LegalCookie Policy
Cookie Policy
1. Who we are
This Cookie Policy explains how [PENDING: LEGAL_ENTITY_NAME] (Being Optimal, Site Nutrition) uses cookies, local storage, pixels/beacons, and similar technologies on beingoptimal.org and related product surfaces.
Controller details and contacts: Privacy Policy and Contact & Legal Notices. Privacy questions: [email protected].
2. What are cookies and similar technologies?
Cookies are small text files stored on your device by a website. Local storage / session storage can hold larger key-value data in the browser. Beacons / pixels are small requests that tell a server an event occurred (for example, a link click). Service workers and push subscriptions enable offline/PWA and notification features.
We use “cookies” in this policy as a convenient umbrella for these technologies unless a distinction matters.
3. How we use these technologies
3.1 Essential / strictly necessary
These are required to provide the service you request. They do not require consent under ePrivacy regimes that exempt strictly necessary cookies (counsel to confirm for each launch market).
| Technology | Provider / scope | Purpose | Typical duration |
|---|---|---|---|
| Authentication / session cookies | Authentication Provider (first-party or provider-controlled on auth domains) | Sign-in, session integrity, CSRF/session protection | Session or provider-defined persistent session |
| Environment / workspace selection cookie or storage | First-party Being Optimal | Remember which Environment (planning profile) is active | Session or longer preference lifetime |
| Security / load-balancing / edge cookies | CDN / Edge Network Provider, Hosting Provider | Deliver the site securely and reliably | Short-lived / provider-defined |
| Preference flags needed for core UX | First-party | Basic functional preferences required for the product shell | Varies |
Without essential auth cookies, signed-in planner features cannot work.
3.2 Functional preferences (often localStorage)
| Technology | Purpose | Notes |
|---|---|---|
| Theme preference (e.g., light/dark) | Remember UI theme | Typically localStorage, not a cookie |
| Dashboard UI state | Client-side layout/state for the planner | May be local until synced; not advertising |
| Help Center search index (Pagefind) | Client-side search over help content | Runs in the browser; search queries for help search do not leave the device (this promise does not apply to the AI assistant) |
3.3 Push notifications (optional)
If you enable browser notifications, your browser creates a Web Push subscription (VAPID). We store the subscription endpoint and related cryptographic keys server-side so we can deliver transactional or product notifications you opted into.
| Item | Detail |
|---|---|
| Technology | Browser Web Push / VAPID / Web Push |
| Third-party push SaaS | Not used (browser push only) |
| Control | Browser site settings + in-product notification preferences |
| Withdrawal | Disable notifications in browser/OS and/or product settings; deleting account should remove primary records subject to Privacy Policy caveats |
Push is optional and not required to browse public pages.
3.4 Outbound partner click beacon (first-party, pseudonymous)
When you click certain partner/affiliate or Certified brand outbound links, we may record a first-party analytics event (conceptually outbound_clicks) including fields such as brand id, destination URL, surface, and partner flag.
| Property | Our posture |
|---|---|
| User id on click row | Not stored |
| IP address | Used transiently for rate limiting; not stored on the click record |
| Purpose | Measure partner/affiliate performance; fraud/rate-limit protection |
| Character | Pseudonymous event — not designed to identify you in storage |
| Related policy | Advertising & Affiliate Disclosure |
This is not a third-party advertising cookie network.
3.5 Consent-gated first-party catalog analytics
We may collect first-party, self-hosted analytics about catalog interactions (for example, which foods users choose) when you have consented via in-product controls. These events are processed on our own infrastructure (not sold to ad networks) and retained as needed for product improvement (As needed for product improvement (first-party, pseudonymous)).
If we expand analytics in a way that introduces non-essential cookies or third-party trackers, we will update this policy and implement an appropriate consent banner where required.
3.6 What we do not use (current posture)
As of this draft, Being Optimal’s privacy posture is:
- No third-party advertising cookies or ad pixels
- No third-party session-replay products
- No third-party marketing analytics suites or error-tracking SaaS wired into the consumer app for behavioral tracking
- No CAPTCHA vendor cookies as a standard dependency
- Authentication Provider product telemetry intended to be minimized/disabled where configurable
Therefore: while this essential-only / first-party-only posture remains accurate, we do not display a multi-purpose cookie consent banner for non-essential third-party cookies. If that changes, we will ship a banner and update this policy.
Operator note: Engineering must keep live headers and third-party scripts consistent with this claim. If any non-essential third-party cookie is introduced, treat it as a material privacy change.
4. Cookie and storage inventory (summary)
Exact cookie names may change as the Authentication Provider or hosting stack updates. The categories and purposes below are controlling for disclosure.
4.1 Essential authentication
- Session and client trust cookies set by the Authentication Provider during sign-in and session refresh
- May be first-party on beingoptimal.org and/or on provider-controlled domains necessary for auth
- Contents typically include session identifiers — not your meal logs or health journal body text
4.2 First-party app
- Environment selection
- CSRF or similar protection tokens if used by app routes
- Feature flags required for routing
4.3 Local storage examples
- Theme
- Transient client planner state / unsaved edits (synced data also goes to the Database Provider when you save/sync)
- PWA-related caches via service worker (for performance/offline shells) — service workers must not incorrectly serve the marketing root inside the dashboard iframe (implementation detail; not a tracking feature)
4.4 Server-side identifiers related to clients
Not always “cookies,” but related:
| Record | Purpose |
|---|---|
| Push subscription rows | Deliver Web Push |
| Session/auth subject id | Account security and RLS |
| Pseudonymous outbound click rows | Partner measurement |
5. Legal bases (EEA/UK summary)
| Category | Typical basis |
|---|---|
| Strictly necessary cookies | Legitimate interests / exemption for transmission of a service requested by the user (ePrivacy); GDPR Art. 6(1)(b) or (f) as applicable |
| Optional push | Consent (browser permission + product opt-in) |
| Consent-gated first-party analytics | Consent where required; otherwise legitimate interests with opt-out if applicable |
| Pseudonymous outbound click logging | Legitimate interests (partner measurement, abuse prevention) with transparency; counsel to confirm |
Special-category health data is not placed in marketing cookies. Health data processing is described in the Privacy Policy.
6. Managing cookies and similar technologies
6.1 Browser controls
You can block or delete cookies via browser settings. Blocking essential authentication cookies will prevent sign-in and synced planner use.
6.2 Local storage
Browsers allow clearing site data (cookies + storage). Clearing storage may reset theme and local-only state and may sign you out.
6.3 Push
Use browser site settings → Notifications → block, and/or in-product notification preferences.
6.4 Analytics consent
Where we present an in-product analytics toggle, you may withdraw consent prospectively. Historical first-party analytics rows may be retained in aggregate/pseudonymous form as described in the Privacy Policy.
6.5 Do Not Track / GPC
We do not currently alter essential cookies based on legacy “DNT” headers. For US state opt-out signals (for example, Global Privacy Control) relevant to sale/share of personal information: our current model does not sell personal information and does not use third-party ad cookies; see Privacy Policy US annex. If our practices change, we will honor applicable browser signals as required by law.
7. Third-party cookies
7.1 Authentication Provider
Sign-in may involve cookies on Authentication Provider domains. Those cookies are essential to authentication. See the provider’s documentation via our Sub-processor List.
7.2 Community Platform Provider
If you visit the community host (https://community.beingoptimal.org), the Community Platform Provider may set its own essential session cookies for forum use. Community is a separate surface; review any cookie notice on that host if presented.
7.3 Embedded third parties
We aim not to embed third-party social, video, or advertising iframes that set tracking cookies on primary product pages. If a future embed requires it, we will update this policy and consent UX.
7.4 AI Model Providers
AI calls are server-side API requests, not browser cookies set by model vendors in your browser for advertising.
7.5 Reverse-Geocoding Provider
Location reverse-lookup is a server-side call with transient coordinates; it does not set a geolocation advertising cookie on your device.
8. Relationship to other documents
| Topic | Document |
|---|---|
| Full data practices | Privacy Policy |
| Partner links | Advertising & Affiliate Disclosure |
| Account terms | Terms of Service |
| Named vendors | Sub-processor List |
| Electronic notices | Electronic Communications |
9. Changes
We may update this Cookie Policy when our technologies change. Material changes (especially introducing non-essential third-party cookies) will be highlighted and, where required, accompanied by a consent mechanism and re-notice.
Version: 1.0.0-draft · Effective: 2026-07-13
10. Contact
[email protected] · [email protected] · [email protected] [PENDING: LEGAL_ENTITY_NAME] · [PENDING: REGISTERED_ADDRESS]
11. Document control
| Field | Value |
|---|---|
| Suite version | 1.0.0-draft |
| Effective date | 2026-07-13 |
| Session | legal-suite-20260713 |
| Status | Operator draft — counsel review required |
| Consent banner | Not required under current essential-only / no third-party non-essential cookie posture |