Cookie Policy

What cookies we use

Shop-OS uses only strictly necessary cookies. These are required for the service to function and cannot be disabled.

Session cookies

When you sign in to Shop-OS, Auth.js sets a session cookie to keep you authenticated. This cookie expires after 24 hours (8 hours for admin users). It contains no personally identifiable information beyond an encrypted session token.

CSRF tokens

Auth.js also sets a CSRF token cookie to protect against cross-site request forgery attacks. This is a security requirement and cannot be disabled.

No consent banner needed

Because we set only strictly necessary cookies, we are not required under PECR to show a cookie consent banner. If we introduce analytics or marketing cookies in future, we will update this policy and introduce a consent mechanism.

Contact

For any questions about cookies, contact privacy@shop-os.app.