Yahalaly
Cookie Policy

Cookie Policy

Last updated: July 16, 2026

Yahalaly uses first-party cookies for account authentication, request security, a language choice, and saving an optional analytics choice. No advertising, cross-site marketing, or third-party analytics cookies are active at the founding-member launch.

1) What a cookie is

A cookie is a small value stored by a browser and returned with later requests to the same service. Some cookies are necessary to keep an account signed in, protect a state-changing request, or remember a setting.

2) Cookies currently used

Security cookies may be replaced earlier when you sign in, sign out, revoke a session, reset credentials, or when Yahalaly rotates them for security. Server-side session, audit, rate-limit, and security records are not browser cookies and are covered by the Privacy Policy.

  • access_token — HTTP-only authentication cookie used for a short signed-in session; configured for up to 15 minutes.
  • refresh_token — HTTP-only authentication cookie used to renew a session securely; configured for up to 30 days and revocable from account session controls.
  • csrf_token — first-party anti-CSRF value used to validate state-changing requests; configured for up to 30 days.
  • locale — first-party preference cookie set when you choose an interface language; configured for up to one year.
  • yahalaly_analytics_consent — first-party choice cookie containing only the consent version and an analytics true/false choice; configured for up to one year.

3) Optional aggregate analytics

Yahalaly shows equal choices to allow or decline optional first-party analytics. The tracker runs only after an allow choice and remains disabled when a browser sends Do Not Track or Global Privacy Control, or reports automated-browser operation. On public pages, including this policy, you can reopen Analytics choices and change the setting at any time.

When allowed, the site sends a cookie-free analytics request with credentials omitted and no referrer header. The consent cookie is therefore not sent to the analytics ingestion endpoint. The server keeps only daily totals by a fixed page key, broad source category, and one of two actions: page view or registration-button click.

The aggregate table contains no event or visitor identifier, exact event time, IP address, user agent, raw referrer, query string, device, country, or session. Its daily totals are retained for up to 400 days. Yahalaly does not use this measurement to follow a person across pages or sites.

4) Browser controls

You can inspect, delete, or block cookies using browser settings. Blocking authentication or security cookies prevents sign-in and protected account actions from working. Deleting the locale cookie resets automatic language selection. Deleting the analytics-choice cookie makes the choice panel appear again; choosing decline stops future optional analytics requests.

5) No advertising or third-party analytics

Yahalaly does not activate advertising, cross-site marketing, or third-party analytics technology at launch. A future provider or category would be named with its purpose and duration, and any required choice would be presented before it becomes active.

6) Contact and changes

Material changes receive a new effective date. Questions about cookies or browser storage can be sent to privacy@yahalaly.com.