Scope
This Cookie Policy covers cookies used by the Emailingo web application (e.g., app.emailingo.com) for authentication and security, and by our marketing site (emailingo.com) for the consent banner. We do not set advertising cookies. Public marketing pages run with no cookies, strictly necessary cookies, or — with your consent — analytics cookies.
What Are Cookies?
Cookies are small text files placed on your device by your browser at the request of a website. They are widely used to keep you signed in, enable site functionality, and protect your account.
How We Use Cookies (Login Only)
Note: We do not require CSRF tokens on token issuance, refresh, or MFA verification endpoints. Those endpoints are unauthenticated or use a one-time flow. After you successfully authenticate, we set a CSRF cookie for state-changing requests inside the app.
Your email recipients who open or click your campaigns do not need to sign in to Emailingo, and we do not set authentication cookies in their browser when they do. Tracking pixels and click-redirect links record engagement events server-side without setting persistent cookies on the recipient's device for cross-site tracking.
Cookies We Set
| Cookie | Purpose | Type | Duration | Attributes |
|---|---|---|---|---|
| em_access_token | Signed, opaque token that maps to your authenticated session. Keeps you signed in during an active session. Refreshed automatically when you're using the application. | Session (essential) | 15 minutes (rolling; refreshed automatically on activity) | Secure; HttpOnly; SameSite=Lax; Path=/; HTTPS only. |
| em_refresh_token | Signed, longer-lived token used to automatically refresh your access token. Enables "Remember me" functionality across browser restarts. | Persistent (essential) | 7 days (30 days with "Remember me") | Secure; HttpOnly; SameSite=Lax; Path=/; HTTPS only. |
| em_csrf_token | Cross-site request forgery protection token. Set after successful authentication. Used with a matching X-CSRF-Token request header on state-changing requests. | Session (essential) | Matches refresh-token lifetime (7 or 30 days) | Secure; SameSite=Lax; readable by JavaScript (not HttpOnly); Path=/; HTTPS only. |
| em_cookie_consent | Records your cookie-banner choice on our marketing site (emailingo.com). Values: all or essential. | Persistent (consent) | 365 days | Secure; SameSite=Lax; Path=/; HTTPS only. Set on the parent domain so a single decision covers marketing + app. |
Session behavior
- Active use: the access token refreshes automatically while you're using the app.
- Inactivity: sessions expire after the refresh-token TTL (7 days, or 30 days for "Remember me").
- Logout: all three cookies are cleared server-side and immediately invalidated.
- Device tracking: basic device data (browser, platform, masked IP) is logged for security monitoring (separately from cookies).
Device Information Collection
For session security and audit logging, the application collects minimal device information at sign-in:
- Browser type (e.g., Chrome, Firefox, Edge)
- Platform (e.g., macOS, Windows)
- IP address — full address logged for security event correlation; a masked variant (network prefix only) is stored alongside session data for privacy.
- Timezone and language, for user experience.
We do not collect high-entropy fingerprinting identifiers like exact screen resolution, GPU info, or detailed browser-version strings. Device information is used solely for session security, suspicious-login detection, and improving the user experience.
Tracking Pixels & Click-Redirect Links
Outbound campaigns sent through Emailingo may include an open-tracking pixel and click-redirect links so you can measure engagement. These do not set browser cookies on the recipient's device for cross-site tracking. They record engagement events (open / click) server-side, scoped to the specific campaign and recipient. Recipients who use a mail client that blocks remote images, or who use a privacy proxy that pre-fetches images, will not generate accurate open events — this is a known limit of email tracking and not unique to Emailingo.
You as the Customer can disable open tracking, click tracking, or both per-campaign in the app.
Third-Party Cookies on Subscription Checkout
When you purchase or upgrade an Emailingo subscription, the payment form is rendered by Stripe. Stripe may set its own cookies on the checkout page for fraud prevention and to operate its checkout — these are governed by Stripe's cookie policy, not Emailingo's. Emailingo does not receive or read those cookies.
Session Timeout
Your session will automatically expire after 7 days of inactivity, or 30 days if you selected "Remember me" during login. The access token is rotated automatically while you actively use the application; rotation pauses during periods of inactivity.
Data Retention
Session data is automatically deleted when:
- You explicitly log out.
- Your refresh token expires (7 days, or 30 days for "Remember me").
- You revoke the session from another device.
Security event logs (containing full IP addresses) may be retained longer — typically 90 days — for fraud detection and incident response, separate from session data.
Marketing-Site Analytics
If we deploy analytics on our public marketing pages (e.g., Google Analytics), they are not required to use the product and are never loaded inside the application or on the login or MFA endpoints. Where supported, we configure privacy-enhancing settings (IP anonymization, reduced retention).
Cookie Consent
Our marketing pages display a cookie-consent banner that lets you accept or decline non-essential cookies before they are loaded. Essential authentication cookies used by the application do not require consent under the ePrivacy Directive — they are strictly necessary for the Service to function.
In jurisdictions that require prior consent for analytics cookies (including the EEA and UK under the ePrivacy Directive), analytics scripts are not loaded until you provide affirmative consent through the banner. You can change your choice anytime by clicking Cookie settings in the page footer.
Your Choices
Because the authentication cookies above are strictly necessary, blocking them in your browser will prevent you from logging in to Emailingo. You may delete cookies at any time via your browser settings; you will be asked to sign in again.
Security
Authentication cookies are issued over HTTPS with Secure and HttpOnly flags and a SameSite=Lax policy. CSRF protection applies after authentication and uses a separate cookie paired with an X-CSRF-Token request header. Cookie values are signed and validated server-side, and session identifiers are rotated as appropriate (e.g., after MFA success or password change).
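The attributes stated above and in the "Cookies We Set" table can be checked against the Set-Cookie headers a browser actually receives. The following is an added example, not Emailingo's own code: it audits a header against the table, assumes lifetimes are sent as Max-Age in seconds (the policy does not say how they are expressed), and runs on constructed sample headers with placeholder values.

```python
# Added example: audit Set-Cookie headers against the attributes this policy states.
# Assumption: lifetimes arrive as Max-Age in seconds; a missing Max-Age is not flagged.
DAY = 86400
POLICY = {
    # name: (HttpOnly expected? None = not stated, allowed Max-Age values)
    "em_access_token": (True, {15 * 60}),
    "em_refresh_token": (True, {7 * DAY, 30 * DAY}),
    "em_csrf_token": (False, {7 * DAY, 30 * DAY}),  # must stay readable by JavaScript
    "em_cookie_consent": (None, {365 * DAY}),
}

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, {lowercased attribute: value})."""
    first, *rest = [p.strip() for p in header.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {k.strip().lower(): v.strip()
             for k, _, v in (p.partition("=") for p in rest if p)}
    return name, attrs

def audit(header):
    """Return the deviations from the policy table (empty list = matches)."""
    name, attrs = parse_set_cookie(header)
    if name not in POLICY:
        return [f"{name}: cookie not listed in the policy"]
    want_httponly, lifetimes = POLICY[name]
    issues = []
    if "secure" not in attrs:
        issues.append(f"{name}: missing Secure")
    if attrs.get("samesite", "").lower() != "lax":
        issues.append(f"{name}: SameSite is not Lax")
    if attrs.get("path") != "/":
        issues.append(f"{name}: Path is not /")
    if want_httponly is not None and ("httponly" in attrs) != want_httponly:
        state = "set" if want_httponly else "absent"
        issues.append(f"{name}: HttpOnly should be {state}")
    max_age = attrs.get("max-age")
    if max_age is not None and not (max_age.isdigit() and int(max_age) in lifetimes):
        issues.append(f"{name}: Max-Age {max_age} is not a stated lifetime")
    return issues

# Constructed sample headers (placeholder values, not real tokens).
SAMPLES = [
    "em_access_token=PLACEHOLDER; Max-Age=900; Path=/; Secure; HttpOnly; SameSite=Lax",
    "em_csrf_token=PLACEHOLDER; Max-Age=604800; Path=/; Secure; SameSite=Lax",
    "em_refresh_token=PLACEHOLDER; Max-Age=7776000; Path=/; Secure; SameSite=None",
]

if __name__ == "__main__":
    for h in SAMPLES:
        print(audit(h) or "OK")
```

The third sample is deliberately non-conforming: it reports the SameSite, HttpOnly and lifetime deviations for em_refresh_token.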
Contact
Questions about this Cookie Policy? Contact privacy@emailingo.com.
Effective Date: 2026-05-01