Legal
Cookie Policy
This Cookie Policy explains how DocFlow uses cookies and similar technologies for security, preferences, analytics, and limited marketing measurement.
Last updated: June 24, 2026
Consent management requirement
DocFlow must use a consent management platform, such as Cookiebot, Osano, or a compliant lightweight in-house CMP, before loading non-essential cookies for users in jurisdictions that require consent. Only essential cookies may be enabled by default. Functional, analytics, and marketing cookies must be grouped by category with clear opt-in controls and a visible way to change preferences later.
Engineering note: the cookie consent banner and preference center still need implementation. Until the CMP is live, analytics and marketing cookies should remain disabled by default.
Cookie categories
| Category | Examples | Purpose | Duration | Consent rule |
|---|---|---|---|---|
| Essential | docflow_session, csrf_token, auth_state | Login state, CSRF protection, GitHub OAuth flow, and security controls | Session to 24 hours | Always on; required to provide the service |
| Functional | config_lang, theme_pref, docs_style_pref | Remember interface preferences and documentation style choices | Up to 12 months | Optional where required by law |
| Analytics | _ga, _gid, privacy-safe product analytics identifiers | Traffic analytics, product performance, funnel analysis, and reliability improvement | Up to 13 months | Opt-in where required; disabled if declined |
| Marketing | _fbp or similar ad conversion cookies on paid landing pages only | Ad conversion measurement and remarketing for marketing pages | Up to 90 days | Opt-in only; never required for core service |
How consent should work
- Show a cookie banner before non-essential cookies load.
- Provide category-level choices for essential, functional, analytics, and marketing cookies.
- Set essential cookies as always on and keep all other categories off until consent is given where required.
- Provide equal access to accept, reject, and customize choices.
- Respect browser Do Not Track signals by not loading non-essential cookies when DNT is enabled.
- Keep a footer entry for cookie settings so users can withdraw or change consent later.
- Do not reduce core DocFlow functionality if a user declines analytics or marketing cookies.
Page-level loading rules
Public marketing pages
Essential and functional cookies may load; analytics and marketing cookies require opt-in where required.
Pricing and feature pages
Analytics may load only after consent where required; marketing cookies should not load unless the page is part of a paid campaign.
GitHub App authenticated pages
Essential and functional cookies only by default; no third-party analytics cookies unless separately disclosed and consented.
Install and configuration pages
Essential cookies only unless the user has already granted consent for another category.
Third-party cookies
Analytics or marketing providers, such as Google Analytics or Meta Pixel, may set cookies only after the required consent has been collected. Third-party cookies are not required to use DocFlow core GitHub documentation automation. Payment processors and GitHub may set their own cookies when you interact with their hosted pages or services; those cookies are governed by the relevant third-party policies.
Cookie updates
We review the cookie list at least quarterly and update this policy when cookie categories, vendors, or purposes change. If we add a new non-essential category or materially change tracking behavior, the CMP should request consent again where required.
AI-generated content disclaimer
DocFlow uses large language models to generate documentation drafts. AI-generated documentation may contain inaccuracies, omissions, outdated information, or inappropriate language. You must review all generated documentation before committing it to your repository.