1. What Are Cookies?
Cookies are small text files stored on your device that contain information about your interaction with our website. They are essential tools for web security and functionality. HelixAI uses cookies exclusively for necessary, security-critical functions.
2. Why We Use Cookies
All cookies used by HelixAI are strictly necessary for the platform to function properly. We do NOT use:
- Third-party tracking cookies
- Analytics or marketing cookies
- Advertising or advertising preference cookies
- Non-essential or convenience cookies
3. HelixAI Cookies
HelixAI uses exactly four cookies, all strictly necessary for authentication, session management, and security. None of these cookies track your behavior across other sites or serve advertising purposes.
| Cookie Name | Purpose | Duration |
| --- | --- | --- |
| session | Signed session token (email, tenant ID, role) | 1 hour |
| access_token | JWT for secure API authentication | 1 hour |
| refresh_token | Renews access tokens without re-authentication | 7 days |
| csrf_token | CSRF attack prevention | 1 hour |
4. Cookie Details and Flags
Session Cookie ("session")
- Contains a signed session token with user email, tenant ID, and user role
- HttpOnly flag prevents JavaScript access (XSS protection)
- Secure flag ensures transmission only over HTTPS
- SameSite=Lax prevents cross-site request forgery attacks
- Maximum age: 1 hour (requires re-authentication after session expiry)
Access Token Cookie ("access_token")
- Contains a JSON Web Token (JWT) for secure API authentication
- Used for backend requests and API authorization
- HttpOnly, Secure, and SameSite=Lax flags applied
- Maximum age: 1 hour for security and token rotation
Refresh Token Cookie ("refresh_token")
- Used to obtain new access tokens without requiring re-authentication
- Enables seamless session continuity and improved user experience
- HttpOnly, Secure, and SameSite=Lax flags applied
- Maximum age: 7 days; tokens must be refreshed for longer sessions
CSRF Token
- Generated per session to prevent Cross-Site Request Forgery
- Validated on all POST, PUT, and DELETE requests
- Token expiry: 1 hour
- Ensures requests originate from legitimate user sessions
5. Consent and GDPR Transparency
Since all HelixAI cookies are strictly necessary and essential for service functionality, a consent banner is not strictly required under GDPR. However, HelixAI is committed to GDPR transparency and provides this policy to inform users about our cookie usage. Users are not required to consent to these cookies to use the service, but disabling them will prevent HelixAI from functioning.
6. How to Manage Cookies in Your Browser
Most browsers allow you to control cookie settings. You can typically:
- View all stored cookies on your device
- Delete cookies individually or in bulk
- Block new cookies from being set
- Enable "Private" or "Incognito" browsing to avoid persistent cookies
Important: Disabling cookies will prevent HelixAI from functioning properly. Session authentication, CSRF protection, and API authorization all depend on these cookies. We recommend keeping cookies enabled for HelixAI.
7. Contact Information
If you have questions about this Cookie Policy, our use of cookies, or your privacy, please contact us:
This Cookie Policy is part of the HelixAI legal framework and should be read in conjunction with our Terms of Service, Privacy Policy, and Acceptable Use Policy.