Cookie notice
AOV currently uses first-party cookies and related browser state only for necessary workspace operation. Login is not blocked behind a cookie consent gate because these cookies are required to provide the authenticated service.

| Cookie or state | Purpose | Category | Retention | Consent or opt-out |
|---|---|---|---|---|
| Auth session cookie | Keeps the signed-in session active and binds requests to the authenticated person. | Strictly necessary | Session or configured auth-session lifetime | Required for sign-in; not optional while using the app |
| CSRF cookie/token | Protects sign-in and cookie-authenticated writes from cross-site request forgery. | Strictly necessary | Short-lived/session | Required for secure form and API writes |
| Callback/redirect handling | Returns the user to the intended same-origin workspace page after authentication. | Strictly necessary | Short-lived/session | Required for login flow continuity |
| aov_active_context | Stores the selected organization, agreement, vendor, IV, org-admin, or AOV context. | Strictly necessary | Session-oriented workspace preference | Required for correct authorization context |

Non-essential scripts
AOV does not currently load analytics, marketing, advertising, session replay, or cross-site tracking scripts. Any future non-essential script category must be held until the user has a real preference control.