onTerms.org

Last updated: 10 June 2026

Cookie Policy

Draft under legal review. This document is a working draft prepared for review by qualified counsel. It is not legal advice and should not be relied on until that review completes.

This policy explains which cookies and similar technologies onTerms uses on onterms.org, why we use them, and how you can control them. onTerms is a business-to-business service: it is operated by Rated Counsel Limited, trading as onTerms (registered in England and Wales, company number 11812572), and is governed by the law of England and Wales. This policy should be read alongside our Privacy Policy, which describes how we process personal data more generally.

The short version: we set a very small number of strictly necessary cookies needed for sign-in and passkey ceremonies, we record your consent choice in your browser’s local storage, and our optional analytics tool sets no cookies at all. We never use advertising or cross-site tracking cookies, and we never will under this policy.

1. What cookies and similar technologies are

Cookies are small text files that a website stores on your device and that your browser sends back on later requests. Related technologies include browser local storage (data a site stores in your browser that is not sent with requests) and cookieless analytics (measurement that relies on no stored identifier at all). The rules that apply to these technologies in the United Kingdom come from the Privacy and Electronic Communications Regulations 2003 (PECR) together with the UK GDPR; in the European Union they come from the ePrivacy Directive together with the EU GDPR. Strictly necessary cookies do not require consent; everything else does, which is why our analytics only runs after you opt in.

2. Cookies and similar technologies we use

The complete list is below. There is nothing else: no advertising pixels, no fingerprinting, no social-media trackers.

| Name | Purpose | Type | Duration |
| --- | --- | --- | --- |
| WorkOS AuthKit session cookie | Keeps you signed in to your onTerms account. Set by our authentication provider, WorkOS, when you sign in. It is httpOnly, meaning scripts on the page cannot read it. | Essential (first party, httpOnly) | For the duration of your sign-in session |
| wa_reg_challenge | Holds the one-time cryptographic challenge during a passkey (WebAuthn) registration ceremony so the server can verify the response. It is httpOnly, Secure and SameSite=Strict, and expires automatically. | Essential (first party, httpOnly) | 5 minutes |
| onterms_consent | Records the choice you made in the cookie banner (or an automatic opt-out applied because your browser sent a Global Privacy Control or Do Not Track signal), so we do not ask you again on every visit. | Consent record (first party, browser local storage; strictly speaking not a cookie) | Until you clear it or change your choice; we treat a recorded choice as valid for no more than 12 months, in line with ICO guidance, before asking again |
| Stripe cookies | Set by stripe.com when you use Stripe Checkout or the Stripe billing portal, for payment processing, security and fraud prevention. These are set on Stripe’s own domain and governed by Stripe’s cookie policy, not this one. | Third party (set by stripe.com) | Set and controlled by Stripe; see the Stripe cookie policy |

A note on onterms_consent: because it lives in local storage rather than being sent over the network, it never leaves your browser. We include it here for transparency because it serves the same function as a consent cookie.

3. Analytics: cookieless, and only if you opt in

We use Vercel Web Analytics to understand aggregate page traffic. Two things matter about it:

  • It is cookieless. It sets no cookies and stores no identifier on your device. It cannot follow you across websites or across days.
  • It is strictly opt-in. The analytics script is not loaded at all unless you choose “Accept” in the cookie banner. If you decline, or never interact with the banner, no analytics code runs.

Vercel acts as one of our service providers; the full list is in the Privacy Policy.

4. Global Privacy Control and Do Not Track

If your browser sends a Global Privacy Control (GPC) signal or has Do Not Track (DNT) enabled, we treat that as a refusal of analytics automatically. We record an opt-out in onterms_consent and do not show you a consent prompt at all: there is nothing for you to click, and no analytics will run. Essential cookies (sign-in and passkey ceremonies) still work, because the service cannot function without them and they require no consent.

5. Third-party cookies

The only third party that may set cookies in connection with onTerms is Stripe, and only when you visit Stripe-hosted pages (Checkout, the billing portal, or Stripe Identity verification where enabled). Those cookies are set on stripe.com under Stripe’s own cookie policy, which you can review at stripe.com/cookies-policy/legal. Pages served from onterms.org do not embed advertising networks, social-media widgets or any other third-party trackers.

6. How to change your choices

You can change your mind at any time:

  • Cookie preferences link. Use the “Cookie preferences” link in the footer of any page to reopen the banner and change your choice. The change takes effect immediately: opting out stops analytics from loading on subsequent page views.
  • Browser controls. You can clear cookies and local storage for onterms.org through your browser settings. Clearing the onterms_consent entry means we will ask you again on your next visit (or apply an automatic opt-out if your browser sends GPC or DNT). Blocking the essential cookies will prevent sign-in and passkey registration from working.
  • GPC and DNT. Enabling either signal in your browser opts you out of analytics on onterms.org automatically, as described in section 4.

7. What we never do

  • No advertising or retargeting cookies, ever.
  • No cross-site tracking or fingerprinting.
  • No sale or sharing of cookie-derived data with data brokers.
  • No loading of non-essential technologies before you have given consent.

8. Changes to this policy

If we add, remove or change a cookie or similar technology, we will update the table above and the date at the top of this page. If a change would introduce a non-essential technology, it will remain opt-in and the banner will ask for fresh consent before anything loads.

9. Contact

Questions about this policy or about how we use cookies can be sent to hello@ratedcounsel.com. For how we handle personal data more broadly, including your rights under the UK GDPR and EU GDPR, see the Privacy Policy.