Cookie Policy
Last updated: 2026-05-16 · Version 1.0
A cookie is a small text file a website stores in your browser. Okto's use of cookies is intentionally minimal — we don't run advertising or third-party analytics on the verification flow.
1. Cookies on the guest verification flow
None. The guest flow (the screens where you scan your document and take a selfie) does not set any cookies. Your session token lives in the URL while the flow is active; nothing is persisted in your browser after you close the tab.
2. Cookies on the Okto admin dashboard
The dashboard (logged-in interface for hospitality partners) sets:
- sb-access-token / sb-refresh-token — Supabase authentication. HTTP-only, SameSite=Lax, Secure. Necessary for the dashboard to function (legal basis: Art. 6(1)(b) GDPR — contract performance, since the user is logging into an account they own).
- __vercel-... — Vercel's edge-network routing cookies. Necessary for load balancing.
None of these cookies is used for tracking or profiling.
3. Cookies we do not set
- No advertising cookies.
- No third-party analytics (no Google Analytics, no Plausible, no Mixpanel).
- No social-network embedded buttons.
- No retargeting pixels.
If we ever add product analytics, we will update this page and (where consent is required by Art. 5(3) of the ePrivacy Directive) display a banner before any non-essential cookie is set.
4. Controlling cookies
Browser settings let you block or delete cookies. Blocking Supabase's authentication cookies will prevent the dashboard from working; the guest flow itself is unaffected since it uses no cookies.
5. Changes
Updates to this policy will be published on this page. If we introduce a category of cookies that requires consent, the change will roll out together with a consent prompt.