Cookie Policy
Version 2.0 — Last updated: April 24, 2026
This policy describes, in compliance with Article 82 of the French Data Protection Act (as amended by the Ordinance of 12 December 2018) and the CNIL recommendation of 17 September 2020, every cookie and similar technology (localStorage, sessionStorage, technical fingerprinting) we use on injobby.com.
1. What is a cookie?
A cookie is a small text file placed on your device by a website. It lets the site remember information (session, preference) between page loads. By extension, we apply the same rules to every technology with equivalent purpose: localStorage (persistent browser storage), sessionStorage (ephemeral storage), and IndexedDB. The CNIL treats them identically when they read or write information.
2. Strictly necessary cookies
These cookies are essential for the site to function. They are exempted from consent collection under Article 82 and cannot be disabled without breaking the service.
| Name | Issuer | Purpose | Duration |
|---|---|---|---|
| access_token | InJobby (1st-party, httpOnly, Secure, SameSite=Lax) | Session authentication (short-lived JWT) | 30 minutes |
| refresh_token | InJobby (1st-party, httpOnly, Secure, SameSite=Lax) | Renewal of the access_token (rotated on each use) | 30 days |
| injobby-auth (localStorage) | InJobby (1st-party) | Client-side session state (name, email, plan shown in the UI — never a password or a token) | Until logout |
| injobby:consent:v1 (localStorage) | InJobby (1st-party) | Memory of your cookie-banner choice (consent proof under GDPR Article 7.1) | 13 months |
| NEXT_LOCALE | next-intl (1st-party) | Language preference (fr/en) persisted across visits | 1 year |
CSRF protection. We do not use a dedicated anti-CSRF cookie. The protection relies on the custom X-Requested-With header — which only a same-origin script can set — combined with the SameSite=Lax attribute on the authentication cookies.
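The check described above, sketched as an added example (not InJobby's own code): a server-side gate that refuses state-changing requests lacking the X-Requested-With header, plus the CORS preflight answer the scheme depends on, since the header is only unforgeable cross-origin while preflights from foreign origins are refused. The function names, the origin allowlist and the extra Origin comparison are assumptions.

```javascript
// Added example; names and the allowlist below are assumptions, not InJobby's code.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);
const SITE_ORIGIN = "https://injobby.com";
const CORS_ALLOWLIST = new Set([SITE_ORIGIN]); // never "*" with credentialed requests

// req: { method, headers } with lower-cased header names (as Node's http module gives them).
function checkCsrf(req) {
  if (SAFE_METHODS.has(req.method.toUpperCase())) {
    return { allowed: true, reason: "safe method" };
  }
  // An HTML form or <img> cannot add a custom header; fetch/XHR from another
  // origin triggers a CORS preflight before the header is ever sent.
  if (!req.headers["x-requested-with"]) {
    return { allowed: false, reason: "missing X-Requested-With" };
  }
  // Defence in depth (assumption): browsers send Origin on non-GET requests.
  const origin = req.headers["origin"];
  if (origin && origin !== SITE_ORIGIN) {
    return { allowed: false, reason: "foreign Origin" };
  }
  return { allowed: true, reason: "custom header present" };
}

// Answer to an OPTIONS preflight. A foreign origin gets no Access-Control-*
// headers, so the browser never sends the real request with the custom header.
function preflightHeaders(req) {
  const origin = req.headers["origin"];
  if (!CORS_ALLOWLIST.has(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Headers": "X-Requested-With, Content-Type",
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Constructed sample requests.
const formPost = { method: "POST", headers: { origin: "https://evil.example" } };
const appPost = { method: "POST",
  headers: { origin: SITE_ORIGIN, "x-requested-with": "XMLHttpRequest" } };
const foreignPreflight = { method: "OPTIONS", headers: { origin: "https://evil.example" } };

console.log(checkCsrf(formPost), checkCsrf(appPost), preflightHeaders(foreignPreflight));
```

A permissive CORS policy that reflects arbitrary origins while allowing X-Requested-With would remove the guarantee, which is why the two functions are worth reviewing together.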
3. Cookies and trackers subject to your consent
These tools are only loaded after explicit acceptance on the consent banner. You can change your mind at any time (section 5).
3.1 Product analytics — PostHog
We use PostHog (EU Cloud, Frankfurt) to understand which features are used and spot friction points in the activation funnel. PostHog is only loaded with your explicit consent.
| Name | Type | Purpose | Duration |
|---|---|---|---|
| ph_* (localStorage) | PostHog (third-party, EU Cloud) | Anonymous visitor ID and pending product-event queue (no session replay) | 1 year |
Session replays are disabled (disable_session_recording: true). PostHog only collects the named product events we explicitly emit (page views, first CV created, ATS scan run, PDF downloaded, etc.) — no screen recording, no DOM capture, no input tracing. For users who withdraw consent, PostHog is never initialised.
3.2 Error monitoring — Sentry
Sentry collects unhandled JavaScript errors so we can fix bugs. From version 2.0, its initialisation is subject to your consent (aligning with the CNIL recommendation on technical trackers of this kind).
| Name | Type | Purpose | Duration |
|---|---|---|---|
| sentryReplaySession (sessionStorage, optional) | Sentry (third-party, EU region) | Error replay session identifier | Browser session |
3.3 Payments — Stripe
When you start a payment you are redirected to a Stripe-hosted page. Cookies set on that page are governed by Stripe's privacy policy. They are limited to payment processing and fraud detection — no advertising cookie is set.
4. What we do NOT use
- No advertising cookies.
- No social-media pixels (Facebook, LinkedIn, X, TikTok).
- No marketing-oriented Real User Monitoring (Hotjar, Mouseflow, etc.).
- No browser fingerprinting for identification.
- Google Analytics is not used.
5. Managing and withdrawing consent
On your first visit a banner invites you to accept or reject the cookies that require consent. Accept and Reject are presented with equal visual weight, per CNIL recommendation 2021-SR-15.
To change your mind at any time, in one click:
- "Manage cookies" button — available (i) in the landing-page footer, (ii) in the dashboard footer once you're signed in, and (iii) in Settings → Cookies and preferences. Clicking it clears your saved choice and re-shows the consent banner immediately, with no page reload. You can then accept or reject again.
- Otherwise, clear your local storage for injobby.com in your browser settings — the banner will reappear on your next visit.
- Or email contact@injobby.com with subject “Withdraw consent” — we'll enforce your choice server-side (events purged from PostHog within 30 days).
Your browser also lets you delete or block cookies generally:
Note: disabling strictly necessary cookies prevents the site from functioning (login, language preference).
6. Consent retention
Your choice (accepted or rejected) is retained for up to 13 months, the duration recommended by the CNIL, after which the banner reappears.
7. Learn more
For more details on how we process your data overall, see our Privacy Policy. Any question: contact@injobby.com.