Cookie Policy
1. About this Cookie Policy
This Cookie Policy describes the cookies and similar technologies that Toolum uses, what each of them is for, and how you can control them. It complements our Privacy Policy, which is the broader description of how Toolum processes Personal Data; this document focuses specifically on the browser-side mechanisms by which some of that processing happens.
Cookie disclosures are a legal requirement under the EU ePrivacy Directive (Directive 2002/58/EC as amended) and its implementation in Cyprus through the Law on the Regulation of Electronic Communications and Postal Services 112(I)/2004. They are also a practical commitment to clarity: you should know what is stored in your browser and what you can do about it. This document tries to answer both needs in one place.
1.1 What this Policy covers
This Policy covers cookies and similar local-storage technologies set by Toolum on the following surfaces:
- The marketing site at https://toolum.ai;
- The application at https://app.toolum.ai.
1.2 What this Policy does not cover
This Policy does not cover:
- Cookies set by third-party websites that you visit through links from Toolum;
- Cookies set by hosting providers, app stores, or other third-party services to which you deploy code exported from Toolum (those services have their own cookie disclosures);
- Cookies set on devices outside of standard web browser environments (for example, native mobile apps, which use platform-specific storage mechanisms instead of cookies).
For these, you should refer to the cookie policies of the relevant third parties.
2. What cookies are
A cookie is a small piece of text that a website stores in your browser. The next time you visit the website, your browser sends the cookie back, which lets the website recognize you, remember preferences, or maintain state between page loads. Cookies are stored on your device, not on Toolum's servers; we read them only when your browser sends them back as part of a request.
"Similar technologies" — a phrase that appears in this document and in the ePrivacy Directive — refers to other ways of storing information on your device that serve comparable purposes. The most common is local storage (sometimes called localStorage or sessionStorage), which is a browser feature that lets a website store information in a way similar to cookies but with different size limits and a different mechanism for sending the data back. Toolum uses local storage for some user-interface preferences described in Section 3.2 below.
Throughout this Policy, "cookies" is used as a shorthand for both cookies in the strict sense and similar technologies like local storage. Where the distinction matters, the text says so explicitly.
2.1 First-party vs third-party cookies
A "first-party cookie" is a cookie set by the website you are visiting — in this case, Toolum. A "third-party cookie" is a cookie set by a different domain when you visit a site, typically because that site embeds content (an ad, a tracker, a widget) from the third party.
Toolum does not use third-party cookies. This is described in Section 4 below.
2.2 Session vs persistent cookies
A "session cookie" is deleted when you close your browser. A "persistent cookie" stays on your device until it expires or you delete it manually. Toolum uses both, depending on what each cookie is for. The cookie inventory in Section 6 below identifies which is which for each cookie.
3. Categories of cookies Toolum uses
Toolum uses cookies in three categories. The categories below match the legal framework under EU ePrivacy law: strictly necessary cookies are exempt from the consent requirement; functional and analytics cookies require your consent under EU law, which Toolum collects through the consent banner described in Section 5 below.
3.1 Strictly necessary cookies
Strictly necessary cookies are cookies that the Service cannot work without. If you reject these cookies, the application cannot maintain your sign-in session, cannot prevent cross-site request forgery, and cannot function as a usable platform.
Under Article 5(3) of the EU ePrivacy Directive, strictly necessary cookies are exempt from the consent requirement. They are loaded by default when you visit Toolum, and the consent banner does not offer the option to reject them; rejecting them would mean rejecting the Service itself.
The strictly necessary storage used by Toolum is:
- Authentication tokens. Toolum issues its own JSON Web Tokens (a short-lived access token and a longer-lived refresh token) and stores them in your browser's localStorage. They are sent to the Toolum server as a Bearer token in the HTTP Authorization header on each request, which is what keeps you signed in across page loads. Without them, you would have to re-authenticate on every page.
- Authentication-state cookie. A small first-party cookie records that you are signed in so that the server-side middleware can decide, before a page is rendered, whether to grant access. Staff and administrator sessions additionally carry a short-lived role cookie used to gate internal areas.
- Cross-site request forgery (CSRF) protection. Toolum does not rely on an ambient session cookie for authentication — API calls are authenticated by the Bearer token in the Authorization header, and Toolum's cookies are set with SameSite=Lax. Together these mean a malicious third-party site cannot forge an authenticated request on your behalf, which is the standard CSRF defense for token-based single-page applications. There is no separate CSRF cookie.
The specific names, durations, and purposes of these cookies are listed in Section 6 below.
3.2 Functional cookies and local storage
Functional cookies and local-storage entries remember user-interface preferences and small pieces of state that improve your experience but are not strictly required for the Service to work. Examples include the editor panel layout you last used, your selected theme (light or dark mode if available), and the recently-opened Blueprint list shown when you next sign in.
Toolum's functional storage is implemented primarily in browser localStorage rather than cookies in the strict sense. The mechanism is different, but the legal framework is the same: under EU ePrivacy law, these storage entries require your consent before they are written.
If you decline consent for functional storage, the Service still works, but some user-interface conveniences will not persist between sessions.
3.3 Analytics cookies
Toolum uses PostHog (EU instance: eu.posthog.com) for product analytics. PostHog helps us understand how Builders use the Service — which features are most used, where Builders encounter difficulties, what the typical journey from sign-up to first Blueprint looks like — so that we can prioritize improvements where they will have the most impact.
Analytics cookies set by PostHog store a randomly generated anonymous identifier for each browser, plus session metadata. PostHog cookies are first-party from your browser's perspective (PostHog is configured to set cookies under the toolum.ai domain, not under posthog.com), and the PostHog EU instance is the data processor.
Toolum's PostHog configuration excludes Personal Data from event payloads at the instrumentation level. Where event content would otherwise include Personal Data (for example, email addresses or Blueprint names), our instrumentation either omits or hashes those fields before they are sent to PostHog. This is described in our Privacy Policy Section 2.7.
You can decline consent for analytics cookies; if you do, PostHog cookies are not set, and Toolum does not collect analytics data from your sessions.
4. Third-party cookies
Toolum does not use third-party cookies on the marketing site at https://toolum.ai or on the application at https://app.toolum.ai. We do not embed advertising trackers. We do not embed social media widgets that set their own cookies. We do not embed third-party analytics platforms that operate under their own domains.
The cookies and local-storage entries set by Toolum are all first-party from your browser's perspective. This includes the cookies set by PostHog for analytics: PostHog is configured to operate under the Toolum domain, so its cookies appear as first-party.
If we ever add third-party cookies — for example, if we decide in the future to use a third-party help-desk widget or a remarketing pixel — we will update this Policy in advance and present a renewed consent banner so that you can make an informed decision before any third-party cookies are set.
5. How to manage cookies
You have several ways to control cookies on Toolum. They overlap in some places; the simplest one for each situation is described below.
5.1 The Toolum consent banner
When you first visit Toolum (or after we publish a material update to this Cookie Policy), a consent banner appears. The banner gives you three options:
- Accept all — allows strictly necessary, functional, and analytics cookies;
- Reject all non-essential — allows only strictly necessary cookies; declines functional and analytics;
- Customize — opens a detailed view where you can accept or decline functional cookies and analytics cookies independently.
Your choice is recorded and respected until you change it through the cookie settings link in the Toolum footer, or until we publish a material update to this Policy that requires renewed consent.
5.2 Cookie settings link in the footer
The Toolum footer includes a "Cookie settings" link that opens the consent customization view at any time. You can revisit and revise your choices whenever you wish.
5.3 Browser-level controls
All modern browsers let you view, delete, and block cookies at the browser level. The instructions vary by browser:
- Chrome: Settings → Privacy and security → Cookies and other site data;
- Firefox: Settings → Privacy & Security → Cookies and Site Data;
- Safari: Preferences → Privacy → Manage Website Data;
- Edge: Settings → Cookies and site permissions → Cookies and site data.
If you block all cookies at the browser level, Toolum cannot function — you will not be able to stay signed in, and various Service features will fail. If you block only third-party cookies, Toolum is not affected, because we do not use third-party cookies (see Section 4 above).
5.4 Do Not Track signals
Some browsers offer a "Do Not Track" (DNT) signal that asks websites not to track the user. The DNT specification has not been widely adopted as a binding standard, and there is no industry consensus on what websites should do in response. Toolum's position is straightforward: regardless of DNT, you can decline analytics cookies through our consent banner described in Section 5.1 above, and we will respect that choice. The consent banner is more reliable than DNT because the legal framework supporting it is clear.
6. Cookie list
The following table lists the cookies and local-storage entries that Toolum may set on your device. The list is current as of the Last Updated date at the top of this Policy. We update this table whenever we add, remove, or materially change a cookie.
🟡 Note: The names below reflect Toolum's own authentication (custom JWT stored in localStorage) and our analytics provider PostHog. If you observe a cookie on Toolum that is not in this list and you wish to confirm its purpose, please contact info@toolum.ai with the cookie name.
6.1 Strictly necessary cookies and tokens
| Name | Type | Purpose | Duration |
|---|---|---|---|
| toolum_authenticated | First-party cookie (Secure, SameSite=Lax) | Sign-in state marker read by the server-side middleware to gate access to the application | 30 days |
| toolum_staff_role | First-party cookie (Secure, SameSite=Lax) | Role marker set only for staff/administrator sessions; read by the middleware to gate internal areas | 5 minutes (refreshed when the staff cabinet loads) |
| toolum_access_token | localStorage (custom JWT) | Short-lived access token sent as a Bearer Authorization header on API requests | Token valid 15 minutes |
| toolum_refresh_token | localStorage (custom JWT) | Longer-lived refresh token used to obtain a new access token without re-login | Token valid 7 days |
| toolum_consent | First-party cookie (domain .toolum.ai) | Stores your cookie-consent choices set through the consent banner | 365 days |
6.2 Functional storage (cookies and localStorage)
| Name | Type | Purpose | Duration |
|---|---|---|---|
| toolum_locale | First-party cookie (set lazily) | Remembers your selected interface language; absent until you change the default | Until changed or cleared |
| toolum_density | First-party cookie (set lazily) | Remembers your UI density preference; absent until you change the default | Until changed or cleared |
| toolum_theme | First-party cookie | Remembers your selected light/dark interface theme | 1 year |
| toolum-schema | localStorage | Caches the working app schema so the editor can restore your session | Until you clear browser storage |
| toolum-project-<id> | localStorage | Persists the most recent editor draft for a given project | Until you clear browser storage |
| toolum:preview-auth:<id> | localStorage | Holds preview-auth session state for a project's test sign-in | Until you clear browser storage |
| toolum_apis, toolum_bindings, toolum_db, toolum_logic, toolum_nav | localStorage | Persist editor working state (API definitions, data bindings, database, logic, navigation) | Until you clear browser storage |
6.3 Analytics cookies
| Cookie name | Type | Purpose | Duration |
|---|---|---|---|
| ph_<project-key>_posthog | First-party cookie | PostHog analytics — randomly generated anonymous identifier, session metadata | 12 months |
| ph_<project-key>_window_id | First-party cookie | PostHog session identifier for the current browser window | Session |
The <project-key> portion is a specific identifier for our PostHog project; it is the same value for all Toolum visitors.
6.4 Domain scope
All cookies in the tables above are set under either toolum.ai or app.toolum.ai, depending on which surface you are on. None are set under third-party domains. PostHog cookies, as noted in Section 4, are set under the Toolum domain through PostHog's first-party configuration.
6.5 Storage inside apps you export
Apps you build and export from Toolum run on infrastructure you control and use their own browser storage, which is outside Toolum's control and not covered by this Policy. Note that exported apps generated before this Policy's publication may use legacy storage key names (for example, an appbuilder_* prefix) in their own bundles; apps exported afterwards use the toolum_* naming. You own the exported code and may rename these as you wish.
7. Changes to this Cookie Policy
We update this Cookie Policy when we add, remove, or change cookies on Toolum, or when the underlying legal framework changes in a way that requires updated disclosure.
7.1 How we publish changes
When we change this Policy, we update the Last Updated date at the top of the document. For substantive changes — adding a new cookie category, adding a third-party cookie, or otherwise materially changing what we store on your device — we also revise the Effective Date and publish a short summary of what changed.
Historic versions of this Policy are available at their dated URLs under /legal/cookies/<date> and preserved in our public repository.
7.2 When we ask for renewed consent
If we add a cookie or category that requires consent under EU ePrivacy law and that was not covered by your previous consent choice, we will present a renewed consent banner so that you can make an informed decision before the new cookie is set.
7.3 Non-material changes
Corrections of typographical errors, clarifications of existing language, and updates to a cookie's stated duration without a change in the cookie's purpose are made by updating the Last Updated date without a renewed consent banner.
8. Contact
For any question about this Cookie Policy, about a specific cookie, or about how to exercise your cookie-related rights:
Toolum
Kirill Maximenko (Cyprus self-employed entity)
Tax Identification Number: 60056031S
Address: 3 Evagora Pitali, 4040 Germasogeia, Limassol, Cyprus
Email: info@toolum.ai
Cyprus supervisory authority
For complaints relating to cookies and similar technologies in Cyprus, the supervisory authority is the Office of the Commissioner for Personal Data Protection, which also has competence over ePrivacy matters affecting Cyprus-based services:
Office of the Commissioner for Personal Data Protection
Office address: Kypranoros 15, 1061 Nicosia, Cyprus
Postal address: P.O. Box 23378, 1682 Nicosia, Cyprus
Telephone: +357 22 818456
Email: commissioner@dataprotection.gov.cy
Website: https://www.dataprotection.gov.cy
Document version 1.0. Effective June 5, 2026.