Cookie Policy
GABFORGE UNLIMITED. Hosted at gabforge.com/legal/cookies.
1. At a glance
| Question | Answer |
|---|---|
| Do you use advertising cookies? | No. Never. |
| Do you use analytics cookies (Google Analytics, Mixpanel, etc.)? | No. |
| Do you use tracking cookies? | No. |
| So what cookies do you use? | Essential cookies for login / session, and preference cookies for things like your theme. Listed in §3. |
| Do you show a cookie banner? | No — because we don't use any cookies that would require one under EU/UK law. See §8. |
| Do payment providers set cookies during checkout? | Yes — Razorpay does, on its own domain. Governed by its policy. We don't read or share them. |
| How do I delete cookies? | Through your browser settings. §6 has links per browser. |
| Who do I contact? | privacy@ on the TLD you used. §9. |
2. What cookies are
Cookies are small text files a website asks your browser to store on your device. When your browser sends a request back to the site, it includes the cookies the site previously set. Cookies are how websites remember things like "this browser is already logged in" or "this user prefers dark mode."
Cookies have:
- A name (e.g., gf-corporate-session).
- A value (usually an opaque token the server can verify).
- A scope — which domain can read it. A cookie scoped to .gabforge.ai cannot be read by .gabforge.in or any non-GabForge site.
- A lifetime — a "session" cookie disappears when you close your browser; a "persistent" cookie has an expiry date.
- Flags — httpOnly (unreadable from JavaScript), Secure (only sent over HTTPS), SameSite (restricts cross-site sending).
GabForge uses only httpOnly + Secure + SameSite=Lax for session cookies, per our security baseline in Three_Auth_Design.
3. Cookies we use
We use two categories only: essential (without them, the site cannot function) and preference (UI choices you've made).
3.1 Product TLDs — gabforge.ai, gabforge.live, gabforge.in
| Cookie | Purpose | Category | Scope | Lifetime |
|---|---|---|---|---|
| __gfsess_ai | Product session cookie after login on .ai | Essential | .gabforge.ai | Up to 30 days (idle timeout 7 days) |
| __gfsess_live | Product session cookie after login on .live | Essential | .gabforge.live | Up to 30 days |
| __gfsess_in | Product session cookie after login on .in | Essential | .gabforge.in | Up to 30 days |
| __gfss | GabForge single sign-on session token — keeps your one GabForge account signed in across GabForge products | Essential | .gabforge.ai / .gabforge.org | 30 days, rotated on use |
| gf-theme | Your light/dark theme preference | Preference | per site | 1 year |
| gf-locale | Your UI language preference (currently informational only — we have not yet shipped non-English UI) | Preference | per site | 1 year |
You have one GabForge account and sign in once with GabForge OAuth. Each site still sets its own session cookie, and cookies do not cross sites natively (browsers prevent this). Single sign-on across GabForge products is achieved via the standard OAuth 2.1 + PKCE redirect, not by sharing cookies between sites.
3.2 OSS TLD — gabforge.org
| Cookie | Purpose | Category | Scope | Lifetime |
|---|---|---|---|---|
| __gfsess_org | OSS session cookie after login on .org | Essential | .gabforge.org | Up to 30 days (idle timeout 7 days) |
| __gfss | GabForge single sign-on session token — keeps your one GabForge account signed in across GabForge products | Essential | .gabforge.ai / .gabforge.org | 30 days, rotated on use |
| gf-theme | Your light/dark theme preference | Preference | .gabforge.org | 1 year |
3.3 Corporate TLD — gabforge.com
The corporate site is mostly anonymous-browse. Cookies appear only after you log in to the Founder's Cockpit at admin.gabforge.com (staff / investors / press only — no public signup).
| Cookie | Purpose | Category | Scope | Lifetime |
|---|---|---|---|---|
| gf-corporate-session | Corporate-site login session | Essential | .gabforge.com | 7 days |
| gf-login-error | Short-lived flash cookie that carries a login-error message from the server to the login page without putting it in the URL | Essential | .gabforge.com | 10 minutes |
| gf-theme | Your light/dark theme preference | Preference | .gabforge.com | 1 year |
No user-tracking, advertising, or analytics cookies are set on .com. The company site uses its own staff/investor login that is separate from the GabForge account used for the product — a .com login does not sign you in to the app, and vice versa.
3.4 What you will NOT find
Not present on any GabForge surface:
- Google Analytics (_ga, _gid, _gat*)
- Facebook Pixel (_fbp, fr)
- Hotjar, Mixpanel, Amplitude, Segment, or any other session-recording / behavioural-analytics cookie
- Advertising network cookies
- A/B testing platform cookies (Optimizely, VWO)
- Marketing automation cookies (HubSpot, Marketo)
If we add any of these in the future, this doc changes first and a banner will appear before they're active.
4. JavaScript / browser storage that isn't a cookie
Some web platforms use localStorage, sessionStorage, or IndexedDB instead of cookies. GabForge uses:
- localStorage — occasionally, for client-only UI state (e.g., remembering which panel you had expanded in the workspace). Never to store tokens, identity, or PII.
- sessionStorage — transiently, to survive a tab refresh during onboarding. Cleared when the tab closes.
- IndexedDB — only in the GabForge offline model runner on your device. Holds your local chat history if you've opted to use offline GabForge Lite (4B). Never synced to our servers.
These aren't cookies in the regulatory sense, but the data they hold is still covered by our Privacy Policy.
5. Third-party cookies during payments
We don't embed third-party widgets, social-media like buttons, video iframes that set tracking cookies, or advertising networks. The only third parties whose cookies your browser may encounter are payment gateways during checkout:
- Razorpay — set on razorpay.com / checkout.razorpay.com during the redirect-based checkout flow used on gabforge.in, gabforge.ai, and gabforge.live (international payments via Razorpay International). Governed by Razorpay's cookie policy.
We do not read these cookies, we do not share cookie data with the gateways, and they do not persist on GabForge domains.
6. Managing and deleting cookies
Your browser lets you view, block, and delete cookies per-site or site-wide:
- Chrome: Settings → Privacy and Security → Cookies and other site data
- Firefox: Settings → Privacy & Security → Cookies and Site Data
- Safari: Preferences → Privacy → Manage Website Data
- Edge: Settings → Cookies and site permissions → Manage and delete cookies
Blocking our essential cookies will log you out and prevent you from logging back in. Blocking preference cookies is harmless — we just can't remember your theme choice between visits.
You can also use your browser's "Private / Incognito" window — no cookies are persisted after the window closes.
7. Do Not Track, Global Privacy Control
Because we do not track you in the first place, there is nothing for us to "stop" when you send a DNT: 1 header or a Global Privacy Control (GPC) signal. We receive these headers, we log nothing about them, and our behaviour is identical regardless of whether you send them.
8. Cookie banners — why we don't show one
EU / UK ePrivacy law requires a consent banner only for cookies that are non-essential to the service the user has actively requested. Our essential cookies (§3.1–3.3) fall under the functional-necessity exemption, and our preference cookies are set only after you change the default (e.g., toggling the theme) — which courts have treated as an implicit consent in most jurisdictions.
If we ever add a non-essential cookie, a banner will appear before that cookie is set, with granular opt-in per category, matching GDPR / ePrivacy guidance. We would rather not add such cookies in the first place.
9. Regional specifics
9.1 India — DPDP Act 2023 + IT Rules 2021
DPDP does not yet have detailed cookie-specific rules; the general consent + purpose-limitation principles apply. Our cookies are purpose-limited to service delivery and user preference, with no personal data shared with third parties. India users have the same cookie-management rights as all other users.
9.2 EU / UK — GDPR + ePrivacy Directive + UK PECR
Essential cookies fall under the Article 5(3) ePrivacy exemption. Preference cookies are set only after an affirmative user action. No consent banner is required for the current cookie set. If you object to any cookie anyway, blocking in-browser is sufficient — we do not lock out users who block our cookies (though essential-cookie blocks will prevent login).
9.3 California — CCPA / CPRA
We do not "sell" or "share" personal information as those terms are defined. "Do Not Sell My Personal Information" is therefore not applicable — but if you want to exercise it anyway, emailing privacy@gabforge.ai will have us confirm in writing.
10. Changes to this policy
If we add a cookie, remove a cookie, change its purpose, or extend its lifetime:
- This doc is updated in the same commit as the code change.
- The Changelog at the bottom of this doc records the change.
- If the change is material (new category of cookie, new third-party integration), we also email all signed-in users and post a notice on the site.
11. Contact
For any cookie-related question or complaint:
- Email: privacy@gabforge.ai (primary) or privacy@ on the TLD you used
- India users may additionally contact: the Interim Grievance Officer at grievance@gabforge.in per Contact_Support §6
- Postal: GABFORGE UNLIMITED, 142, Spanzilla, Gulam Ali Guda, Parvathapur Road, Medipally, Hyderabad 500098, India
We respond within 15 calendar days for India grievance requests and 30 calendar days for all other jurisdictions.