Cookie Policy - ruledoc.io
Status: DRAFT (non-lawyer prepared). Review before publishing. Effective date: [REVIEW: set effective date on publish] Last updated: 2026-05-10 Version: 1.0-draft
What this policy covers
This Cookie Policy explains how ruledoc.io (operated by RFPvault, postal address pending PostNord boxadress registration (Stockholm, Sweden), contact privacy@ruledoc.io) uses cookies and similar technologies (collectively, "Cookies") on its website and Service. It should be read together with our Privacy Policy.
This Policy is informed by:
- GDPR (Regulation (EU) 2016/679) - where Cookies process personal data
- ePrivacy Directive (2002/58/EC, as amended), Art. 5(3) - consent for storage of information on a user's device
- The Swedish Electronic Communications Act (Lag (2022:482) om elektronisk kommunikation), § 9 ch. 28 (Swedish implementation of ePrivacy Art. 5(3))
Summary
ruledoc.io uses only strictly-necessary cookies. We do not use analytics cookies, advertising cookies, social-media plugins, or any form of cross-site tracking. We do not display a cookie banner because strictly-necessary cookies do not require consent under ePrivacy Art. 5(3) and the Swedish Electronic Communications Act.
If this changes in the future (for example, if we add product-analytics), we will update this Policy, deploy a compliant consent banner, and obtain your prior consent before any non-essential Cookie is set.
Cookies we set
| Cookie name | Purpose | Type | Set by | Duration | Personal data |
|---|---|---|---|---|---|
ruledoc_session |
Maintains your authenticated session after login | Strictly necessary (ePrivacy Art. 5(3) exemption) | ruledoc.io (first-party) | Session (cleared on browser close) or 30 days if "remember me" is selected | Session identifier (not your password); linked server-side to your account |
ruledoc_csrf |
Prevents cross-site request forgery on form submissions | Strictly necessary (ePrivacy Art. 5(3) exemption) | ruledoc.io (first-party) | Session | Random token, not linked to identity |
[REVIEW: confirm the actual cookie names used by the Service. If they differ, update this table. Add any other first-party cookies that exist in production.]
Strictly-necessary status
The Cookies listed above are exempt from the consent requirement of ePrivacy Art. 5(3) because their sole purpose is either (a) to carry out the transmission of a communication (CSRF), or (b) strictly necessary in order to provide a service explicitly requested by you (session authentication for the Service you are using). This is consistent with European Data Protection Board (EDPB) Guidelines 5/2020 on consent and EDPB Guidelines on the use of cookies (where applicable).
Cookies we do NOT set
For full transparency:
- No analytics cookies (no Google Analytics, no Plausible-with-cookies, no Mixpanel, no Hotjar, no Amplitude, no Heap)
- No advertising cookies (no AdSense, no Facebook Pixel, no LinkedIn Insight Tag)
- No social-media plugins that set third-party cookies (no Facebook Like button, no Twitter widget, no LinkedIn Share)
- No session-replay cookies (no FullStory, no LogRocket)
- No A/B-testing cookies (no Optimizely, no Google Optimize)
- No CDN tracking cookies [REVIEW: if you add Cloudflare in front of
the Service, the
__cf_bmcookie may be set by Cloudflare; that is classified as strictly necessary by Cloudflare for bot management. If you add Cloudflare, list it here.]
If we ever introduce any of the above, we will (a) update this Policy, (b) deploy a compliant consent banner with equally prominent "Accept" and "Reject" controls (no dark patterns), (c) default all non-essential Cookies to OFF, and (d) only set them after explicit affirmative consent that is as easy to withdraw as to give (Art. 7(3) GDPR).
Other tracking technologies
We do not use:
- Pixel tags / web beacons set by third parties
- Browser fingerprinting
- localStorage or sessionStorage for tracking purposes (we may use localStorage for storing UI preferences such as light/dark theme; this data stays in your browser and is not personal data unless it identifies you)
- IndexedDB for tracking
- Server-side identifiers tied to a fingerprint
[REVIEW: confirm Service does not use localStorage in a way that constitutes device-storage requiring consent - if it does, this section needs to be updated.]
Embedded content from other websites
Articles or pages on ruledoc.io may include embedded content (for example, images or documentation snippets). Embedded content from other websites behaves in the same way as if you visited the other website directly. Those websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content.
[REVIEW: at present, ruledoc.io does not embed third-party content. If this changes, list the providers here.]
Your choices
Because we use only strictly-necessary Cookies, no consent is required and no opt-out is available without breaking the Service (you cannot maintain a logged-in session without the session cookie).
You can still control Cookies at the browser level:
- Most browsers allow you to block all cookies, block third-party cookies only, delete cookies on close, or manage cookies per-site.
- Blocking the
ruledoc_sessioncookie will prevent you from logging in. - Blocking the
ruledoc_csrfcookie will prevent forms from being submitted.
If we add non-essential Cookies in the future, we will offer per-purpose opt-in toggles in a consent preference centre, and your refusal will not affect access to the Service (Art. 7(4) GDPR - no detriment for refusal).
Updates to this Policy
We may update this Policy from time to time. The "Last updated" date at the top reflects the most recent change. If we materially change our use of Cookies, we will notify customers by email and (where required by law) obtain consent before the change takes effect.
Contact
For questions about this Cookie Policy, contact privacy@ruledoc.io.
For complaints, you may contact:
Integritetsskyddsmyndigheten (IMY) - the Swedish Authority for Privacy Protection Box 8114, SE-104 20 Stockholm, Sweden Web: https://www.imy.se/
[REVIEW] Items requiring your attention before publication:
- [REVIEW] Confirm actual cookie names used in production
(
ruledoc_session,ruledoc_csrfare placeholders - verify with the current implementation) - [REVIEW] Confirm whether any CDN (Cloudflare, Bunny, etc.) is in front of the Service - if so, list its strictly-necessary cookies
- [REVIEW] Confirm localStorage / sessionStorage use, if any
- [REVIEW] Confirm no third-party embeds at launch
- [REVIEW] Effective date
DRAFT NOTICE. This is a defensible non-lawyer draft. Before publishing, run a browser DevTools check (Application → Cookies and Application → Storage) on a logged-in session of ruledoc.io to confirm that the Cookies actually set match the table above. If anything else appears, update the table or remove the source.