Cookie Policy
Effective Date: April 7, 2026 | Last Updated: April 7, 2026
1. Introduction
This Cookie Policy explains how CutoffIQ LLC ("CutoffIQ," "we," "us," or "our") uses cookies and similar tracking technologies when you visit or use the CutoffIQ platform at cutoffiq.com and related subdomains (the "Service"). This policy should be read alongside our Privacy Policy.
By continuing to use the Service, you consent to the use of cookies as described in this policy, subject to your ability to control cookie preferences as outlined below.
2. What Are Cookies?
Cookies are small text files that are placed on your device (computer, tablet, or mobile phone) when you visit a website. They are widely used to make websites work more efficiently, provide a better user experience, and supply information to website operators. Cookies may be "session" cookies (which expire when you close your browser) or "persistent" cookies (which remain on your device until they expire or you delete them).
3. Types of Cookies We Use
3.1 Strictly Necessary Cookies (Essential)
These cookies are required for the Service to function and cannot be disabled. They enable core functionality such as authentication, session management, and security.
| Cookie Name | Provider | Purpose | Duration | Type |
|---|---|---|---|---|
| next-auth.session-token | CutoffIQ | Stores the encrypted JWT session token for authenticated users. Contains user identity, role, and session metadata. Required for login persistence and role-based access control. | 30 days (or until logout) | HTTP, Secure, HttpOnly, SameSite=Lax |
| __Secure-next-auth.session-token | CutoffIQ | Production variant of the session token with the __Secure- prefix, ensuring the cookie is only sent over HTTPS connections. | 30 days (or until logout) | HTTP, Secure, HttpOnly, SameSite=Lax |
| next-auth.csrf-token | CutoffIQ | Cross-Site Request Forgery (CSRF) protection token. Prevents unauthorized form submissions and state-changing requests from malicious third-party sites. | Session | HTTP, SameSite=Lax |
| next-auth.callback-url | CutoffIQ | Stores the redirect URL during the OAuth authentication flow (e.g., Google sign-in) so users are returned to the correct page after authentication. | Session | HTTP, SameSite=Lax |
3.2 Functional Cookies
These cookies enable enhanced functionality and personalization, such as remembering your preferences. The Service currently does not use functional cookies beyond essential session management. If functional cookies are introduced (e.g., theme preferences, language settings), this section will be updated.
3.3 Analytics Cookies
The Service does not currently use analytics cookies or third-party analytics services (such as Google Analytics). If analytics cookies are introduced in the future, we will:
- Update this Cookie Policy with specific cookie details;
- Obtain your consent before setting non-essential analytics cookies (where required by law);
- Provide a cookie consent mechanism allowing you to opt in or opt out;
- Not set analytics cookies for Children's accounts without parental consent, and limit any such cookies in scope consistent with COPPA requirements.
3.4 Advertising/Marketing Cookies
CutoffIQ does not use advertising or marketing cookies. We do not serve advertisements, engage in behavioral advertising, or allow third-party ad networks to place cookies on the Service. This is especially important given that our user base includes children under 13.
4. Third-Party Cookies
4.1 Google OAuth
When you use "Sign in with Google," Google may set its own cookies during the authentication flow. These cookies are governed by Google's Cookie Policy. CutoffIQ does not control these cookies. The Google OAuth cookies are used only during the authentication process and are not used by CutoffIQ for tracking or advertising purposes.
4.2 Hosting Infrastructure
Our hosting provider (Railway) may set infrastructure-level cookies for load balancing, DDoS protection, or other operational purposes. These are essential to service delivery and are not used for tracking.
5. Local Storage and Similar Technologies
In addition to cookies, the Service may use browser local storage and session storage for client-side state management. These are used for:
| Technology | Purpose | Data Stored |
|---|---|---|
| Local Storage (Zustand) | Client-side state persistence for UI preferences and cached progress data | Level selection, position preferences, UI state |
| Session Storage | Temporary data for the current browser session | In-progress quiz state, form data |
Local storage and session storage data remains on your device and is not transmitted to our servers unless explicitly submitted (e.g., quiz answers upon submission).
6. Managing Your Cookie Preferences
6.1 Browser Settings
Most web browsers allow you to manage cookies through browser settings. You can typically:
- View cookies stored on your device;
- Delete individual or all cookies;
- Block cookies from specific or all websites;
- Set your browser to notify you when a cookie is set.
Instructions for managing cookies in common browsers:
6.2 Impact of Disabling Cookies
Essential cookies cannot be disabled without losing access to the Service. If you block or delete the session-related cookies listed in Section 3.1, you will be unable to log in or maintain an authenticated session. The Service requires these cookies to function.
6.3 Cookie Consent Banner
If we introduce non-essential cookies in the future (analytics, functional, or marketing), we will implement a cookie consent banner that:
- Appears on your first visit and clearly describes each cookie category;
- Allows granular opt-in/opt-out for each non-essential category;
- Remembers your preferences for subsequent visits;
- Complies with GDPR consent requirements (for EEA/UK users) and other applicable cookie consent laws;
- Does not set non-essential cookies before obtaining consent.
7. Cookies and Children
For accounts identified as belonging to children under 13:
- Only strictly necessary cookies (authentication, CSRF protection) are set;
- No analytics, functional, or marketing cookies are or will be set without verified parental consent;
- Local storage usage is limited to essential UI state necessary for the Service to function;
- We comply fully with COPPA requirements regarding persistent identifiers for children.
8. Data Retention for Cookies
| Cookie Category | Maximum Retention |
|---|---|
| Session Cookies | Deleted when you close your browser |
| Authentication Cookies (JWT session token) | 30 days or until logout, whichever is sooner |
| CSRF Token | Deleted when you close your browser |
| Local Storage Data | Persistent until cleared by the user or the application. No sensitive Personal Information is stored in local storage. |
9. GDPR and Cookie Compliance
For users in the European Economic Area (EEA), United Kingdom, and Switzerland:
- Strictly necessary cookies are set under the "legitimate interests" exemption and do not require consent under the ePrivacy Directive (Directive 2002/58/EC, as amended);
- Non-essential cookies (if introduced) will only be set after obtaining your explicit, informed, freely given, and specific consent, as required by GDPR Article 6(1)(a) and the ePrivacy Directive;
- You may withdraw consent at any time by adjusting your cookie preferences or browser settings;
- Withdrawal of consent does not affect the lawfulness of processing based on consent before withdrawal.
10. CCPA and Cookie Compliance
For California residents:
- We do not sell personal information collected through cookies;
- We do not use cookies for cross-context behavioral advertising;
- We do not share cookie-derived data with third parties for their own marketing purposes;
- Essential cookies constitute "business purpose" processing under the CCPA.
11. Changes to This Cookie Policy
We may update this Cookie Policy to reflect changes in our practices or for regulatory compliance. When we make material changes, we will:
- Update the "Last Updated" date;
- Notify you through the Service or via email for significant changes;
- Reset cookie consent preferences if new cookie categories are introduced, requiring you to re-confirm your choices.
12. Contact Us
If you have questions about this Cookie Policy or our use of cookies, contact us at:
CutoffIQ LLC
Email: [email protected]
Subject Line: "Cookie Policy Inquiry"