Scope
This Cookie Policy covers cookies used by the ElevateIQ web application (e.g., app.elevateiq.com) for authentication and security only. We do not set advertising cookies. Public marketing pages may operate with no cookies, strictly necessary cookies, or — with your consent — analytics cookies.
What Are Cookies?
Cookies are small text files placed on your device by your browser at the request of a website. They are widely used to keep you signed in, enable site functionality, and protect your account.
How We Use Cookies (Login Only)
Note: We do not require CSRF tokens on the /auth/token, /auth/refresh, Passkey, SSO, and MFA verification endpoints. Those endpoints are unauthenticated or use a one-time flow. After you successfully authenticate, we set a CSRF cookie for state-changing requests inside the app.
Cookies We Set
| Cookie | Purpose | Type | Duration | Attributes |
|---|---|---|---|---|
| eq_access_token | Signed, opaque token that maps to your authenticated session. Keeps you signed in during an active session. Refreshed automatically when you're using the application. | Session (essential) | 15 minutes (rolling; refreshed automatically on activity) | Secure; HttpOnly; SameSite=Lax; Path=/; HTTPS only. |
| eq_refresh_token | Signed, longer-lived token used to automatically refresh your access token. Enables "Remember me" functionality across browser restarts. | Persistent (essential) | 7 days (30 days with "Remember me") | Secure; HttpOnly; SameSite=Lax; Path=/; HTTPS only. |
| eq_csrf_token | Cross-site request forgery protection token. Set after successful authentication. Used with a matching X-CSRF-Token request header on state-changing requests. | Session (essential) | Matches refresh-token lifetime (7 or 30 days) | Secure; SameSite=Lax; readable by JavaScript (not HttpOnly); Path=/; HTTPS only. |
| eq_cookie_consent | Records your cookie-banner choice on our marketing site (elevateiq.com). Values: all or essential. | Persistent (consent) | 365 days | Secure; SameSite=Lax; Path=/; HTTPS only. Set on the parent domain so a single decision covers marketing + app. |
Session behavior
- Active use: the access token refreshes automatically while you're using the app.
- Inactivity: sessions expire after the refresh-token TTL (7 days, or 30 days for "Remember me").
- Logout: all three authentication cookies are cleared and the underlying session is immediately invalidated server-side.
- Device tracking: basic device data (browser, platform, masked IP) is logged for security monitoring (separately from cookies).
Device Information Collection
For session security and audit logging, the application collects minimal device information at sign-in:
- Browser type (e.g., Chrome, Firefox, Edge)
- Platform (e.g., macOS, Windows)
- IP address — full address logged for security event correlation; a masked variant (network prefix only, e.g. 192.168.x.x) is stored alongside session data for privacy.
- Timezone & language for user experience.
We do not collect high-entropy fingerprinting identifiers like exact screen resolution, GPU info, or detailed browser-version strings. Device information is used solely for session security, suspicious-login detection, and improving the user experience.
Session Timeout
Your session will automatically expire after 7 days of inactivity, or 30 days if you selected "Remember me" during login. The access token is rotated automatically while you actively use the application; rotation pauses during periods of inactivity.
Data Retention
Session data is automatically deleted when:
- You explicitly log out.
- Your refresh token expires (7 days, or 30 days for "Remember me").
- You revoke the session from another device.
Security event logs (containing full IP addresses) may be retained longer — typically 90 days — for fraud detection and incident response, separate from session data.
Third-Party Cookies
If we deploy analytics on our public marketing pages (e.g., Google Analytics), they are not required in order to sign in and are never loaded on the login or MFA endpoints. Where supported, we configure privacy-enhancing settings (IP anonymization, reduced retention).
Cookie Consent
Our marketing pages display a cookie-consent banner that lets you accept or decline non-essential cookies before they are loaded. Essential authentication cookies used by the application do not require consent under the ePrivacy Directive — they are strictly necessary for the Service to function.
In jurisdictions that require prior consent for analytics cookies (including the EEA and UK under the ePrivacy Directive), analytics scripts are not loaded until you provide affirmative consent through the banner. You can change your choice anytime by clicking Cookie settings in the page footer.
Your Choices
Because the authentication cookies above are strictly necessary, blocking them in your browser will prevent you from logging in to ElevateIQ. You may delete cookies at any time via your browser settings; you will be asked to sign in again.
Security
Authentication cookies are issued over HTTPS with Secure and HttpOnly flags and a SameSite=Lax policy. CSRF protection applies after authentication and uses a separate cookie paired with an X-CSRF-Token request header. The /auth/token, /auth/refresh, Passkey, SSO, and MFA verification endpoints do not require CSRF because they are unauthenticated or use a one-time, short-lived flow. Cookie values are signed and validated server-side, and session identifiers are rotated as appropriate (e.g., after MFA success).
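The cookie attributes from the table above and the post-authentication CSRF rule described in this section, as an added Python example (not ElevateIQ's own code): it renders the Set-Cookie headers with the stated flags and lifetimes, signs the opaque cookie values with an HMAC so they can be validated server-side, and enforces the double-submit check (the eq_csrf_token cookie must equal the X-CSRF-Token header) on state-changing requests while exempting the /auth/token and /auth/refresh endpoints. The signing key, session id, and the placeholder path names for the Passkey, SSO and MFA endpoints are constructed assumptions; the policy does not give those URLs.

```python
"""Added example, not ElevateIQ's own code.

Builds the authentication cookies with the attributes listed in the cookie
table and applies the double-submit CSRF rule described under "Security".
"""
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Lifetimes taken from the cookie table (seconds).
ACCESS_TTL = 15 * 60
REFRESH_TTL = 7 * 24 * 3600
REFRESH_TTL_REMEMBER = 30 * 24 * 3600

# Constructed demo key; a real deployment loads this from a secret store.
SIGNING_KEY = b"constructed-demo-key-not-for-production"

# Endpoints with no CSRF requirement. /auth/token and /auth/refresh are named
# in the policy; the Passkey, SSO and MFA entries are placeholders, since the
# policy does not give their URLs.
CSRF_EXEMPT_PATHS = {
    "/auth/token",
    "/auth/refresh",
    "/auth/passkey-placeholder",
    "/auth/sso-placeholder",
    "/auth/mfa-verify-placeholder",
}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def sign(value: str) -> str:
    """Append an HMAC-SHA256 tag so a tampered cookie value is rejected."""
    tag = hmac.new(SIGNING_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"


def verify(token: str):
    """Return the signed value when the tag checks out, otherwise None."""
    value, _, tag = token.rpartition(".")
    expected = hmac.new(SIGNING_KEY, value.encode(), hashlib.sha256).hexdigest()
    if value and hmac.compare_digest(tag.encode(), expected.encode()):
        return value
    return None


def _set_cookie(name, value, max_age, http_only):
    """Render one Set-Cookie header value with the attributes from the table."""
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["secure"] = True          # HTTPS only
    morsel["httponly"] = http_only   # False for eq_csrf_token: JS must read it
    morsel["samesite"] = "Lax"
    morsel["path"] = "/"
    morsel["max-age"] = max_age      # 0 clears the cookie on logout
    return morsel.OutputString()


def auth_cookie_headers(session_id, csrf_token, remember_me=False):
    """Set-Cookie values issued after successful authentication."""
    refresh_ttl = REFRESH_TTL_REMEMBER if remember_me else REFRESH_TTL
    return {
        "eq_access_token": _set_cookie(
            "eq_access_token", sign(f"access:{session_id}"), ACCESS_TTL, True),
        "eq_refresh_token": _set_cookie(
            "eq_refresh_token", sign(f"refresh:{session_id}"), refresh_ttl, True),
        # The CSRF cookie lifetime matches the refresh token, per the table.
        "eq_csrf_token": _set_cookie("eq_csrf_token", csrf_token, refresh_ttl, False),
    }


def logout_cookie_headers():
    """Set-Cookie values that clear all three authentication cookies."""
    return {name: _set_cookie(name, "", 0, name != "eq_csrf_token")
            for name in ("eq_access_token", "eq_refresh_token", "eq_csrf_token")}


def csrf_check(method, path, cookies, headers):
    """Double-submit check: cookie eq_csrf_token must equal header X-CSRF-Token.

    Returns (allowed, reason). Safe methods and the exempt auth endpoints pass
    without a token; everything else needs both values, compared in constant time.
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    if path in CSRF_EXEMPT_PATHS:
        return True, "exempt endpoint"
    cookie_token = cookies.get("eq_csrf_token", "")
    header_token = headers.get("X-CSRF-Token", "")
    if not cookie_token or not header_token:
        return False, "missing CSRF token"
    if not hmac.compare_digest(cookie_token.encode(), header_token.encode()):
        return False, "CSRF token mismatch"
    return True, "token matched"


if __name__ == "__main__":
    csrf = secrets.token_urlsafe(32)  # constructed per-session CSRF value
    for header in auth_cookie_headers("sess-constructed-1", csrf, remember_me=True).values():
        print("Set-Cookie:", header)
    print(csrf_check("POST", "/app/settings", {"eq_csrf_token": csrf}, {"X-CSRF-Token": csrf}))
```

The check relies on the same-origin policy rather than on the cookie's secrecy: a cross-site page can cause the browser to send eq_csrf_token, but it cannot read the cookie to copy it into the X-CSRF-Token header, which is why that one cookie is deliberately not HttpOnly while the access and refresh tokens are.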
Contact
Questions about this Cookie Policy? Contact privacy@elevateiq.com.
Effective Date: 2026-05-01