Cookie Policy

How we use cookies and local storage on the Milanse platform

Last updated: March 8, 2026Effective: March 8, 2026

We use NO advertising cookies and NO third-party tracking. Only essential, security, preference, and first-party analytics cookies are used to operate and improve the Platform.

1. What Are Cookies?

Cookies are small text files that a website or application places on your device (browser or mobile) when you visit or use it. They allow the Platform to remember information about your session, preferences, and activity. In addition to cookies, we also use localStorage (a browser-based storage mechanism) and sessionStorage to store certain data locally on your device. Throughout this policy, "cookies" refers collectively to all such client-side storage mechanisms.

2. Our Approach to Cookies

Milanse is built on a privacy-first principle. We use only the minimum cookies necessary to operate the Platform securely, authenticate users, remember preferences, and understand how the Platform is used at an aggregated level. We do not participate in any cross-site advertising or behavioural tracking ecosystem.

We do NOT use third-party advertising cookies, ad networks, or tracking pixels of any kind. We do NOT sell or share cookie data with advertisers. Our cookie use is strictly limited to making the Platform work securely and to understanding how it is used so we can improve it.

3. Types of Cookies We Use

We categorise our cookies into four types. All types except Essential Cookies can be managed or opted out of (see Section 6):

Type	Purpose	Examples	Duration	Required?
Essential / Strictly Necessary	Required for the Platform to function. These cannot be disabled without breaking authentication, security, and session continuity.	Session token (auth_token), CSRF token, device fingerprint, language preference (NEXT_LOCALE), onboarding step state	Session to 30 days	Yes — cannot opt out
Security	Detect suspicious activity, prevent CSRF attacks, enforce rate limits, and flag unusual login patterns.	CSRF_token, device_id, login_attempt_count	Session to 90 days	Yes — cannot opt out
Preference / Functional	Remember your UI choices such as sidebar collapsed state, theme (if applicable), notification preferences, and search filter state.	ui_sidebar_collapsed, last_active_tab, filter_state	Up to 1 year	No — can opt out (may affect UX)
Analytics (First-Party)	Understand how users navigate the Platform at an aggregated, anonymised level. No personally identifiable information is sent to analytics tools. Used solely for improving the Platform.	page_views, feature_usage_events (anonymised)	Up to 2 years	No — can opt out

4. Essential & Security Cookies in Detail

These cookies are technically necessary and cannot be turned off:

Authentication Token (auth_token)

A JWT (JSON Web Token) stored in an HttpOnly, Secure, SameSite=Strict cookie. This is how we keep you logged in across page loads. It expires after 15 minutes; a separate refresh token (in a separate HttpOnly cookie) is used to silently renew it. We never expose your auth token to JavaScript — it is server-only accessible to prevent XSS theft.

Refresh Token

A long-lived token (30 days) stored in an HttpOnly, Secure cookie, used to obtain new auth tokens without requiring you to log in again. This is rotated on every use to prevent replay attacks.

CSRF Token

A Cross-Site Request Forgery protection token that ensures form submissions and API mutations originate from legitimate Platform pages, not malicious third-party sites.

Device Fingerprint (device_id)

A pseudonymous identifier generated from your browser/device characteristics, used to detect suspicious concurrent sessions and unusual login patterns. This is NOT used for cross-site tracking.

Language Preference (NEXT_LOCALE)

Stores your preferred language (currently English only; Hindi, Gujarati, and Marathi planned). Without this cookie, the Platform may not display in your preferred language.

5. Analytics Cookies

We use first-party analytics to understand Platform usage and improve the user experience. These analytics:

•Are first-party only — no Google Analytics, Meta Pixel, or third-party analytics scripts are used.
•Collect fully anonymised, aggregated data about page navigation and feature usage.
•Do NOT collect or transmit personally identifiable information.
•Do NOT track you across other websites.
•Data is stored on our own servers and is never shared with advertisers or third parties.
•You can opt out of analytics cookies without affecting the core functionality of the Platform.

6. Third-Party Cookies

The Platform uses a small number of third-party integrations that may set their own cookies. These are strictly limited to operational purposes:

We do not control these third-party cookies and they are governed by the respective third parties' privacy policies. We do not receive the data collected by these cookies.

Third Party	Purpose	Their Privacy Policy
Cloudflare	DDoS protection, CDN, and bot management. Cloudflare may set __cf_bm and similar cookies for security purposes.	cloudflare.com/privacypolicy
Razorpay	Payment processing. When you visit the payment page, Razorpay's checkout may set session cookies for payment security.	razorpay.com/privacy
Cloudflare Turnstile	CAPTCHA challenge on registration and login forms to detect bot traffic. May set a cookie to remember a successful challenge.	cloudflare.com/privacypolicy

7. Managing Your Cookie Preferences

You have several options to control cookies:

Browser Settings

All modern browsers allow you to view, delete, and block cookies. Instructions for common browsers:

-Chrome: Settings → Privacy and Security → Cookies and other site data
-Safari: Settings → Safari → Privacy → Block All Cookies
-Firefox: Settings → Privacy & Security → Enhanced Tracking Protection
-Edge: Settings → Privacy, search, and services → Cookies

Impact of Blocking Cookies

If you block Essential or Security cookies, you will not be able to log in or use the Platform. If you block Preference cookies, the Platform will not remember your UI settings between sessions. If you block Analytics cookies, your usage will not be counted in our aggregated statistics — this has no functional impact on your use of the Platform.

Mobile App

The mobile application uses AsyncStorage and SecureStore (on React Native builds) instead of browser cookies. You can clear this data by logging out, clearing app cache in your device settings, or uninstalling the application.

8. Do Not Track

Some browsers send a "Do Not Track" (DNT) signal. We respect DNT signals where technically feasible. When we detect a DNT signal, we disable all non-essential analytics cookies for that session. We never use tracking-based advertising regardless of DNT status.

9. Cookie Retention

Cookies and local storage data are retained for the following periods:

•Session cookies: Deleted when you close your browser.
•Authentication cookies: Expire after 15 minutes (auth token) or 30 days (refresh token).
•Preference cookies: Retained for up to 1 year or until you clear them.
•Analytics cookies: Retained for up to 2 years in anonymised, aggregated form.
•Security cookies (device fingerprint): Retained for up to 90 days.

10. Changes to This Cookie Policy

We may update this Cookie Policy from time to time. Material changes will be notified via in-app banner and email. The date at the top of this page reflects when it was last revised. Continued use of the Platform after any changes constitutes acceptance of the revised Cookie Policy.

11. Contact Us

For questions about our use of cookies or to exercise your data rights, contact us at privacy@milanse.com or write to our Data Protection Officer at dpo@milanse.com. We respond to all privacy inquiries within 15 business days.

This document was last updated on March 8, 2026. If you have questions about this document, please contact us at legal@matrimony.com.