Cookies
TillPulse uses strictly necessary cookies only. We do not use third-party advertising or marketing cookies, and we do not sell tracking data.
What we set
| Name | Purpose | Lifetime | Type |
|---|---|---|---|
tp_access | Short-lived JWT used to authenticate API and dashboard requests. | 15 minutes | httpOnly · SameSite=Lax · Secure |
tp_refresh | Refresh token used to mint new tp_access cookies. Rotated on every refresh. | 30 days | httpOnly · SameSite=Lax · Secure |
tp_sso_pkce | Holds the state + PKCE code_verifier across the SSO redirect. | 10 minutes (single-use) | httpOnly · SameSite=Lax · Secure |
tp_csrf | Double-submit token on POST/PUT/PATCH/DELETE requests from the dashboard. | Session | SameSite=Lax · Secure |
tp_theme | Optional, set when a user picks a non-default theme. | 1 year | SameSite=Lax · Secure |
What we do not set
- No third-party advertising cookies.
- No tracking pixels or marketing trackers.
- No cross-site fingerprinting.
Why we don't show a banner
Strictly necessary cookies under most regulations (GDPR, POPIA, NDPA) do not require consent — they are essential to deliver a service the user has asked for (signing in, staying signed in, completing an SSO flow). If we ever introduce non-essential cookies, we will gate them behind a real consent banner.
Disabling cookies
You can clear or block cookies in your browser settings, but the dashboard won't function — sign-in won't survive the redirect. SDKs do not use cookies; they use HTTP requests with header-based auth. Disabling browser cookies has no effect on TillPulse SDK telemetry.
Third-party services in the dashboard
We load fonts from Google Fonts (preconnect to fonts.googleapis.com and fonts.gstatic.com) and the world map from a public TopoJSON CDN on the Field Map page. Neither sets cookies in our hosting context.
Questions
Email privacy@tillpulse.io.