Cookie Policy
Effective Date: March 3, 2026
Last Updated: March 3, 2026
1. What Are Cookies?
Cookies are small text files placed on your device (computer, smartphone, or tablet) when you visit a website. They are widely used to make websites work, to remember your preferences, and — in some cases — to collect information about your browsing behavior.
NSuite Solo uses cookies and similar browser-based storage technologies. This Cookie Policy explains exactly what we use, why, and what controls you have.
2. Our Approach to Cookies
NSuite Solo is built with a minimal footprint philosophy:
- We use one strictly necessary authentication cookie that is required for the platform to function.
- With your consent, we use analytics cookies from Google Analytics 4 to help us understand how the product is used.
- We use no advertising or tracking cookies.
- We use no cross-site tracking.
- Third-party cookies from Stripe are present only on public invoice payment pages, operated by Stripe for fraud prevention purposes.
3. First-Party Cookies We Set
3.1 access_token — Authentication Cookie
| Cookie Name | access_token |
|---|---|
| Category | Strictly Necessary |
| Party | First-Party (set by NSuite Solo) |
| Purpose | Authentication. Contains your signed JSON Web Token (JWT), which identifies your logged-in session. Without this cookie, the platform cannot verify your identity and you will not be able to access any protected features. |
| Data Stored | Signed JWT containing your user ID, email address, and assigned roles. The token is cryptographically signed, so it cannot be altered without invalidating the signature. |
| Duration | 7 days from login (or registration). The cookie is deleted immediately on logout. |
| HttpOnly | Yes — the cookie is inaccessible to client-side JavaScript. This protects the token from being read by scripts injected through a cross-site scripting (XSS) attack. |
| Secure | Yes (production only) — the cookie is only transmitted over HTTPS. |
| SameSite | Lax — protects against cross-site request forgery (CSRF) in most scenarios. |
| Set by | Next.js Server Actions on login and registration |
| Deleted by | Server Action on logout; browser upon expiry |
Legal basis: This cookie is strictly necessary for providing the service you have requested. Under the ePrivacy Directive (Recital 66) and UK ICO guidance, strictly necessary cookies are exempt from prior consent requirements. The cookie banner serves as a transparency notice, not a consent request.
3.2 Analytics Cookies — Google Analytics 4 / Google Tag Manager
With your consent, NSuite Solo uses Google Analytics 4 (GA4) and Google Tag Manager (GTM) to collect anonymous, aggregate data about how visitors use the site. These cookies are only placed after you click Accept All in the cookie consent banner. You may withdraw consent at any time by clearing your browser cookies or revisiting the consent banner via the Cookie Settings link.
| Cookie Name | Category | Purpose | Duration |
|---|---|---|---|
| _ga | Analytics | Distinguishes unique users by assigning a randomly generated number as a client identifier | 2 years |
| _ga_<CONTAINER_ID> | Analytics | Maintains and stores session state for the GA4 measurement container | 2 years |
| _gid | Analytics | Distinguishes users within a 24-hour session window | 24 hours |
| _gat | Analytics | Throttles the GA4 request rate to prevent overloading | 1 minute |
| _gcl_au | Analytics / Conversion | Stores and tracks conversion events; used for Google Ads conversion linking | 3 months |
Legal basis: Your freely given, specific, and informed consent under the ePrivacy Directive and GDPR Art. 6(1)(a). Consent is recorded in localStorage["cookie-consent-analytics"] and may be withdrawn at any time.
4. Third-Party Cookies
4.1 Stripe Cookies — Invoice Payment Pages Only
When you access a public invoice payment page (/pay/[businessId]/invoice/[token]), NSuite Solo loads Stripe's JavaScript library (js.stripe.com/v3/) to render the payment form. Stripe is solely responsible for the cookies it sets.
| Cookie Name | Operator | Category | Purpose | Duration |
|---|---|---|---|---|
| __stripe_mid | Stripe, Inc. | Strictly Necessary (Fraud Prevention) | Machine identifier used by Stripe to distinguish devices and detect fraudulent activity | 1 year |
| __stripe_sid | Stripe, Inc. | Strictly Necessary (Fraud Prevention) | Session identifier used by Stripe for fraud detection within a browsing session | 30 minutes |
These cookies are only set on invoice payment pages (/pay/). They are governed exclusively by Stripe's Privacy Policy and Stripe's Cookie Settings. NSuite Solo does not have control over what cookies Stripe sets or how long they persist.
5. Browser Local Storage
In addition to cookies, NSuite Solo uses your browser's localStorage API to store lightweight UI preferences. Unlike cookies, localStorage data is never transmitted to our servers, is accessible only within your browser, and is readable only by client-side JavaScript on the same origin. We do not store any personal information in localStorage.
5.1 theme — Dark/Light Mode Preference
| Key | theme |
|---|---|
| Values | "dark" or "light" |
| Purpose | Remembers your dark or light mode display preference so it is applied consistently across sessions. |
| Contains PII | No |
| Duration | Persistent (until manually cleared or browser data is cleared) |
5.2 cal:sidebar:collapsed — Calendar Sidebar State
| Key | cal:sidebar:collapsed |
|---|---|
| Values | "true" or "false" |
| Purpose | Remembers whether you have collapsed the appointment calendar sidebar. Preserves your layout preference between visits. |
| Contains PII | No |
| Duration | Persistent (until manually cleared or browser data is cleared) |
6. Session Storage
We do not use sessionStorage anywhere in the NSuite Solo application. No data is stored in sessionStorage.
7. Analytics and Tracking Technologies
NSuite Solo uses Google Analytics 4 (GA4) and Google Tag Manager (GTM) to collect anonymous, aggregate information about how visitors use the site. This includes page views, session duration, navigation paths, and device type. GA4 is operated by Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). IP addresses are anonymised before storage. Data retention is set to 14 months.
These analytics cookies are only placed with your consent. You may withdraw consent at any time by clearing the cookie-consent-analytics key from your browser's localStorage, or by using the Cookie Settings link in the site footer.
We do not use Meta (Facebook) Pixel, Mixpanel, PostHog, Amplitude, Segment, Hotjar, FullStory, session recording, heatmapping, advertising pixels, or cross-site behavioural tracking identifiers.
8. Fonts and Remote Resources
NSuite Solo uses the Geist and Geist Mono typefaces (by Vercel). These are loaded through Next.js's built-in font optimization, which self-hosts the font files at build time and serves them from NSuite's own domain. No runtime requests are made to fonts.googleapis.com or any external font CDN. No font-based tracking occurs.
9. Your Cookie Controls
9.1 Browser Settings
You can control and delete cookies through your browser settings. Most browsers allow you to view and delete individual cookies, block all cookies (note: this will break authentication on NSuite Solo), block third-party cookies, and set preferences for specific sites.
Important: Blocking the access_token cookie will prevent you from logging in to NSuite Solo. The authentication cookie is strictly necessary for the platform to function. We cannot provide an opt-out for this cookie.
9.2 In-App Cookie Consent Banner
On your first visit to NSuite Solo, a cookie consent banner is displayed. The banner explains that we use one strictly necessary authentication cookie and, with your consent, analytics cookies from Google Analytics 4.
Clicking Accept All enables analytics cookies. Clicking Essential Only limits cookies to strictly necessary cookies only. Your choice is stored in localStorage["cookie-consent-analytics"] as "granted" or "denied".
This banner is a consent gate, not merely a transparency notice. Analytics cookies are only placed after you explicitly click Accept All. You may change your preference at any time by clearing your browser's localStorage for this site.
9.3 Stripe Cookie Opt-Out
To manage Stripe's cookies, visit stripe.com/cookie-settings. NSuite Solo does not have the technical ability to control Stripe's cookies on Stripe-loaded payment pages.
10. Do Not Track (DNT)
NSuite Solo does not currently respond to browser-level "Do Not Track" (DNT) signals. Because we do not engage in cross-site tracking or behavioral advertising, DNT is not operationally relevant to our platform. We remain open to adopting Global Privacy Control (GPC) signals as they become legally required in applicable jurisdictions.
11. Changes to This Cookie Policy
We will update this Cookie Policy if we introduce new cookies, storage keys, or tracking technologies. When we make material changes, we will update the "Last Updated" date at the top of this document and notify registered Operators by email.
12. Contact Us
For questions about this Cookie Policy or our data practices:
Core Axis Holdings, LLC
Attn: Privacy
3351 S Field St, Lakewood, Colorado 80227
Email: legal@nsuitesolo.com
For Stripe-specific cookie inquiries, contact Stripe at stripe.com/privacy.
Appendix A — Complete Cookie and Storage Inventory
Cookies
| Name | Type | Party | Category | Duration | Pages | PII? |
|---|---|---|---|---|---|---|
| access_token | HTTP Cookie | First-Party | Strictly Necessary | 7 days | All authenticated pages | Yes (user ID, email, roles in JWT payload) |
| __stripe_mid | HTTP Cookie | Third-Party (Stripe) | Strictly Necessary (Fraud Prevention) | 1 year | /pay/ pages only | No (device identifier) |
| __stripe_sid | HTTP Cookie | Third-Party (Stripe) | Strictly Necessary (Fraud Prevention) | 30 minutes | /pay/ pages only | No (session identifier) |
| _ga | HTTP Cookie | Third-Party (Google LLC) | Analytics (consent required) | 2 years | All pages (when consent granted) | No (random client ID) |
| _ga_<ID> | HTTP Cookie | Third-Party (Google LLC) | Analytics (consent required) | 2 years | All pages (when consent granted) | No (session state) |
| _gid | HTTP Cookie | Third-Party (Google LLC) | Analytics (consent required) | 24 hours | All pages (when consent granted) | No (session ID) |
| _gat | HTTP Cookie | Third-Party (Google LLC) | Analytics (consent required) | 1 minute | All pages (when consent granted) | No (rate-limit flag) |
| _gcl_au | HTTP Cookie | Third-Party (Google LLC) | Analytics / Conversion (consent required) | 3 months | All pages (when consent granted) | No (conversion ID) |
Local Storage
| Key | API | Category | Duration | Pages | PII? |
|---|---|---|---|---|---|
| cookie-consent-analytics | localStorage | Consent Record | Persistent | All pages | No |
| theme | localStorage | Functional / UI Preference | Persistent | All pages | No |
| cal:sidebar:collapsed | localStorage | Functional / UI State | Persistent | Appointments dashboard | No |
Session Storage
None.