Cookie Policy
Last updated: May 2026
This Cookie Policy explains how OpenedLink uses cookies and similar tracking technologies on openedlink.com and the admin.openedlink.com admin panel. It is a companion to our Privacy Policy — that document describes how we handle personal data overall; this one focuses on browser-side storage. It is enforced by the cookie-consent banner you see on first visit. Per ePrivacy + GDPR, we do not set non-functional cookies until you grant consent; you can change your choice at any time via Settings → Cookie preferences.
1. What is a cookie?
A cookie is a small text file your browser stores when you visit a website. Cookies allow the site to remember information about your visit (e.g., that you are signed in) across page loads.
We also use a few related browser-side storage mechanisms (localStorage, sessionStorage, IndexedDB) for the same purposes; they are governed by the same consent rules.
2.1 Strictly necessary (always on)
These cookies are required for the platform to function. They cannot be disabled — if you reject them the site does not load. We rely on a strictly-necessary basis under ePrivacy Art. 5(3) (no consent required because the cookies are essential to provide the service you requested).
| Cookie | Purpose | Lifetime | Set by |
|---|---|---|---|
| access_token | JWT session token. Keeps you signed in across page loads. HttpOnly, Secure, SameSite=Strict. | 4 hours | api.openedlink.com |
| refresh_token | Long-lived JWT used to mint a new access_token without re-prompting for your password. HttpOnly, Secure, SameSite=Strict. | 7 days | api.openedlink.com |
| csrf_token | Cross-site request forgery protection. Mirrored into X-CSRF-Token on every state-changing request. | 7 days | api.openedlink.com |
| oauth_state | OAuth callback verification. Set briefly during channel-connection flows. SameSite=Lax (intentional — survives redirect from OAuth provider's domain). Cleared on callback completion. | 5 minutes | api.openedlink.com |
2.2 Analytics (opt-in)
We use Metabase as our internal BI tool (bi.openedlink.com). The Metabase iframe is rendered only inside the admin panel when an admin opens the BI menu entry — it is not loaded for regular tenant users or for visitors of the marketing site.
We do NOT use Google Analytics, Hotjar, Mixpanel, PostHog, or any third-party visitor-tracking tool. The BI iframe renders only when analytics: true is in your cookie_consent row.
| Cookie | Purpose | Lifetime | Set by |
|---|---|---|---|
| metabase.SESSION | Authenticates the embedded BI dashboard request. | 1 hour | bi.openedlink.com |
2.3 Marketing (opt-in)
We do not currently use any marketing cookies. The tier exists in the banner so we can ship one without re-prompting consent should we add a future tracking pixel. Until then, the marketing toggle is functionally a no-op.
When we add a marketing cookie, we will: (1) update this Cookie Policy with the cookie name, lifetime, and provider; (2) bump the consent version, which re-prompts every user; (3) notify customers via the in-app security-notice banner mechanism.
3. Sub-processors that may set cookies
Some of the third parties we use to deliver the service may set cookies on their own domains when you interact with them via our platform. The full list is at /legal/sub-processors (canonical, kept current per GDPR Art. 28(2)).
Of those, the ones with direct cookie exposure are:
- Metabase (bi.openedlink.com) — analytics tier only, see §2.2.
- Paddle (checkout iframe) — strictly necessary during a payment flow; the iframe loads only when an admin opens the upgrade dialog.
We do NOT load Anthropic, Brevo, Google Cloud, Meta (WhatsApp), or any other sub-processor in your browser; those run server-side only and do not set cookies on your device.
4. Changing your choice
You can change your cookie choices at any time:
- Admin panel: Settings → Cookie preferences → toggle analytics or marketing → Save.
- Landing site: open the cookie banner footer link "Cookie preferences" — your previous choice is shown; toggle and submit.
When you withdraw a tier, we mark the prior cookie_consent row as withdrawn (append-only audit per Art. 7(1)) and stop loading the relevant cookies on the next request.
5. Browser controls + children
In addition to our consent banner, your browser has its own cookie controls. You can view stored cookies for openedlink.com and admin.openedlink.com (DevTools → Application → Storage), block all third-party cookies (this will break Metabase BI; the strictly-necessary first-party cookies will continue to work), or clear all cookies (you will be signed out and the consent banner will re-prompt on your next visit).
Disabling strictly-necessary cookies will prevent the platform from working — there is no workaround for the JWT session.
We do not knowingly serve users under 16 (or the age of digital consent in your jurisdiction). The platform is a B2B admin tool.
Questions about cookies?
For questions about this policy or our cookie practices, contact us at:
contact@openedlink.com