Cookie Policy

Last updated: April 20, 2026

This page lists every cookie OMM Flow sets on your browser, what it's for, and how long it lasts. We split cookies into two groups:

  • Essential — required for the site to function (signing in, CSRF protection). Loaded whether or not you accept the banner.
  • Analytics— help us understand which pages work and which don't. Loaded ONLY after you click "Accept all" on the banner. If you reject the banner or ignore it, these never load.

Essential cookies

All first-party. Set on the omm-flow.com domain — no third parties see them.

NamePurposeLifespan
next-auth.session-token
first-party
Keeps you signed in to your OMM Flow workspace. Deletes when you sign out.30 days (rolling)
next-auth.csrf-token
first-party
Anti-CSRF token — prevents cross-site form submissions from hijacking your session.Session
next-auth.callback-url
first-party
Temporary cookie NextAuth sets during OAuth round-trips to remember where to send you after sign-in. Cleared automatically after the redirect.Session (minutes)
portal_session
first-party
Keeps client portal users signed in when they accept an approval share link.14 days
gintent / gsignup
first-party
Short-lived signed cookies that carry invite-token / new-signup intent across a Google OAuth round-trip.10 minutes

Analytics cookies

Third-party. Set by Google Analytics 4 on the .google-analytics.com domain — only after your consent. Data is anonymised; no names, emails, or other personally identifying information is sent.

NamePurposeLifespan
_ga
Google Analytics 4 · third-party
Distinguishes individual users anonymously so we can count returning vs new visitors.2 years
_ga_<container-id>
Google Analytics 4 · third-party
Session state for the specific GA4 property — tracks which pages you visit within a session.2 years

Changing your preference

Your choice is stored in your browser's local storage (not a cookie). To change it:

  • Clear site data for omm-flow.comin your browser's site settings — the banner will re-appear on your next visit and you can choose again.
  • Or change your mind in 12 months — the banner re-prompts automatically so your choice doesn't get locked in.
  • Browser-level: most modern browsers offer global cookie controls (Chrome → Settings → Privacy and security, Safari → Preferences → Privacy, etc.). "Block third-party cookies" will stop analytics cookies without affecting the essential ones.

Third-party data sharing

When analytics is enabled, Google Analytics receives anonymous usage data (page views, session duration, referrer). See Google's privacy controls at policies.google.com/technologies/cookies. You can opt out globally via Google's opt-out browser extension.

Questions

Email privacy@omm-flow.com if anything here is unclear or if you need the full sub-processor list for your own compliance paperwork.