Cookie Policy
Quick Summary
- Rakomi uses only strictly necessary cookies and web storage. We do not use tracking, analytics, or advertising cookies.
- Because all storage is strictly necessary for the service, no consent banner is required.
- We use two session cookies (
__ra_sessionfor the dashboard,__ra_sessionfor the accounts/consent UI), one preference cookie (rakomi-lang), and three localStorage items — all essential for service functionality. - No third-party cookies are set by Rakomi. All social login providers (Google, GitHub, Microsoft, Apple, Discord, Facebook, Slack, Twitter/X, GitLab, and LinkedIn) operate server-side (state stored in database, not cookies).
Effective Date: 2026-03-24 Version: 5
1. Legal Basis
This Cookie Policy is provided pursuant to:
- Art. 399 of Prawo komunikacji elektronicznej (PKE, Dz.U.2024.1221) — which replaced Art. 173 of Prawo telekomunikacyjne on November 10, 2024. Art. 399 governs all storage of information or access to information stored on terminal equipment (cookies, localStorage, sessionStorage, IndexedDB, Cache API, Service Workers).
- Art. 5(3) of the ePrivacy Directive (Directive 2002/58/EC as amended) — the EU-level framework transposed by PKE Art. 399.
Strictly necessary exemption: Art. 399 ust. 3 pkt 2 PKE exempts storage that is "niezbędne do świadczenia usługi" (strictly necessary for service delivery) from the consent requirement. All cookies and web storage used by Rakomi qualify under this exemption.
2. Cookies
2.1 Cookies Set by Rakomi
| Cookie Name | Purpose | Duration | Type | Strictly Necessary Justification |
|---|---|---|---|---|
__ra_session |
Dashboard session authentication. Contains encrypted session token for maintaining authenticated state across page loads. | Session (expires on browser close) or per session TTL | First-party, HTTP-only, Secure, SameSite=Lax | Without this cookie, users cannot maintain an authenticated session in the dashboard. Authentication is the core function of the service. |
__ra_session |
Accounts and consent UI session. Maintains the authenticated state during OAuth authorization flows (login, consent screen, grant management). | Session (expires on browser close) or 30 days if "remember me" is selected | First-party, HTTP-only, Secure, SameSite=Lax | Without this cookie, users cannot complete OAuth authorization flows or manage their consent grants. The login and consent screens are essential components of the authentication service. |
rakomi-lang |
Stores the user's preferred language (en or pl). Set with domain=.rakomi.com so the preference is shared between the landing page (rakomi.com) and the dashboard (dashboard.rakomi.com). Also mirrored to localStorage — see Section 3. |
1 year | First-party, JavaScript-accessible, SameSite=Lax | Required to preserve the user's explicit language choice across the landing page and dashboard. Without this cookie, a user who selected English would be redirected to Polish on every visit, and language changes made on the landing page would not be reflected in the dashboard. Contains no personal data — stores only en or pl. |
2.2 Cookies NOT Used by Rakomi
Rakomi does not set or use:
- Third-party tracking cookies — no analytics, advertising, or behavioural tracking.
- Analytics cookies — we do not use Google Analytics, Mixpanel, Amplitude, or similar.
- OAuth state cookies — OAuth state parameters are stored server-side in database tables (
google_oauth_statesfor Google,social_oauth_statesfor GitHub, Microsoft, Apple, Discord, Facebook, Slack, Twitter/X, GitLab, LinkedIn, and other social providers), not in cookies. - CSRF cookies — CSRF protection relies on the SameSite=Lax cookie attribute and token-based API authentication, not dedicated CSRF cookies.
- Preference cookies — beyond the strictly necessary items listed in this policy.
3. Web Storage (localStorage)
Art. 399 PKE covers all storage on terminal devices, not just cookies. The following localStorage items are used by the Rakomi dashboard. (Note: the rakomi-lang language preference is primarily stored as a cookie — see Section 2 — and mirrored to localStorage as a fallback for environments where cookies are unavailable.)
| Key | Purpose | Persistence | Strictly Necessary Justification |
|---|---|---|---|
ca_recent_tenants |
Stores a list of recently accessed tenants for the dashboard tenant switcher. | Persistent until cleared | Multi-tenant switching is a core dashboard function. Without this, users would need to search for their tenant on every page load, significantly degrading the usability of the multi-tenant authentication management interface. |
rakomi_last_tenant |
Stores the identifier of the last selected tenant. Used to auto-select the correct tenant context on dashboard load. | Persistent until cleared | Prevents re-authentication friction in multi-tenant contexts. When a user returns to the dashboard, this ensures they see the correct tenant's data without manual re-selection — essential for a service managing multiple authentication environments. |
ca_auth_event |
Cross-tab authentication state synchronisation. Ensures that login/logout events in one browser tab are reflected in other open tabs. | Persistent until cleared | Without cross-tab sync, a user could be logged out in one tab while appearing logged in in another, creating security inconsistencies and confusing behaviour. This is essential for maintaining coherent authentication state. |
rakomi-lang |
localStorage mirror of the rakomi-lang cookie (see Section 2). Serves as a fallback when cookies are unavailable (e.g., private browsing mode). |
Persistent until cleared | Fallback for cookie-based language preference. Ensures the language switcher functions correctly even when cookies are blocked. Contains no personal data — stores only en or pl. |
3.1 sessionStorage
Rakomi does not currently use sessionStorage for any data.
3.2 IndexedDB, Cache API, Service Workers
Rakomi does not currently use IndexedDB, Cache API, or Service Workers for storing personal data. If these technologies are adopted in the future, this policy will be updated accordingly.
4. How to Manage Cookies and Web Storage
Although Rakomi only uses strictly necessary storage, you can manage cookies and web storage through your browser settings:
- Google Chrome: Settings → Privacy and Security → Cookies and other site data
- Mozilla Firefox: Settings → Privacy & Security → Cookies and Site Data
- Apple Safari: Settings → Privacy → Manage Website Data
- Microsoft Edge: Settings → Cookies and site permissions
Note: Blocking or deleting Rakomi's session cookies (__ra_session, __ra_session) will log you out of the dashboard and accounts UI respectively. Clearing localStorage items will reset your tenant selection preferences.
5. Relationship to Privacy Policy
For comprehensive information about how CRE8EVE processes personal data, including data collected through cookies and web storage, please see our Privacy Policy.
Changes to This Policy
We will notify you of changes to this Cookie Policy by:
- Email to registered dashboard users (durable medium notification).
- Updated publication on this page.
If Rakomi introduces any non-essential cookies or web storage in the future (e.g., analytics), we will implement a consent mechanism before deployment and update this policy accordingly.
Previous versions are available upon request to dpo@rakomi.com.