⚠️ Draft — pending legal review before publication

Cookies Policy — iBetterCoach

Version: 1.0
Effective date: [to be defined before publication]
Last updated: [to be defined before publication]

⚠️ Notice: This document was prepared as a solid legal foundation tailored to iBetterCoach. Before publication it must be reviewed by a Portuguese lawyer specialised in GDPR and digital law.


1. Legal framework

This Cookies Policy governs the use of cookies and similar technologies (pixels, local storage, technical fingerprinting, device identifiers) on the iBetterCoach platform (the "Platform"), accessible at [domain to be defined].

The use of these technologies is regulated by:

  • Regulation (EU) 2016/679 of 27 April 2016 (GDPR)
  • Directive 2002/58/EC (ePrivacy Directive), transposed into Portuguese law by Law 41/2004 of 18 August, as amended by Law 46/2012
  • Law 58/2019 of 8 August, ensuring the execution of the GDPR in the Portuguese legal order
  • Guidelines of the Portuguese Data Protection Authority (CNPD) on cookies and identifiers
  • EDPB Guidelines 03/2022 on dark patterns in social media platform interfaces

iBetterCoach upholds the principle of prior, free, specific, informed and unambiguous consent for any non-strictly-necessary cookie, pursuant to Article 5(3) of the ePrivacy Directive.


2. What cookies are

Cookies are small text files placed on the user's device (computer, phone, tablet) when the user visits the Platform. They allow the Platform to recognise the device, remember preferences, keep sessions active and collect statistical or usage information.

The Platform may also use equivalent technologies, namely:

  • Browser Local Storage and Session Storage
  • Tracking pixels and tags (if enabled in the future for campaigns)
  • Session identifiers managed by the authentication provider (Clerk)

For the purposes of this Policy, all such technologies are treated with the same rigour as traditional cookies.


3. Cookie categories

iBetterCoach groups cookies into four categories, in line with CNPD and EDPB guidelines:

3.1 Strictly necessary (no consent required)

Essential to the Platform's basic operation. Without them, services such as authentication, session persistence, security or fraud prevention would not be possible.

Cookie         | Provider     | Purpose                                         | Duration
__session      | Clerk        | Keep the user authenticated                     | Session
__client_uat   | Clerk        | Client authentication token                     | 1 year
__refresh_<id> | Clerk        | Automatic session renewal                       | 1 year
_csrf          | iBetterCoach | CSRF attack protection                          | Session
cookie-consent | iBetterCoach | Remember the user's choice in the cookie banner | 12 months

Legal basis: legitimate interest of the controller in the technical operation of the service (Article 6(1)(f) GDPR) and the exception in Article 5(3) of the ePrivacy Directive.

3.2 Functionality cookies (optional consent)

Allow the Platform to remember user preferences (language, theme, metric/imperial units, dashboard layout) to improve the experience.

Cookie       | Provider     | Purpose                   | Duration
ui-theme     | iBetterCoach | Light/dark theme          | 12 months
locale       | iBetterCoach | Preferred language        | 12 months
units-system | iBetterCoach | Metric or imperial system | 12 months

Legal basis: consent (Article 6(1)(a) GDPR).

3.3 Analytics and performance cookies (optional consent)

Allow iBetterCoach to understand how users interact with the Platform in an aggregate, anonymous way to improve usability.

iBetterCoach commits to using only privacy-friendly analytics tools (anonymised IP, aggregation, no cross-site tracking). Currently considered:

  • Vercel Analytics (anonymised)
  • Self-hosted PostHog or equivalent in privacy-first mode
  • Plausible Analytics (cookieless, no personal data)

The Platform does not use Google Analytics without additional safeguards (proxy, anonymisation, short retention), in line with rulings by the French CNIL, the Austrian DPA and CNPD's position on transfers to the United States.

Legal basis: consent (Article 6(1)(a) GDPR).

3.4 Marketing and advertising cookies (optional consent)

The Platform does not currently use marketing or behavioural advertising cookies. Should these be introduced in the future, this Policy will be updated and the user will be invited to provide explicit consent before activation.


4. Consent banner

On first visit, the user sees a consent banner that complies with the following rules:

  1. Visual parity between the "Accept all", "Reject all" and "Customise" buttons. No option is more prominent than another.
  2. One-click rejection, with no need to navigate to sub-menus.
  3. No non-essential cookie is placed before the user's choice.
  4. Granularity by category — the user may accept only functional cookies and reject analytics, or vice versa.
  5. No dark patterns — no auto-acceptance timers, no pre-ticked boxes, no manipulative wording.
  6. Permanent re-opening — the user may review and change preferences at any time via the "Cookie preferences" link in the footer.

5. Managing and disabling cookies

In addition to the Platform's banner, the user may also manage cookies directly in the browser:

  • Chrome: Settings → Privacy and security → Cookies and other site data
  • Firefox: Settings → Privacy & Security → Cookies and Site Data
  • Safari: Preferences → Privacy → Manage Website Data
  • Edge: Settings → Cookies and site permissions

Warning: disabling strictly necessary cookies may prevent the Platform from working correctly, including login.


6. Third-party cookies and international transfers

Some processors used by iBetterCoach set their own cookies. The main ones are:

Processor                     | Function             | Location                                     | Safeguard
Clerk (Clerk Inc., USA)       | Authentication       | USA                                          | Standard Contractual Clauses (SCC) + DPA
Vercel (Vercel Inc., USA)     | Hosting and CDN      | EU (Frankfurt) with possible global fallback | SCC + DPA + European region preferred
Supabase (Supabase Inc., USA) | Database and storage | EU (Frankfurt)                               | SCC + DPA + European region preferred

iBetterCoach always prioritises European regions where available and signs Standard Contractual Clauses approved by the European Commission with all processors that may handle data outside the European Economic Area, in line with the Schrems II ruling (C-311/18) and the current EU-US Data Privacy Framework.


7. Retention period

Cookies have the duration indicated in the tables above. In any case, no non-essential cookie is kept for longer than 13 months, in line with the CNIL recommendation frequently followed by CNPD.


8. Data subject rights

Even in the cookie context, the user retains the rights set out in the GDPR, namely:

  • Right of access, rectification and erasure (Articles 15, 16 and 17)
  • Right to restriction of processing (Article 18)
  • Right to data portability (Article 20)
  • Right to object (Article 21)
  • Right to withdraw consent at any time, without affecting the lawfulness of prior processing
  • Right to lodge a complaint with CNPD (www.cnpd.pt)

To exercise these rights, the user may contact iBetterCoach at privacy@ibettercoach.com.


9. Changes to this Policy

This Policy may be updated to reflect legal changes, new features or new processors. Whenever there are substantial changes, the user will be notified and, where applicable, invited to renew consent.

The version in force is always available at [URL to be defined]/legal/cookies.


10. Contact

Controller: iBetterCoach — [legal name to be defined, VAT number, address]
Data Protection Officer (DPO): [to be appointed if applicable]
Email: privacy@ibettercoach.com
Supervisory authority: Portuguese Data Protection Authority (CNPD), Av. D. Carlos I, 134 - 1.º, 1200-651 Lisbon, www.cnpd.pt


Document prepared for iBetterCoach. Requires formal legal review before publication.

This document may be updated. The version in force is always the one available on this page.
