fociiCookie Policy
A plain-English explanation of every cookie and local storage mechanism Focii uses — and what it does not use.
1. What Cookies Are
Cookies are small text files that a website places in your browser when you visit it. They are sent back to the originating website on subsequent visits and can be read by the server that set them. Cookies serve many purposes: keeping you logged in, remembering preferences, measuring site performance, or tracking behaviour across sites for advertising.
This policy explains every cookie and browser-storage mechanism used across the Focii platform — the web dashboard, the Chrome and Firefox browser extensions, and the Windows Companion desktop application.
2. Cookies Set by the Focii Dashboard
The Focii dashboard sets exactly two cookies. Both are strictly necessary for the service to function — without them you cannot stay logged in. Neither is used for advertising or tracking.
| Cookie name | Type | Purpose | Duration | HttpOnly |
|---|---|---|---|---|
| ACCESS_TOKEN | Strictly necessary | Holds your Supabase JWT access token. Authenticates every request you make to the dashboard and API while your session is active. | 1 hour (refreshed automatically while active) | Yes |
| REFRESH_TOKEN | Strictly necessary | Holds your Supabase JWT refresh token. Used to obtain a new access token when the current one expires, so you are not logged out mid-session. | Supabase default refresh token lifetime | Yes |
Both cookies are set with the HttpOnly and Secure flags. HttpOnly means the cookies cannot be read by any JavaScript running in the browser — including any scripts on the page. Secure means they are only ever transmitted over an encrypted HTTPS connection, never over plain HTTP.
These cookies are set on the Focii dashboard domain only. They are not present on any other website a student visits.
3. Third-Party Cookies
Focii uses one third-party service on the login and registration pages that may interact with your browser.
Cloudflare Turnstile (CAPTCHA)
The login and registration forms are protected by Cloudflare Turnstile, a privacy-respecting CAPTCHA alternative. Turnstile may set a short-lived cookie or use browser storage to complete its bot-detection challenge. This cookie is functional — it exists solely to determine that you are a human completing the form. It does not track your browsing activity or persist after you have completed the form. You can review Cloudflare's data practices at cloudflare.com/privacypolicy.
What we do not use
Focii does not use any of the following:
✕Google Analytics or any other analytics platform
✕Facebook Pixel or any social media tracking
✕Advertising or retargeting cookies of any kind
✕Hotjar, Mixpanel, Segment, or similar behaviour-tracking tools
✕Any cookie that persists across sessions for non-authentication purposes
4. Browser Extension Local Storage (Not Cookies)
The Focii Chrome and Firefox extensions do not set any browser cookies. They use chrome.storage.local — a separate storage API provided by the Chrome Extensions platform that is completely isolated from the normal browser cookie store. Data held in chrome.storage.local is scoped to the extension itself and cannot be read by any website the student visits, including the Focii dashboard.
The following values are stored by the extension:
| Key / file | Location | Contents | Accessible to websites? |
|---|---|---|---|
| parentToken | chrome.storage.local | Supabase JWT access token for the parent account | No |
| parentRefreshToken | chrome.storage.local | Supabase JWT refresh token for the parent account | No |
| deviceId | chrome.storage.local | A UUID that uniquely identifies this extension installation across restarts | No |
| pairedStudentId / deviceStudentId | chrome.storage.local | UUID of the student profile linked to this device | No |
| supabaseUrl / supabaseKey | chrome.storage.local | Project URL and public anon key needed to reach the Focii backend | No |
| sessionOverrideGrants | chrome.storage.local | Temporary list of URLs/domains the parent has approved for the current session | No |
| Pending events | chrome.storage.local | Analysis events buffered locally awaiting upload to the database | No |
All data in chrome.storage.local is automatically removed when the extension is uninstalled from the browser.
5. Windows Companion Local Files (Not Cookies)
The Focii Windows Companion application does not set any browser cookies. It writes three local files to the %APPDATA%\FocusInterceptor\ directory on the student's Windows PC. These are local application files, not cookies, and are not accessible to any website or browser.
| Key / file | Location | Contents | Accessible to websites? |
|---|---|---|---|
| config.json | %APPDATA%\FocusInterceptor\ | Supabase project URL, public API key, student ID, parent ID, device ID, and Chrome extension ID needed to connect the Companion to the backend | No |
| policy_cache.json | %APPDATA%\FocusInterceptor\ | Cached app-blocking policy fetched from the parent dashboard. Used to enforce blocking during brief internet outages without making a network request | No |
| companion.log | %APPDATA%\FocusInterceptor\ | Structured local log of enforcement events (which apps were blocked and when). Used for debugging and uploading event records to the database | No |
These files are removed when the Windows Companion is uninstalled.
6. How to Control and Delete Cookies
Dashboard authentication cookies
You can delete the ACCESS_TOKEN and REFRESH_TOKEN cookies at any time by logging out of the Focii dashboard. You can also delete them manually via your browser's developer tools or privacy settings. Deleting them will log you out of your session — you will need to sign in again to access your dashboard.
Because these cookies are HttpOnly they cannot be modified by JavaScript, only deleted. Blocking them via your browser's cookie controls will prevent you from staying logged in to the dashboard.
Cloudflare Turnstile
The Turnstile challenge cookie is short-lived and is set only on the login and registration pages. It can be deleted via your browser's cookie controls. Blocking third-party cookies in your browser may affect whether the Turnstile challenge completes successfully.
Browser extension storage
Extension local storage cannot be cleared through normal browser cookie controls. It is cleared automatically when the Focii extension is uninstalled. You can also clear it manually from your browser's extension-management page (for Chrome, chrome://extensions) by opening Focii extension details and clearing extension storage where the browser provides that control. This will sign the extension out.
Browser-level cookie controls
Most browsers provide settings to view, block, or delete cookies. Common paths:
Chrome: Settings → Privacy and security → Cookies and other site data
Firefox: Settings → Privacy & Security → Cookies and Site Data
Safari: Settings → Privacy → Manage Website Data
Edge: Settings → Cookies and site permissions → Cookies and site data
7. Changes to This Policy
If we introduce new cookies or change how existing ones are used we will update this page and revise the effective date. Any new strictly necessary cookies required for authentication or security will not require additional consent. Any non-essential cookies — which we currently do not use — would require your consent before being set.
8. Contact
If you have questions about cookies or local storage used by Focii, contact us at legal@focii.app or reach out via the contact page.