Cookies Policy
Effective: 2025-10-07
This Cookies Policy explains how cookies and similar storage are used in the Revisit dashboard and by the Revisit Recorder on your website(s).
What we use
Dashboard (first‑party)
- rv_access: authentication access token; HttpOnly; SameSite=Lax; ~15 minutes; Secure on HTTPS.
- rv_refresh: refresh token; HttpOnly; SameSite=Strict; ~30 days; Secure on HTTPS.
- rv_csrf: CSRF token (double‑submit); readable by JS; SameSite=Lax; ~15 minutes; Secure on HTTPS.
- rv_trusted: "Remember this device" for MFA; HttpOnly; SameSite=Lax; up to ~30 days; Secure on HTTPS.
Recorder on your website (first‑party to your domain)
- revisit_visitor_id: stable visitor ID for session continuity; SameSite=Lax; up to 13 months; Secure on HTTPS.
- Honors Do Not Track (DNT) and Global Privacy Control (GPC): when present, the recorder doesn't set identifiers or start recording.
Other storage used by the recorder
- localStorage: revisit:visitorId, revisit:session:<project>
- sessionStorage: revisit:sessionId, revisit:seq:<session>
Managing cookies
- You can clear cookies in your browser settings.
- Dashboard cookies are strictly necessary for secure login and CSRF protection.
- On your websites, you decide whether to enable recording or use a consent banner/CMP.
Cookie consent and compliance
Revisit Dashboard (revisit.pro)
- No consent banner needed: All dashboard cookies (rv_access, rv_refresh, rv_csrf, rv_trusted) are strictly necessary for authentication and security
- These cookies are exempt from consent requirements under GDPR/ePrivacy as they are essential for the service you explicitly requested
- We do not use any analytics, marketing, or tracking cookies on the dashboard
Recorder on your websites
As the data controller, you are responsible for cookie compliance on your website. Here's guidance:
EU/EEA (GDPR + ePrivacy Directive):
- Option 1 - Consent banner: Implement a cookie consent banner that blocks the revisit_visitor_id cookie and recording until the user consents
- Option 2 - Legitimate interests: If you configure proper masking (mask sensitive inputs, honor DNT/GPC, minimize IP), you may rely on legitimate interests with a clear privacy notice and easy opt-out
- Recommendation: Most websites use a consent banner to be safe; relying on legitimate interests requires a careful DPIA
UK (UK GDPR + PECR):
- Similar to EU: consent or legitimate interests (with proper safeguards)
- ICO guidance allows analytics cookies under legitimate interests if properly configured
California (CCPA/CPRA):
- No explicit cookie consent required, but you must disclose in privacy policy
- Honor Global Privacy Control (GPC) signals — our recorder does this automatically
- Provide opt-out mechanism and data deletion rights
Other jurisdictions:
- Check local laws; most follow EU model (consent) or US model (notice + opt-out)
- Brazil (LGPD), Canada (PIPEDA), Australia (Privacy Act) have varying requirements
Implementation tips:
- Use a Consent Management Platform (CMP) like Cookiebot, OneTrust, Osano, or Termly
- The recorder honors DNT/GPC automatically — no additional code needed
- To implement consent gating, conditionally load the recorder script after consent is given
- Disclose session recording clearly in your privacy policy
- Provide an opt-out mechanism (e.g., "Don't record my sessions" checkbox)
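
One way to implement the consent gating and opt-out described in the tips above, as an added example that is not Revisit's own code. The recorder URL is a placeholder, the function names and the `env` object are hypothetical, and the cookie is assumed to be host-only with Path=/.

```javascript
// Added example, not Revisit's code. Names below are hypothetical unless noted.
const RECORDER_SRC = "https://example.invalid/recorder.js"; // placeholder URL
const VISITOR_COOKIE = "revisit_visitor_id"; // cookie name from this policy
const STORAGE_PREFIX = "revisit:"; // key prefix from this policy

// True when the browser sends Do Not Track or Global Privacy Control.
function privacySignal(nav) {
  return nav.doNotTrack === "1" || nav.globalPrivacyControl === true;
}

// The script is loaded only on explicit opt-in and with no privacy signal.
function mayLoadRecorder(consentGiven, nav) {
  return consentGiven === true && !privacySignal(nav);
}

// Remove recorder keys from a Storage-like object; returns the removed keys.
function clearRecorderKeys(storage) {
  const doomed = [];
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    if (key !== null && key.startsWith(STORAGE_PREFIX)) doomed.push(key);
  }
  doomed.forEach((key) => storage.removeItem(key)); // delete after the scan
  return doomed;
}

// Cookie string that expires the visitor ID (assumes host-only, Path=/).
function expireVisitorCookie() {
  return `${VISITOR_COOKIE}=; Max-Age=0; Path=/; SameSite=Lax`;
}

// Apply a CMP decision: inject the script on opt-in, clean up otherwise.
// env = { navigator, document, localStorage, sessionStorage } (window in a browser).
function applyConsent(consentGiven, env) {
  if (mayLoadRecorder(consentGiven, env.navigator)) {
    const script = env.document.createElement("script");
    script.src = RECORDER_SRC;
    script.async = true;
    env.document.head.appendChild(script);
    return "loaded";
  }
  clearRecorderKeys(env.localStorage);
  clearRecorderKeys(env.sessionStorage);
  env.document.cookie = expireVisitorCookie();
  return "blocked";
}
```

In a browser, call `applyConsent(granted, window)` from your CMP's consent callback, and again with `false` when a visitor uses the opt-out control.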
Complete cookie reference
For completeness, here are all cookies used with full technical details:
| Cookie Name | Purpose | Duration | Type |
|---|---|---|---|
| rv_access | Authentication access token | 2 hours | Strictly necessary |
| rv_refresh | Refresh token for session renewal | 30 days | Strictly necessary |
| rv_csrf | CSRF protection (double-submit token) | 2 hours | Strictly necessary |
| rv_trusted | "Remember this device" for MFA | Up to 30 days | Strictly necessary |
| revisit_visitor_id | Visitor identification (on your website) | Up to 13 months | Analytics/Functional |
Retention
- Export ZIP links under /storage/exports/ are available for 1 week and then removed.
- Application logs are deleted roughly every month.