage.
8. Changes to this policy
When we change this policy materially (e.g. adding a new category of storage, enabling analytics), we will:
- Update the “Last updated” date above;
- Show the cookie banner again so you can re-decide;
- Note the change in the in-app changelog at /changelog.
9. Contact
Questions about what we store, what we don't, or how to delete it should go to hello@corperahq.com. For data-subject requests under GDPR / similar laws, see the Privacy Policy.