Cookie Policy

Serendity uses necessary cookies only by default: an HTTP-only session cookie and a CSRF cookie used to protect account actions. These cookies are required for login and security.

The session cookie supports server-side inactivity controls. If an authenticated session is inactive for more than 3 hours, the backend rejects it and a fresh login is required.

No analytics, advertising, marketing, or cross-site tracking cookies are loaded by default. If optional analytics or marketing tools are added later, they must remain disabled until a separate opt-in consent mechanism exists.

The feedback widget does not add analytics or marketing cookies. It only submits the form data you send.

In production, session cookies must be Secure and SameSite=Lax unless a documented auth flow requires a stricter or different setting.