Cookie Policy

Effective date: 18 May 2026 — Version 1.2 (updated 28 May 2026)

Short version: We set two strictly necessary HTTP cookies for authentication and cross-domain session detection. A third cookie stores your language preference if you switch languages. We also store your consent choice and, only if you accept analytics, a PostHog visitor ID in your browser's localStorage. We have no advertising or cross-site tracking cookies.

Last audited: 28 May 2026 — Production audit of pennapay.com and app.pennasystems.com via browser DevTools inspection (pre- and post-consent flows verified; cookies and localStorage inspected before consent, after Accept, and after Decline).

1. What is a cookie?

A cookie is a small text file stored on your device by your browser when you visit a website. Cookies help websites remember your preferences or keep you logged in. Under GDPR and the Danish cookie rules derived from the ePrivacy Directive (EU 2002/58/EC, as amended by 2009/136/EC), we must tell you which cookies we use and obtain your consent for any cookies that are not strictly necessary.

This policy also covers localStorage identifiers, which have the same privacy impact as cookies and are treated equivalently under current EDPB guidance.

2. Cookies we set

PennaSystems classifies cookies and similar client-side identifiers according to the four categories established under the ePrivacy Directive and EDPB guidance:

Strictly necessary — required for the platform to function (e.g. keeping you logged in, remembering your language). No consent required (ePrivacy Directive Art. 5(3) exemption for technically necessary storage).
Functional — improve usability without being essential (e.g. remembering UI preferences). Consent required where they are not strictly necessary.
Analytics — measure how the platform is used. Consent required for non-anonymous analytics or where the identifier persists across sessions.
Marketing / advertising — track users across sites for advertising or retargeting purposes. Always require explicit, granular consent.

At the date of this policy, PennaSystems sets only strictly necessary cookies (listed in the table below) and uses one consent-gated analytics identifier (the PostHog visitor ID, stored in browser localStorage rather than as a cookie — see §3 below). We do not set functional cookies (UI preferences such as theme and builder layout are stored in localStorage, not in cookies), and we set no marketing or advertising cookies of any kind.

The following table lists every HTTP cookie set by pennapay.com, app.pennasystems.com, and pennasystems.com.

Name	Domain	Category	Purpose	Lifetime	HttpOnly	Set by
`access_token`	app.pennasystems.com	Strictly necessary	Stores your JSON Web Token (JWT) authentication credential. Required to keep you logged in. HttpOnly prevents JavaScript access; Secure flag ensures HTTPS-only transmission.	30 days (or until logout)	Yes	Server
`ps_session`	.pennasystems.com	Strictly necessary	Session presence flag — value is always `1` and contains no personal data or auth credentials. Allows pennasystems.com to detect that you are logged in and update its button from "Sign in" to "Open dashboard". Set and cleared alongside `access_token`.	30 days (or until logout)	No	Server
`penna-locale`	pennapay.com, app.pennasystems.com	Strictly necessary	Stores your chosen display language (`en` or `da`). Only set when you explicitly click the language toggle — not set automatically. Allows your preference to persist across page loads.	1 year	No	Client (lang-toggle.js)

That is the complete list of HTTP cookies. We do not set advertising cookies, retargeting cookies, or cross-site tracking cookies of any kind.

3. localStorage items we store

In addition to HTTP cookies, we store the following items in your browser's localStorage. These are not transmitted to our servers with every request, but they persist across browser sessions until cleared.

Key	Domain	Category	Purpose	Lifetime	Set by
`cookie_consent_v2`	pennapay.com, app.pennasystems.com	Strictly necessary	Records your consent choices (analytics on/off, timestamp, schema version). Required to remember your decision and avoid showing the banner on every visit. The consent record itself is exempt from the consent requirement under the ePrivacy Directive.	Persistent (until you clear localStorage or the banner resets)	cookie-banner.js (set when you interact with the consent banner)
`ph_{key}_posthog`	pennapay.com, app.pennasystems.com	Analytics — consent required	PostHog visitor state: a random device ID and session identifiers used to understand how the product is used. Contains no name, email, or other directly identifying information for anonymous visitors. Only stored after you accept analytics.	Persistent (removed immediately if you withdraw consent)	PostHog library (only initialized after you accept analytics)

If you decline analytics, only cookie_consent_v2 is stored in localStorage. The ph_* key is never created.

4. Analytics tools we use

PostHog Analytics

We use PostHog (PostHog, Inc., EU Cloud) for product and web analytics. PostHog:

Stores a random visitor ID in your browser's localStorage (the ph_{key}_posthog entry above). It does not set HTTP cookies.
Does not collect or store IP addresses in identifiable form.
Records: page URL, referrer domain, country (country-level only), browser family, device type, and in-app feature usage events.
For logged-in users, events are linked to your PennaSystems account ID so we can understand how features are used.
All data is stored on EU servers (AWS eu-central-1, Frankfurt). No data leaves the EU.
No advertising profiles are created. No data is sold or shared with third parties for advertising.

PostHog is only initialized after you grant analytics consent. You can clear the PostHog visitor ID at any time by withdrawing consent below or by clearing localStorage for our domains in your browser's developer tools (Application → Local Storage → delete the ph_* key). PostHog privacy policy →

Cloudflare Web Analytics

We use Cloudflare Web Analytics as a secondary analytics layer. It:

Sets no cookies and creates no client-side identifiers — it does not fingerprint browsers.
Records aggregate metrics only: page loads, performance timings, error rates.
Because it creates no persistent client-side identifier, it is loaded without requiring consent under the ePrivacy strictly-necessary exemption.
Data is processed by Cloudflare (USA) under Standard Contractual Clauses.

Cloudflare privacy policy →

5. Cookies set by subprocessors during checkout

When you initiate a paid subscription, Stripe's checkout page may set Stripe-specific cookies on its own domain. These are governed by Stripe's cookie policy, not ours. We have no control over them once you are on Stripe's checkout page.

6. Third-party cookies

We do not embed third-party advertising scripts, social media widgets, or tracking pixels. Third-party HTTP cookies are therefore not set by any content originating on our pages.

If you follow a link from our site to a third party (e.g. Stripe's payment page), that third party may set its own cookies governed by its own cookie policy.

7. Your consent

The strictly necessary items listed in Sections 2 and 3 (access_token, ps_session, penna-locale, cookie_consent_v2) do not require your consent under GDPR Art. 6(1)(b) (performance of a contract) and the ePrivacy Directive exemption for technically necessary cookies.

Cloudflare Web Analytics sets no cookies and creates no client-side identifiers; it operates without consent under the ePrivacy strictly-necessary exemption.

PostHog stores a random visitor ID in localStorage. PostHog is only initialized after you click Accept on the cookie banner. You may withdraw consent at any time:

8. How to control or delete cookies

You can control and delete cookies at any time through your browser settings:

Chrome: Settings → Privacy and security → Cookies and other site data
Firefox: Settings → Privacy & Security → Cookies and Site Data
Safari: Preferences → Privacy → Manage Website Data
Edge: Settings → Cookies and site permissions → Cookies and site data

Impact of deleting specific items:

Deleting access_token will log you out of PennaSystems.
Deleting ps_session will hide the "Open dashboard" shortcut on pennasystems.com until your next login.
Deleting penna-locale will reset your language to your browser's default on next visit.
Deleting cookie_consent_v2 from localStorage will cause the consent banner to reappear on your next visit.
Deleting ph_* keys from localStorage removes your PostHog visitor ID.

9. Do Not Track

Because we do not engage in cross-site tracking regardless of the DNT setting, we do not alter our behaviour in response to Do Not Track signals — our practices already align with what DNT requests.

10. Changes to this policy

If we add new cookies or materially change how we use existing ones, we will update this policy and display a notice on the site at least 14 days before the change takes effect. Registered users will also be notified by email if the change affects the authenticated application.

11. Contact

Questions about our use of cookies or this policy:
Johanna Aliséa Valérianne Rævdal Walther (PennaSystems)
privacy@pennapay.com
We respond within 5 business days.

You may also contact Datatilsynet (the Danish Data Protection Agency) at [email protected] if you wish to lodge a complaint about how we use cookies or process personal data, or you may contact the supervisory authority in your EU/EEA country of residence.