Cookie Policy
Last updated: May 8, 2026
1. Controller
The controller for Verxion cookies and similar technologies is Roberto Diaz (Spanish Tax ID / NIF 71655922C), a self-employed sole trader established in Spain.
- Privacy contact: [email protected]
- Professional address: Calle Vázquez de Mella 75, 33012 Oviedo, Asturias, Spain
- Tax ID / fiscal number: 71655922C
2. What we use and why (LSSI Art. 22.2)
Spanish law (LSSI-CE Art. 22.2) requires that any storage on a user’s device (cookies, localStorage, sessionStorage) be disclosed item by item. The table below lists every key Verxion sets across apps/web (marketing site), apps/web-app (authenticated app), and the API:
| Key | Type | Owner | Purpose | Duration | Strictly necessary? |
|---|---|---|---|---|---|
| better-auth.session_token | Cookie | First-party | Authenticated session token | 7 days, rolling | Yes |
| better-auth.session_data | Cookie | First-party | Cached session metadata for SSR | Session | Yes |
| __Secure-better-auth.session_token | Cookie | First-party | Secure variant of the session token (Secure + SameSite=None for cross-origin SPA) | 7 days, rolling | Yes |
| verxion_csrf (or BetterAuth-issued equivalent) | Cookie | First-party | CSRF protection on form posts | Session | Yes |
| sidebar_state | Cookie | First-party | Remembers whether the side navigation is collapsed | 7 days | Necessary (preference; user-set) |
| vx_oauth_ctx | sessionStorage | First-party | Holds the OAuth state token during the sign-in flow | Session | Yes |
| onboarding.username | sessionStorage | First-party | In-progress onboarding form data; cleared on completion | Session | Yes |
| verxion_language | localStorage | First-party | User-selected language (en/es) | Persistent until cleared by user | Necessary (preference; user-set) |
| verxion:onboarding:celebrated | localStorage | First-party | UI flag to avoid showing the onboarding completion celebration twice | Persistent until cleared by user | No (UX state) |
No analytics cookies. Verxion does not currently load Google Analytics, Plausible, PostHog, Hotjar, Mixpanel, or any other behavioral or marketing tracker on the public site or the authenticated app. Sentry (error tracking) runs server-side only.
3. Non-essential cookies
If Verxion enables analytics, advertising, or other non-essential trackers in the future, we will surface a consent banner before any such storage is set on your device, and we will update this list. The current list is honest: nothing here loads without your active use of a feature.
4. Third-party services
Some features depend on third parties:
- Apple / Google OAuth: Sign-in flows redirect to Apple’s or Google’s domains, which may set their own cookies under their own policies.
- Resend (transactional email): no cookies on Verxion domains.
- OpenFoodFacts (food metadata): server-to-server only, no cookies.
- Any MCP-compatible client you authorize (non-exhaustive examples: ChatGPT, Claude, Gemini, Cursor, OpenCode, etc.): when you authorize a connected app, the OAuth flow redirects via Verxion but the third-party client itself sets cookies on its own domain under its own policy.
5. Managing cookies
You can manage or delete cookies through your browser settings. Blocking strictly necessary cookies or session storage may prevent sign-in, break OAuth flows, or disable essential product features. Preference cookies (sidebar state, language, onboarding flag) can be deleted with no functional impact — the app falls back to defaults.
6. Contact
For privacy or cookie questions, contact [email protected].