Cookie Policy
This Cookie Policy explains what cookies and similar storage technologies Nova8 uses on its website at https://nova8.dev and in the Nova8 web application, why we use them, and how you can control them. It is a companion to our Privacy Policy.
1. What is a cookie?
A cookie is a small text file a website stores in your browser. It lets the site remember information between visits or between pages within the same visit. “Similar technologies” in this policy means anything functionally equivalent — localStorage, sessionStorage, IndexedDB, and HTTP-only authentication tokens stored on your device.
2. The cookies and storage we use
Nova8 uses a deliberately small set of first-party storage items. We do not set advertising cookies, retargeting pixels, social-media tracking pixels, or third-party analytics that fire before you sign in.
2.1 Strictly necessary
These are required for the Services to work and cannot be turned off. No consent is required for them under EU/UK law because the Services would not function without them.
| Name | What it does | How long it lasts |
|---|---|---|
| x-auth-token (HTTP header + browser storage) | Identifies your authenticated session so the application can fetch your projects. Without it you cannot stay signed in. | Until you sign out or until you clear your browser storage. |
| nova8.theme (localStorage) | Remembers whether you chose light or dark mode. | Until you clear your browser storage. |
| nova8.last-project (localStorage) | Remembers which project you had open last so we can take you back to it on next sign-in. | Until you clear your browser storage. |
| CSRF token (request header) | Protects state-changing requests from cross-site request forgery. | Re-issued on every authenticated request. |
2.2 Functional
These remember preferences you have set. They are first-party and do not track you across other sites.
| Name | What it does | How long it lasts |
|---|---|---|
| nova8.preferred-model (localStorage) | Remembers your last-selected build-agent model and effort level so the composer opens to the right defaults. | Until you clear your browser storage. |
| nova8.dock-state (localStorage) | Remembers whether you collapsed or expanded the project workspace dock. | Until you clear your browser storage. |
| nova8.dismissed-banners (localStorage) | Tracks which in-product banners and tips you have dismissed so we do not show them again. | Until you clear your browser storage. |
2.3 Performance and analytics
We log server-side telemetry (request paths, response codes, latencies, error stack traces) to keep the platform fast and reliable. This telemetry uses your IP address and user-agent string as described in our Privacy Policy, but it is processed on our own infrastructure — we do not embed third-party analytics tags such as Google Analytics, Mixpanel, Segment, Amplitude, or Heap.
2.4 Stripe (payments only)
If you visit the Billing page or open the checkout flow, Stripe loads on the page and may set the following first- and third-party cookies for fraud-prevention and to keep your checkout session intact. These cookies are set under Stripe’s own privacy policy (see stripe.com/privacy) and are required for secure card processing. They are not set on any page that does not load Stripe.
| Name | Set by | What it does | How long it lasts |
|---|---|---|---|
| __stripe_mid | js.stripe.com | Long-lived machine identifier used by Stripe’s fraud-detection system (Stripe Radar) to recognise repeat browsers across payment attempts. | Up to 1 year. |
| __stripe_sid | js.stripe.com | Short-lived session identifier used by Stripe Radar to correlate the events of a single checkout session. | 30 minutes. |
| m | m.stripe.com | Stripe’s persistent device identifier for fraud detection across sites that use Stripe. | Up to 2 years. |
| cid | m.stripe.network | Correlates the loaded Stripe checkout iframe with the parent page during a payment attempt. | Session. |
3. Third-party authentication providers
If you choose to sign in with Google or with Apple, those providers may set their own cookies on the sign-in screen they host. Those cookies are governed by Google’s and Apple’s privacy policies, not ours.
| Provider | What we redirect to | What is set | Reference |
|---|---|---|---|
| Google Sign-In | accounts.google.com | Google session cookies (SID, HSID, SSID, NID, etc.) on the Google domain during the OAuth handshake. Nova8 only receives an authorisation code or ID token from Google and stores no Google cookies on our domain. | policies.google.com/technologies/cookies |
| Sign in with Apple | appleid.apple.com | Apple ID session cookies on the Apple domain during the OAuth handshake. Nova8 only receives Apple’s identity token and stores no Apple cookies on our domain. | apple.com/legal/privacy |
After the redirect completes, the only Nova8 cookie set on our origin is the x-auth-token session cookie described in Section 2.1.
4. How to control cookies
- Block all cookies in your browser. Every modern browser lets you block cookies and clear stored data. Doing so will sign you out of Nova8 and may break parts of the dashboard that rely on remembered preferences.
- Sign out. Signing out clears your authentication token. You can also clear individual nova8.* entries from your browser’s developer tools at any time.
4.1 Browser-specific instructions
Each major browser publishes its own help page on managing cookies and site data. The links below open in a new tab.
- Google Chrome. support.google.com/chrome/answer/95647
- Mozilla Firefox. support.mozilla.org — cookies
- Apple Safari (macOS). support.apple.com/guide/safari/sfri11471
- Apple Safari (iOS / iPadOS). support.apple.com/HT201265
- Microsoft Edge. support.microsoft.com — delete cookies
- Brave. support.brave.com — cookies and site data
4.2 Global Privacy Control (GPC) and Do Not Track (DNT)
GPC. Nova8 reads the Sec-GPC: 1 request header. Where applicable law (currently the California CPRA, Colorado CPA, and Connecticut CTDPA, among others) treats GPC as a valid opt-out signal for the “sale” or “sharing” of personal information, we treat it as such automatically — even though, as explained in our Privacy Policy, Nova8 does not in fact sell or share personal information for cross-context behavioural advertising on any tier. We do not require you to be signed in for GPC to be respected; the signal is honoured for the browser session that sends it.
DNT. Major browsers have largely deprecated the older DNT: 1 header because there is no industry-wide consensus on what websites should do when they receive it. Nova8 does not embed third-party advertising or cross-site tracking, so DNT does not change anything we do; we treat DNT: 1 as equivalent to GPC for the limited purposes described above.
4.3 EU / UK consent
Because we set no non-essential cookies that require prior consent, we do not show a consent banner. If we ever introduce non-essential cookies (for example, an opt-in product analytics tag), we will add a banner asking for your consent before any such cookie is set.
5. Changes to this policy
We will update this Cookie Policy if we add, remove, or materially change a cookie or storage item. The “Last updated” date at the top of this page always reflects the most recent version.
6. Contact
Questions about cookies or storage on Nova8? Email [email protected].