Last updated: 2026-06-12 · v2026-06-12
Cookie Policy
This Cookie Policy explains what cookies and similar technologies are, which ones Sinapti uses (available at https://app.sinapti.com), for what purpose, and how you can accept, reject and withdraw your consent at any time.
This policy has been prepared following the Guidance on the use of cookies issued by the Spanish Data Protection Agency (AEPD) and the layered-information model.
What are cookies?
A cookie is a small text file that a website stores in your browser or device when you visit it. It allows the site to remember information about your visit, such as your login session or your preferences.
Alongside cookies, Sinapti uses other browser storage technologies that serve equivalent functions and which, for the purposes of this policy and of applicable law, receive the same treatment as cookies:
- localStorage: stores small configuration values (for example, your theme preference or interface state) persistently in your browser.
- IndexedDB: a browser database that Sinapti uses to store locally the documents you edit (offline editing) and, optionally, data for advanced features such as semantic search.
Throughout this policy, the term "cookies" covers both cookies in the strict sense and these similar technologies.
Types of cookies by purpose
Technical or essential cookies (no consent required)
These are indispensable for the application to work and to provide the service you expressly request when you register, sign in and use Sinapti. They do not require your consent and cannot be disabled from the settings panel, because without them the service cannot be provided. They include:
- Authentication and session: keep your session securely logged in and protect forms against cross-site request forgery (CSRF) attacks. Managed by the authentication system (NextAuth/Auth.js).
- Cookie-consent record (sinapti_consent_id): a technical cookie that links your decision about cookies to an identifier, so that we can demonstrate your consent or refusal (an obligation under data-protection law itself).
- Theme and language preference: remember the appearance (light/dark/system) and language you have chosen. As they reflect an express user choice, they are considered technical under the AEPD Guidance.
- Interface state: remember display settings such as the sidebar state, applied filters, or notices you have already dismissed.
- Offline storage (Yjs / IndexedDB): stores the documents you edit locally to enable offline work and prevent the loss of changes.
Analytics cookies (consent required)
They allow us to measure and analyse, in aggregate, how the application is used (performance, errors, user-experience metrics) in order to improve it. They are only activated if you give your consent. If you do not, they are not loaded.
- OpenObserve RUM (Real User Monitoring): a user-experience analytics solution self-hosted by Sinapti (no data is shared with third parties for advertising purposes). It does not perform session replay.
Marketing or advertising cookies (consent required)
These would be used to display personalised advertising or to measure campaigns. Sinapti currently does not use any cookie in this category. We keep this section for information purposes in case any are added in the future, in which case your prior consent would be requested and this policy would be updated.
Detailed table of cookies and storage
| Name | Type / Purpose | Category | Duration | Ownership |
|---|---|---|---|---|
| authjs.session-token / __Secure-authjs.session-token | Maintains the authenticated user session (JWT token) | Technical / essential | Session / until sign-out | First-party |
| authjs.csrf-token / __Host-authjs.csrf-token | Protection against CSRF attacks on forms and actions | Technical / essential | Session | First-party |
| authjs.callback-url / __Secure-authjs.callback-url | Handles redirection after sign-in | Technical / essential | Session | First-party |
| authjs.pkce.code_verifier, authjs.state, authjs.nonce | Security of Google sign-in (OAuth/PKCE) | Technical / essential | Session (ephemeral, during login) | First-party |
| sinapti_consent_id | Anonymous identifier that links and evidences your cookie decision (consent record) | Technical / essential | 13 months | First-party |
| locale | Remembers the language chosen by the user | Technical / essential (user choice) | 12 months | First-party |
| sinapti-theme (localStorage) | Remembers the theme preference (light/dark/system) | Technical / essential (user choice) | Persistent until cleared | First-party |
| sinapti_cookie_consent (localStorage) | Stores your cookie decision in the browser so the banner is not shown again while it remains valid | Technical / essential | Up to 13 months / until cleared | First-party |
| sinapti-sidebar-collapsed, sinapti-global-tags, calendar-prefs, sinapti-dismissals (localStorage) | Remember interface settings: sidebar, filters, calendar view and dismissed notices | Technical / essential (user choice) | Persistent until cleared | First-party |
| sinapti-offline (IndexedDB) | Local storage of documents for offline editing (Yjs) and later synchronisation | Technical / functional | Persistent until cleared | First-party |
| sinapti-embeddings (IndexedDB) | Local cache for semantic search (only if you enable that feature on the device) | Technical / functional | Persistent until cleared | First-party |
| RUM SDK session cookie (OpenObserve) [SDK technical name] | Identifies the user-experience analytics session | Analytics | [duration: ___] (typically session / ~15 min of inactivity) | First-party (self-hosted) |
The authentication cookies carry the __Secure-/__Host- prefix and the secure attribute only in the production environment (HTTPS). Exact names may vary slightly depending on the version of the authentication library.
Legal basis
- Technical or essential cookies: their use relies on the exemption in Article 22.2 of the LSSI (Spanish Law 34/2002), as they are strictly necessary to provide the service expressly requested by the user. They do not require consent.
- Analytics and, where applicable, marketing cookies: the legal basis is your consent (Art. 22.2 LSSI and the General Data Protection Regulation – GDPR). You may freely grant or deny it, and withdraw it at any time without this affecting the essential functioning of the application.
How to accept, reject and withdraw consent
When you first access the application, Sinapti shows a cookie banner with clear information about its use. In that banner:
- You can Accept all cookies.
- You can Reject all non-essential cookies. Rejecting is as easy as accepting: both options are at the same level, with equal visibility, and neither is highlighted over the other.
- You can open the settings panel to decide granularly, per purpose (for example, to accept analytics but not other categories).
Until you make a decision, no non-essential cookie is installed.
To change your decision later, you can reopen the panel at any time through the "Cookie preferences" link available in the application footer. There you can review and modify your choices or fully withdraw your consent.
In addition, you can manage or delete cookies from your browser settings (Chrome, Firefox, Safari, Edge, etc.), as well as clear local storage (localStorage / IndexedDB). Please note that deleting technical cookies may prevent the application from working correctly (for example, by signing you out).
International transfers
The analytics cookies used by Sinapti rely on OpenObserve RUM, self-hosted by Sinapti on infrastructure located in the European Union (OVHcloud). Therefore, the use of cookies does not involve international transfers of data to third countries.
If third-party cookies entailing international transfers were added in the future, this would be expressly stated in this policy and, where applicable, the corresponding consent would be obtained with the safeguards required by the GDPR.
Retention of consent
Your cookie decision is retained for a maximum of 13 months, in line with the AEPD recommendation. Once that period elapses (recorded internally via an expiry date, expiresAt), or when this policy changes materially (controlled via a policy version), we will request your consent again by showing the banner once more.
Your consent will also be requested again if you clear your browser storage.
Changes to the cookie policy
We may update this Cookie Policy to reflect changes in the cookies we use, in the technology employed, or in applicable law. When changes are material, we will notify you by showing the banner again to obtain your consent anew. We recommend that you review this page periodically; the last-updated date and the current version appear in the header of this document.