COOKIES · LAST UPDATED MAY 2026

Cookies

TillPulse uses strictly necessary cookies only. We do not use third-party advertising or marketing cookies, and we do not sell tracking data.

What we set

NamePurposeLifetimeType
tp_accessShort-lived JWT used to authenticate API and dashboard requests.15 minuteshttpOnly · SameSite=Lax · Secure
tp_refreshRefresh token used to mint new tp_access cookies. Rotated on every refresh.30 dayshttpOnly · SameSite=Lax · Secure
tp_sso_pkceHolds the state + PKCE code_verifier across the SSO redirect.10 minutes (single-use)httpOnly · SameSite=Lax · Secure
tp_csrfDouble-submit token on POST/PUT/PATCH/DELETE requests from the dashboard.SessionSameSite=Lax · Secure
tp_themeOptional, set when a user picks a non-default theme.1 yearSameSite=Lax · Secure

What we do not set

  • No third-party advertising cookies.
  • No tracking pixels or marketing trackers.
  • No cross-site fingerprinting.

Why we don't show a banner

Strictly necessary cookies under most regulations (GDPR, POPIA, NDPA) do not require consent — they are essential to deliver a service the user has asked for (signing in, staying signed in, completing an SSO flow). If we ever introduce non-essential cookies, we will gate them behind a real consent banner.

Disabling cookies

You can clear or block cookies in your browser settings, but the dashboard won't function — sign-in won't survive the redirect. SDKs do not use cookies; they use HTTP requests with header-based auth. Disabling browser cookies has no effect on TillPulse SDK telemetry.

Third-party services in the dashboard

We load fonts from Google Fonts (preconnect to fonts.googleapis.com and fonts.gstatic.com) and the world map from a public TopoJSON CDN on the Field Map page. Neither sets cookies in our hosting context.

Questions

Email privacy@tillpulse.io.


Privacy policy →Terms of service →