Cookie Policy | SpeakHalo

Plain-language summary

SpeakHalo ("we," "us," or "our") sets one first-party browser cookie (auth_token) to protect authenticated routes. We also use browser localStorage for your JWT tokens and UI preferences. We do not use any analytics, advertising, or tracking cookies.

No advertising cookies

No analytics tracking

No cross-site tracking

No data sold to third parties

01

What Are Cookies

Cookies are small text files that a website stores on your device when you visit. They allow the website to remember information across page loads -for example, whether you are signed in.

First-party cookies are set directly by the website you are visiting (speakhalo.com). Third-party cookies are set by external services the website depends on -such as Cloudflare for security and DDoS protection.

Session cookies are deleted when you close your browser. Persistent cookies remain on your device for a defined period or until you delete them manually.

Note on localStorage: Browser localStorage is not a cookie. It is a separate browser storage mechanism that is never transmitted automatically with network requests. We disclose all localStorage usage here because under GDPR and ePrivacy regulations, any data stored on your device must be disclosed regardless of whether it is a cookie.

02

Cookies & Storage Set by SpeakHalo

Browser Cookie (1)

First-party

Name	Purpose	Duration	Category
`auth_token`	A route-protection marker cookie. Stores the value "true" only -not your JWT token. The Next.js server-side middleware reads this to decide whether to redirect unauthenticated visitors away from protected pages such as /dashboard and /admin. Your actual credentials are stored in localStorage.	30 days	Essential

Technical details: Set via JavaScript (document.cookie), SameSite=Lax, no Secure flag required for localhost. Deleted automatically on sign-out. This cookie is strictly necessary and cannot be disabled without breaking the authentication flow.

Browser localStorage (4 entries)

Never transmitted

These items are stored entirely in your browser and are never sent as HTTP request headers. They are accessible only to speakhalo.com.

Name	Purpose	Duration	Category
`access_token`	Your JWT access token. Used by the API client to authenticate every request to the SpeakHalo API. Contains your user ID and role. No personally identifiable information beyond what you provided at sign-up.	Until sign-out or token expiry	Essential
`refresh_token`	Your JWT refresh token. Allows the platform to silently obtain a new access token when the current one expires, keeping you signed in without interruption. Invalidated on sign-out.	Until sign-out	Essential
`cookie_consent`	A JSON object recording your cookie preference choices (e.g., whether Functional cookies are accepted). Prevents the consent banner from reappearing on every page visit.	Persistent until cleared	Essential
`admin_platform_settings`	Saves admin dashboard UI preferences such as display layout or configuration toggles. Present only on accounts with admin privileges. Contains no personal data.	Persistent until cleared	Functional

03

Third-Party Cookies

Our infrastructure is protected by Cloudflare for DDoS mitigation, content delivery, and rate limiting. As part of these security services, Cloudflare sets the following cookies on your device. SpeakHalo does not control these cookies -they are managed entirely by Cloudflare.

Name	Purpose	Duration	Set by	Category
`__cf_bm`	Bot management cookie. Distinguishes between human visitors and automated bots to protect the platform from malicious traffic and credential-stuffing attacks.	30 minutes	Cloudflare	Third-Party
`_cfuvid`	Rate-limiting identifier. Allows Cloudflare to apply per-client rate limiting rules consistently across requests within a short window.	Session	Cloudflare	Third-Party

These cookies do not track you across websites or collect personal information for advertising. They are strictly necessary for platform security. Cloudflare cookie documentation

04

What We Do Not Use

SpeakHalo does not use any tracking, analytics, advertising, or marketing cookies. All platform analytics (call volumes, response times, usage data) are derived server-side from your own operational data and are never collected via browser cookies or third-party scripts.

Google Analytics

We do not embed Google Analytics, Google Tag Manager, or any Google measurement script.

Facebook / Meta Pixel

We do not use Facebook Pixel, Meta tracking, or any social media tracking cookies.

Advertising & retargeting

We do not run retargeting campaigns and set no advertising cookies or ad network trackers.

Marketing attribution

We do not use cookies to track campaign clicks, email opens, or referral sources.

Cross-site tracking

We do not participate in cross-site tracking, browser fingerprinting, or behavioral profiling.

Third-party analytics

We do not use Mixpanel, Amplitude, PostHog, Hotjar, Heap, Segment, or any equivalent service.

05

Managing Cookies

Via SpeakHalo preferences

Click the cookie icon in the bottom-left corner of any page to open the cookie preferences panel. You can toggle the Functional category on or off at any time. Strictly Necessary and Cloudflare cookies cannot be disabled because they are required for the platform to operate and stay secure.

Via your browser

You can also control or delete cookies through your browser's settings. Browser-specific instructions:

Chrome Firefox Safari Edge

Impact of blocking all cookies

SpeakHalo uses one essential cookie (auth_token) for route protection. If you block all cookies, the Next.js middleware cannot verify your session and will redirect you away from protected pages such as /dashboard and /admin. Your JWT tokens live in localStorage, so API requests themselves remain unaffected.

06

Our Consent System

SpeakHalo includes a built-in cookie consent management system designed to comply with GDPR, the UK GDPR, and CCPA requirements.

How it works

1
When you first visit, a consent banner appears with category-level controls for Strictly Necessary, Functional, and Third-Party Infrastructure cookies.
2
Strictly Necessary and Third-Party Infrastructure categories are always enabled -required for security and authentication. You cannot turn them off.
3
The Functional category can be toggled on or off. It covers UI preferences stored in localStorage (admin_platform_settings).
4
Clicking "Accept All" enables all categories. Clicking "Save Preferences" saves only your selected choices.
5
Your choices are stored in localStorage under cookie_consent and also recorded server-side with a timestamp.
6
You can revisit your preferences at any time by clicking the cookie icon in the bottom-left corner of any page.

Consent records

For compliance purposes we record each consent action including: the cookie categories accepted or declined, the timestamp, IP address, user agent, and the policy version in effect. You may request a copy of your consent record by contacting us.

Withdrawing consent

You may withdraw consent at any time through the cookie preferences panel or by contacting us. Withdrawal does not affect the lawfulness of any processing that took place before it was withdrawn.

07

Changes to This Policy

We may update this Cookie Policy when we add or change how cookies are used on the platform. We will always update the "Last updated" date shown at the top of this page. For material changes -such as introducing a new cookie category -we will re-display the consent banner so you can review and confirm your preferences. We encourage you to check this page periodically.

08

Contact Us

If you have questions about this Cookie Policy, want to request a copy of your consent records, or need help managing your cookie preferences, please reach out:

Email

support@speakhalo.com

We aim to respond to all cookie-related inquiries within 30 days as required by applicable privacy regulations.