Cookie Policy

1.  What This Policy Covers

This Cookie Policy explains what cookies and similar technologies Addison's Diary uses, why we use them, and how you can control them. It applies to the Addison's Diary website and web application at addisonsdiary.com and any Progressive Web App (PWA) version of the application.

This policy should be read together with our Privacy Policy and Terms of Use, available at addisonsdiary.com.

For EU and UK users: This policy is provided in compliance with the EU ePrivacy Directive (2002/58/EC as amended by 2009/136/EC), the EU General Data Protection Regulation (GDPR), and the UK Privacy and Electronic Communications Regulations (PECR). Your consent to non-essential cookies is required before those cookies are set.

2.  What Cookies Are

Cookies are small text files that a website places on your device when you visit. They are widely used to make websites work, remember your preferences, and provide information to site owners. Cookies are set either by the website you are visiting ("first-party cookies") or by third-party services used by that website ("third-party cookies").

In addition to cookies, websites may use similar technologies including:

• Local storage — browser-side storage for larger data items that persists until explicitly cleared
• Session storage — browser-side storage that is cleared when you close your browser tab
• IndexedDB — a browser database for offline-capable web applications
• Web beacons — small invisible images used to track page views or email opens
• Fingerprinting — using device characteristics to identify a browser (we do not use this)

References to "cookies" in this policy include all similar technologies unless otherwise specified.

3.  Cookie Categories We Use

Addison's Diary uses cookies and browser storage in the following categories. We describe each category, its legal basis, and whether you can opt out.

Category 1 — Strictly Necessary

Strictly necessary cookies and storage include the tokens and session data that keep you signed in, security tokens that protect against cross-site attacks, and the data your browser stores locally to make the application responsive and fast. Without these, the application cannot function.

Cookie / Storage Key	Type	Purpose	Duration	Required?
CognitoIdentityServiceProvider.*	Session / Local Storage	Authentication tokens issued by Amazon Cognito. Keeps you signed in across page loads. Contains your JWT access token, ID token, and refresh token.	Session / Until sign-out	No — required
amplify-signin-with-hostedUI	Local Storage	Tracks whether you signed in through the Cognito Hosted UI. Used for sign-out flow.	Session	No — required
amplify-redirected-from-hosted-ui	Session Storage	Temporary flag used during the OAuth redirect flow to prevent redirect loops.	Session only	No — required
familyId	Local Storage	Stores your family account identifier locally for fast app initialization.	Until sign-out	No — required
addisonsdiary_cookie_consent	Local Storage	Records your cookie consent choice so the banner does not reappear on every visit.	12 months	No — required

Category 2 — Functional

Functional cookies store your in-app preferences such as your chosen notification settings, display preferences, and onboarding checklist status. They make the app feel consistent across sessions.

Cookie / Storage Key	Type	Purpose	Duration	Required?
addisonsdiary_prefs	Local Storage	Stores your in-app display preferences and notification settings locally for faster rendering on load.	Until cleared or sign-out	Yes — optional
addisonsdiary_checklist_dismissed	Local Storage	Remembers whether you have dismissed the Getting Started onboarding checklist. Prevents it from reappearing on every login.	Persistent	Yes — optional
addisonsdiary_last_section	Session Storage	Remembers which section of the app you were viewing, so returning to the app lands you in the right place.	Session only	Yes — optional

Category 3 — Analytics

Addison's Diary uses minimal, privacy-first analytics to understand aggregate usage patterns — such as which features are most frequently used and where users encounter errors. We do not use individual user tracking or behavioral profiling for analytics.

Current status: At launch, Addison's Diary does not use any third-party analytics platform. Basic usage metrics are derived from server-side logs in anonymized form. If we introduce client-side analytics in the future, this policy will be updated and EU/UK users will be prompted for consent.

Category 4 — Advertising and Tracking

4.  Third-Party Cookies

Addison's Diary uses a small number of third-party services that may set their own cookies or use browser storage. These are limited to services essential for the application to function.

Amazon Cognito (AWS)

Purpose: Authentication and account security. Amazon Cognito manages your sign-in, password security, and two-factor authentication. The Amplify JavaScript library used by Addison's Diary stores Cognito authentication tokens in your browser's local storage.

Data stored: Your JWT authentication tokens. These are encrypted credentials that prove your identity on each request. They contain your user ID and session information — not your health data or personal care information.

Third-party cookie: No — Cognito tokens are stored in local storage by the addisonsdiary.com domain, not by a separate domain. They are first-party storage items.

Privacy: aws.amazon.com/privacy

Stripe

Purpose: Subscription payment processing. When you access the Stripe-hosted payment page (for subscription signup or managing your billing), Stripe sets its own cookies for fraud prevention and session management on the Stripe-hosted domain.

Scope: Stripe cookies are only set when you visit Stripe's payment pages. They are set on Stripe's domain, not on addisonsdiary.com. Addison's Diary does not receive or process these cookies.

Privacy: stripe.com/privacy

Postmark and Twilio

Purpose: Email and SMS delivery. These services do not set cookies on addisonsdiary.com. They process email and text message delivery only — they have no cookie presence on the application.

No Other Third-Party Cookies

Addison's Diary does not load Google Analytics, Facebook Pixel, Google Ads, LinkedIn Insight, Twitter/X tracking, or any other advertising or analytics third-party script that would set cookies on your browser from a third-party domain.

5.  The Cookie Consent Banner

When you visit addisonsdiary.com for the first time, a cookie consent banner appears before any non-essential cookies or tracking technologies are loaded. This banner is required by EU ePrivacy Directive (implemented as PECR in the UK) and is best practice for US state privacy laws including CCPA/CPRA (California), CTDPA (Connecticut), and others.

How the Banner Works

• The banner fires on your first visit before any non-essential scripts load
• Strictly necessary cookies load immediately — they are required for the page to function
• Non-essential cookies (functional, analytics) do not load until you click "Accept" or "Accept All"
• If you click "Decline" or "Necessary Only," only strictly necessary cookies are set
• Your choice is stored in local storage (addisonsdiary_cookie_consent) so the banner does not reappear
• You can change your preference at any time — see Section 6

Banner Text — Short Version (for reference)

EU and UK Users — Legal Basis for Consent

For EU users, the cookie consent banner satisfies the requirement under Article 5(3) of the ePrivacy Directive (as implemented in each member state) and Article 7 of the GDPR for consent-based cookies. For UK users, it satisfies the requirement under Regulation 6 of the UK Privacy and Electronic Communications Regulations 2003 (PECR).

Consent collected through the banner is:

• Freely given — you can decline without losing access to essential functionality
• Specific — you are told what each category of cookie does before consenting
• Informed — this Cookie Policy provides full detail
• Unambiguous — consent requires an affirmative action (clicking "Accept"), not a pre-ticked box
• Withdrawable — you can change your preference at any time

6.  How to Control and Delete Cookies

6.1  Change Your Preferences on Addison's Diary

You can update your cookie preferences at any time:

• Visit addisonsdiary.com/cookies and use the preference center
• Or clear the addisonsdiary_cookie_consent item from your browser's local storage — the consent banner will reappear on your next visit
• EU/UK users: withdrawing consent stops non-essential cookies from loading on future visits

6.2  Browser Settings

You can control cookies through your browser settings. Most browsers allow you to:

• View and delete individual cookies
• Block all cookies or block third-party cookies only
• Set cookies to expire when you close your browser
• Receive a notification when a cookie is set

Instructions for common browsers:

• Google Chrome: Settings → Privacy and Security → Cookies and other site data
• Safari: Settings → Privacy → Manage Website Data
• Mozilla Firefox: Settings → Privacy & Security → Cookies and Site Data
• Microsoft Edge: Settings → Cookies and site permissions → Cookies and site data
• Samsung Internet: Settings → Privacy and security → Cookie management

Important: Blocking strictly necessary cookies will prevent you from signing in to Addison's Diary. The application requires authentication tokens stored in local storage to function. Blocking all cookies or local storage will break the app.

6.3  Local Storage and Session Storage

Cookies stored in local storage and session storage are not deleted by clearing browser cookies alone — they are managed separately. To clear local storage for addisonsdiary.com:

• Chrome / Edge: Developer Tools (F12) → Application → Local Storage → addisonsdiary.com → Right-click → Clear
• Firefox: Developer Tools (F12) → Storage → Local Storage → addisonsdiary.com → Right-click → Delete All
• Safari: Developer menu → Web Inspector → Storage → Local Storage → addisonsdiary.com
• Or: clear all browsing data including "Site data" / "Cached web content" in your browser settings

Clearing local storage will sign you out of Addison's Diary and reset your preferences.

6.4  Do Not Track (DNT)

Some browsers include a "Do Not Track" setting that sends a signal to websites requesting that they not track you. Addison's Diary respects this signal — if your browser sends a DNT:1 header, we will not set any non-essential cookies or load any analytics scripts, regardless of your cookie banner consent choice. We do not use cross-site tracking of any kind in any case.

6.5  Global Privacy Control (GPC)

The Global Privacy Control (GPC) is a browser signal that communicates your opt-out of the sale of personal information and sharing for cross-context behavioral advertising under CCPA/CPRA and other state laws. Addison's Diary honors GPC signals. If your browser sends a GPC signal, we treat it as an opt-out of any sale or sharing of personal information — though we do not sell personal information in any case.

7.  Cookies and the Mobile App (PWA)

Addison's Diary is a Progressive Web App (PWA) that can be added to the home screen of iOS and Android devices. When used as a PWA, the application uses the same browser-based storage mechanisms described in this policy — local storage, session storage, and browser cookies — within the PWA's isolated browser context.

The PWA does not use native app tracking technologies such as:

• Apple's App Tracking Transparency (ATT) framework — we do not track users across apps or websites
• Google Advertising ID (GAID) or Apple's Identifier for Advertisers (IDFA)
• Mobile measurement partners or SDK-level analytics
• Push notification identifiers for advertising purposes

If Addison's Diary is distributed as a native app through the Apple App Store or Google Play Store in the future, this policy will be updated to address any platform-specific tracking technologies. At present, the application is web-based only.

8.  Data Stored in Cookies — What Is and Is Not There

9.  Your Rights by Jurisdiction

European Union — ePrivacy and GDPR

EU users have the right to refuse all non-essential cookies without any disadvantage. Strictly necessary cookies do not require consent. For all other cookies, consent is required before the cookie is set, and you may withdraw consent at any time. Processing of personal data through cookies is subject to GDPR. To exercise your GDPR rights regarding cookie data, contact privacyandlegal@pribco.com.

Supervisory authority complaints: edpb.europa.eu

United Kingdom — PECR and UK GDPR

UK users have equivalent rights under the UK Privacy and Electronic Communications Regulations (PECR) and UK GDPR. Consent for non-essential cookies is required before they are set. To exercise UK GDPR rights, contact privacyandlegal@pribco.com or contact the ICO at ico.org.uk.

California — CCPA/CPRA

California residents have the right to opt out of the sale of personal information and sharing for cross-context behavioral advertising. Addison's Diary does not sell personal information and does not share it for advertising. Cookie data is not sold. To exercise CCPA rights, contact support@addisonsdiary.com.

All Other US States

Residents of US states with comprehensive privacy laws (Virginia, Colorado, Connecticut, Texas, and others) have the right to opt out of targeted advertising and profiling. Addison's Diary does not engage in targeted advertising or cross-context behavioral profiling. The cookie controls described in Section 6 allow you to limit cookie use to strictly necessary functions.

10.  Changes to This Cookie Policy

We may update this Cookie Policy from time to time — for example, if we add new features that use cookies, if we engage a new analytics provider, or if applicable law changes. When we make material changes, we will:

• Update the effective date at the top of this policy
• Notify registered users by email or in-app notice
• Reset the cookie consent banner for EU and UK users so you can review and re-consent to any new cookie categories
• Not introduce advertising or tracking cookies without prominent disclosure and your explicit consent

11.  Contact

Questions about this Cookie Policy or your cookie preferences may be directed to:

Pribco LLC — Addison's Diary

Privacy and Cookie Inquiries: privacyandlegal@pribco.com

General Support: support@addisonsdiary.com

Cookie Preference Center: addisonsdiary.com/cookies

PART 2 — CONSENT BANNER COPY

Ready-to-use text for the website cookie consent pop-up

Three versions: Standard · Minimal · EU/UK Expanded

Banner Version 1 — Standard (Recommended)

Use this for most visitors. Covers US and EU. Clear, friendly, and legally sound.

Banner Version 2 — Minimal (Mobile / Small Screens)

Use this for mobile PWA first launch. Compact. Links to full policy.

Banner Version 3 — EU/UK Expanded (GDPR / PECR Compliant)

Use this for visitors with EU or UK IP addresses. More detailed. Meets GDPR Article 7 and PECR Reg. 6 requirements.

Banner Version 4 — Re-Consent After Policy Update

Use this when the Cookie Policy is updated and EU/UK users need to re-consent.

Implementation Notes for Alex

The following technical requirements must be met for the cookie consent implementation to be legally compliant:

Critical — Must Be Done Before Launch

• Cookie banner must fire before any non-essential scripts load — not after. JavaScript for functional/analytics cookies must be wrapped in a consent check.
• Strictly necessary cookies (Cognito auth tokens) may load immediately — they do not require consent.
• The consent choice must be stored in local storage (addisonsdiary_cookie_consent) with a 12-month expiry and the banner must not reappear until expiry or until the policy changes.
• The banner must offer a genuine "Decline" / "Necessary Only" option with equal visual prominence to "Accept All" — a small grey "decline" link does not meet GDPR requirements.
• The "Manage Preferences" / "Cookie Settings" option must open a preference panel where users can toggle categories individually.
• A "Cookie Preferences" link must be accessible from the website footer on every page so users can update their choice at any time without waiting for the banner to reappear.
• For EU/UK visitors (detected by IP geolocation): use Banner Version 3. For US visitors: Banner Version 1 is sufficient.
• Honor DNT:1 and GPC browser signals — if detected, default to necessary-only without showing the banner.
• The consent banner must not obscure the entire page or prevent scrolling — GDPR guidance requires users to be able to read the page before accepting cookies.

Recommended Implementation

Consider using a lightweight open-source consent management library such as:

• CookieConsent by Orest Bida (github.com/orestbida/cookieconsent) — free, GDPR-compliant, well-maintained
• Klaro (github.com/klaro-org/klaro) — open source, multilingual, GDPR/CCPA compliant
• Tarteaucitron.js — French-developed, strong EU compliance track record

These libraries handle consent storage, banner display, script blocking, and preference management. They are significantly easier to implement correctly than a custom solution.

Addison's Diary  ·  A product of Pribco LLC  ·  addisonsdiary.com  ·  For the moments that matter most.