Skip to content
Being Optimal
Trust CenterPrivacyTermsPlans

Legal / Cookie Policy

Cookie Policy

Version 1.0.0-draft · Effective 2026-07-13 · Operator [PENDING: LEGAL_ENTITY_NAME]

Operator draft — not legal advice; counsel review required before relying on this text.

At a glance

  • We use essential cookies and similar technologies so you can sign in, stay signed in, and run the app.
  • Theme and some UI preferences may live in localStorage (not cookies).
  • Optional browser push uses Web Push / VAPID subscription data if you enable notifications.
  • Partner outbound clicks may be recorded as pseudonymous first-party events (no user id stored on the click row).
  • We do not currently use non-essential third-party advertising or analytics cookies — so no cookie-consent banner is required while that remains true.
  • Consent-gated first-party catalog analytics (if enabled) is not third-party adtech; we will update this policy if that changes.

The full terms below control.

Contents

  1. 1. Who we are
  2. 2. What are cookies and similar technologies?
  3. 3. How we use these technologies
  4. 3.1 Essential / strictly necessary
  5. 3.2 Functional preferences (often localStorage)
  6. 3.3 Push notifications (optional)
  7. 3.4 Outbound partner click beacon (first-party, pseudonymous)
  8. 3.5 Consent-gated first-party catalog analytics
  9. 3.6 What we do
  10. 4. Cookie and storage inventory (summary)
  11. 4.1 Essential authentication
  12. 4.2 First-party app
  13. 4.3 Local storage examples
  14. 4.4 Server-side identifiers related to clients
  15. 5. Legal bases (EEA/UK summary)
  16. 6. Managing cookies and similar technologies
  17. 6.1 Browser controls
  18. 6.2 Local storage
  19. 6.3 Push
  20. 6.4 Analytics consent
  21. 6.5 Do Not Track / GPC
  22. 7. Third-party cookies
  23. 7.1 Authentication Provider
  24. 7.2 Community Platform Provider
  25. 7.3 Embedded third parties
  26. 7.4 AI Model Providers
  27. 7.5 Reverse-Geocoding Provider
  28. 8. Relationship to other documents
  29. 9. Changes
  30. 10. Contact
  31. 11. Document control

1. Who we are

This Cookie Policy explains how [PENDING: LEGAL_ENTITY_NAME] (Being Optimal, Site Nutrition) uses cookies, local storage, pixels/beacons, and similar technologies on beingoptimal.org and related product surfaces.

Controller details and contacts: Privacy Policy and Contact & Legal Notices. Privacy questions: [email protected].


2. What are cookies and similar technologies?

Cookies are small text files stored on your device by a website. Local storage / session storage can hold larger key-value data in the browser. Beacons / pixels are small requests that tell a server an event occurred (for example, a link click). Service workers and push subscriptions enable offline/PWA and notification features.

We use “cookies” in this policy as a convenient umbrella for these technologies unless a distinction matters.


3. How we use these technologies

3.1 Essential / strictly necessary

These are required to provide the service you request. They do not require consent under ePrivacy regimes that exempt strictly necessary cookies (counsel to confirm for each launch market).

Technology Provider / scope Purpose Typical duration
Authentication / session cookies Authentication Provider (first-party or provider-controlled on auth domains) Sign-in, session integrity, CSRF/session protection Session or provider-defined persistent session
Environment / workspace selection cookie or storage First-party Being Optimal Remember which Environment (planning profile) is active Session or longer preference lifetime
Security / load-balancing / edge cookies CDN / Edge Network Provider, Hosting Provider Deliver the site securely and reliably Short-lived / provider-defined
Preference flags needed for core UX First-party Basic functional preferences required for the product shell Varies

Without essential auth cookies, signed-in planner features cannot work.

3.2 Functional preferences (often localStorage)

Technology Purpose Notes
Theme preference (e.g., light/dark) Remember UI theme Typically localStorage, not a cookie
Dashboard UI state Client-side layout/state for the planner May be local until synced; not advertising
Help Center search index (Pagefind) Client-side search over help content Runs in the browser; search queries for help search do not leave the device (this promise does not apply to the AI assistant)

3.3 Push notifications (optional)

If you enable browser notifications, your browser creates a Web Push subscription (VAPID). We store the subscription endpoint and related cryptographic keys server-side so we can deliver transactional or product notifications you opted into.

Item Detail
Technology Browser Web Push / VAPID / Web Push
Third-party push SaaS Not used (browser push only)
Control Browser site settings + in-product notification preferences
Withdrawal Disable notifications in browser/OS and/or product settings; deleting account should remove primary records subject to Privacy Policy caveats

Push is optional and not required to browse public pages.

3.4 Outbound partner click beacon (first-party, pseudonymous)

When you click certain partner/affiliate or Certified brand outbound links, we may record a first-party analytics event (conceptually outbound_clicks) including fields such as brand id, destination URL, surface, and partner flag.

Property Our posture
User id on click row Not stored
IP address Used transiently for rate limiting; not stored on the click record
Purpose Measure partner/affiliate performance; fraud/rate-limit protection
Character Pseudonymous event — not designed to identify you in storage
Related policy Advertising & Affiliate Disclosure

This is not a third-party advertising cookie network.

3.5 Consent-gated first-party catalog analytics

We may collect first-party, self-hosted analytics about catalog interactions (for example, which foods users choose) when you have consented via in-product controls. These events are processed on our own infrastructure (not sold to ad networks) and retained as needed for product improvement (As needed for product improvement (first-party, pseudonymous)).

If we expand analytics in a way that introduces non-essential cookies or third-party trackers, we will update this policy and implement an appropriate consent banner where required.

3.6 What we do not use (current posture)

As of this draft, Being Optimal’s privacy posture is:

  • No third-party advertising cookies or ad pixels
  • No third-party session-replay products
  • No third-party marketing analytics suites or error-tracking SaaS wired into the consumer app for behavioral tracking
  • No CAPTCHA vendor cookies as a standard dependency
  • Authentication Provider product telemetry intended to be minimized/disabled where configurable

Therefore: while this essential-only / first-party-only posture remains accurate, we do not display a multi-purpose cookie consent banner for non-essential third-party cookies. If that changes, we will ship a banner and update this policy.

Operator note: Engineering must keep live headers and third-party scripts consistent with this claim. If any non-essential third-party cookie is introduced, treat it as a material privacy change.


4. Cookie and storage inventory (summary)

Exact cookie names may change as the Authentication Provider or hosting stack updates. The categories and purposes below are controlling for disclosure.

4.1 Essential authentication

  • Session and client trust cookies set by the Authentication Provider during sign-in and session refresh
  • May be first-party on beingoptimal.org and/or on provider-controlled domains necessary for auth
  • Contents typically include session identifiers — not your meal logs or health journal body text

4.2 First-party app

  • Environment selection
  • CSRF or similar protection tokens if used by app routes
  • Feature flags required for routing

4.3 Local storage examples

  • Theme
  • Transient client planner state / unsaved edits (synced data also goes to the Database Provider when you save/sync)
  • PWA-related caches via service worker (for performance/offline shells) — service workers must not incorrectly serve the marketing root inside the dashboard iframe (implementation detail; not a tracking feature)

4.4 Server-side identifiers related to clients

Not always “cookies,” but related:

Record Purpose
Push subscription rows Deliver Web Push
Session/auth subject id Account security and RLS
Pseudonymous outbound click rows Partner measurement

5. Legal bases (EEA/UK summary)

Category Typical basis
Strictly necessary cookies Legitimate interests / exemption for transmission of a service requested by the user (ePrivacy); GDPR Art. 6(1)(b) or (f) as applicable
Optional push Consent (browser permission + product opt-in)
Consent-gated first-party analytics Consent where required; otherwise legitimate interests with opt-out if applicable
Pseudonymous outbound click logging Legitimate interests (partner measurement, abuse prevention) with transparency; counsel to confirm

Special-category health data is not placed in marketing cookies. Health data processing is described in the Privacy Policy.


6. Managing cookies and similar technologies

6.1 Browser controls

You can block or delete cookies via browser settings. Blocking essential authentication cookies will prevent sign-in and synced planner use.

6.2 Local storage

Browsers allow clearing site data (cookies + storage). Clearing storage may reset theme and local-only state and may sign you out.

6.3 Push

Use browser site settings → Notifications → block, and/or in-product notification preferences.

6.4 Analytics consent

Where we present an in-product analytics toggle, you may withdraw consent prospectively. Historical first-party analytics rows may be retained in aggregate/pseudonymous form as described in the Privacy Policy.

6.5 Do Not Track / GPC

We do not currently alter essential cookies based on legacy “DNT” headers. For US state opt-out signals (for example, Global Privacy Control) relevant to sale/share of personal information: our current model does not sell personal information and does not use third-party ad cookies; see Privacy Policy US annex. If our practices change, we will honor applicable browser signals as required by law.


7. Third-party cookies

7.1 Authentication Provider

Sign-in may involve cookies on Authentication Provider domains. Those cookies are essential to authentication. See the provider’s documentation via our Sub-processor List.

7.2 Community Platform Provider

If you visit the community host (https://community.beingoptimal.org), the Community Platform Provider may set its own essential session cookies for forum use. Community is a separate surface; review any cookie notice on that host if presented.

7.3 Embedded third parties

We aim not to embed third-party social, video, or advertising iframes that set tracking cookies on primary product pages. If a future embed requires it, we will update this policy and consent UX.

7.4 AI Model Providers

AI calls are server-side API requests, not browser cookies set by model vendors in your browser for advertising.

7.5 Reverse-Geocoding Provider

Location reverse-lookup is a server-side call with transient coordinates; it does not set a geolocation advertising cookie on your device.


8. Relationship to other documents

Topic Document
Full data practices Privacy Policy
Partner links Advertising & Affiliate Disclosure
Account terms Terms of Service
Named vendors Sub-processor List
Electronic notices Electronic Communications

9. Changes

We may update this Cookie Policy when our technologies change. Material changes (especially introducing non-essential third-party cookies) will be highlighted and, where required, accompanied by a consent mechanism and re-notice.

Version: 1.0.0-draft · Effective: 2026-07-13


10. Contact

[email protected] · [email protected] · [email protected] [PENDING: LEGAL_ENTITY_NAME] · [PENDING: REGISTERED_ADDRESS]


11. Document control

Field Value
Suite version 1.0.0-draft
Effective date 2026-07-13
Session legal-suite-20260713
Status Operator draft — counsel review required
Consent banner Not required under current essential-only / no third-party non-essential cookie posture

Content hash: c3bfc189fbe8… · Built 2026-07-15

← Back to Legal hub

© 2026 Being Optimal · Planning context, not medical advice.

Legal hub · Terms · Privacy · Cookies · Medical disclaimer · Contact