Cookie Policy

Last updated: April 24, 2026

This Cookie Policy explains how Bohdan Matviichuk ("PlanVault", "we", "us", or "our") uses cookies and similar client-side storage technologies (including Web Storage: localStorage and sessionStorage) to recognize you when you visit our website at https://planvault.ai ("Website"). It explains what these technologies are and why we use them, as well as your rights to control our use of them.

We do not serve advertisements, engage in targeted advertising, or permit third parties to use tracking technologies on our Website for advertising purposes. Cookies, Local Storage, and similar technologies are used solely for authentication, security, and essential site functionality.

"Cookie" and "Local Storage" in the tables below refer to two different browser technologies with different expiration semantics. HTTP cookies are managed by the browser using the standard `Expires`/`Max-Age` and `Session` attributes and are automatically removed by the browser when those expire. Local Storage (part of the Web Storage standard) has no browser-native expiration attribute — entries persist until they are removed programmatically by the application or manually by the user (for example via the browser's site-data controls, or via the "Sign out everywhere" / storage-reset controls in our admin console). For Local Storage entries, the "Lifetime" column therefore describes the actual application-level behavior (when PlanVault itself removes the value), not a browser attribute.

The inventory of cookies and Local Storage entries in the tables below was last verified against our production deployment on 23 April 2026. The "Last updated" date above reflects when this policy text was last revised.

Essential Cookies and Local Storage Entries

These entries are strictly necessary to provide you with services available through our Website and to use some of its features, such as access to secure areas.

| Name | Provider | Storage type | Lifetime | Purpose |
|---|---|---|---|---|
| planvault_kc_theme | planvault.ai | Cookie | 400 days (Max-Age attribute) | Stores the user's light/dark theme preference so the Keycloak login page matches the main application theme. |
| AUTH_SESSION_ID | planvault.ai | Cookie | Session (Session attribute — removed when the browser session ends) | Identifies the current authentication session in Keycloak. Required for login and session management. |
| KC_RESTART | planvault.ai | Cookie | Session (Session attribute) | Keycloak restart cookie used to resume an interrupted authentication flow (e.g. after selecting Google OAuth). |
| KEYCLOAK_IDENTITY | planvault.ai | Cookie | Session (Session attribute) | Stores the authenticated user's identity token. Required to maintain the logged-in state. |
| KEYCLOAK_SESSION | planvault.ai | Cookie | Session (Session attribute) | Maintains the active Keycloak session. Required for authentication and single sign-on. |
| kc-callback-* | planvault.ai | Local Storage | Until the OAuth flow completes — removed programmatically by the Keycloak adapter after successful authentication or cancellation | Temporary OAuth redirect state stored by the Keycloak JavaScript adapter during the login flow. Local Storage has no browser-native Expires attribute. |

Performance and Functionality

These entries are used to enhance the performance and functionality of our Website but are non-essential to its use.

| Name | Provider | Storage type | Lifetime | Purpose |
|---|---|---|---|---|
| planvault_ui_prefs | planvault.ai | Local Storage | Until the user clears storage (via the browser's site-data controls or by resetting UI preferences in the application) | Stores UI preferences: locale, theme mode, content width, table density, sidebar state, recently visited projects, and pinned navigation items. Local Storage has no browser-native Expires attribute. |
| pv-runtime-privacy-note-dismissed | planvault.ai | Local Storage | Until the user clears site data in the browser | A boolean flag indicating that the user has dismissed the in-app Runtime privacy notice banner. Contains no identifiers or chat content. Local Storage has no browser-native Expires attribute. |

How we store API keys and other secrets (no secrets in cookies or Local Storage)

PlanVault intentionally does NOT store any secrets or authentication tokens in browser cookies or Local Storage. The entries listed in the tables above are either server-set Keycloak session cookies (issued by the authentication server as part of the standard OpenID Connect flow) or non-secret UI/UX preferences in Local Storage.

Runtime project API keys (e.g. sk_live_…). When you create or rotate a project API key in the Admin Console, the full plaintext is returned once in the create/rotate response. If you opt to use the key from the built-in Runtime console, the application persists the key on the server side under your personal UI preferences (column `runtime_project_api_keys` in the `user_ui_preferences` table, access-gated by the same user's JWT). The value is never written to `document.cookie` or to `localStorage`/`sessionStorage` — the console fetches it on demand from the server via `GET /admin/v1/me/ui-preferences` and keeps it in React in-memory state only while actively used. In the underlying API-keys table the database stores only a hash and a short preview (`sk_live_…abcd`); the full plaintext is never kept at rest after issuance.

Keycloak access/refresh tokens. During a web-console session, Keycloak JWTs are handled by the `keycloak-js` adapter in memory with automatic silent refresh. No adapter configuration used by PlanVault writes plaintext tokens to `localStorage`/`sessionStorage`, and legacy keys (`planvault_auth_token`, `planvault_admin_token`) are actively removed from Local Storage on every page load during AppState bootstrap.

AI-provider API keys (BYOK). Customer-supplied credentials for AI providers (OpenAI, Anthropic, etc.) are stored exclusively server-side in encrypted form and never reach the browser — see the "BYOK" sections in the Privacy Policy (Section 11) and on the Security page.

The practical effect of this design is that an XSS attack against the console cannot exfiltrate secrets by reading Local Storage or cookies because there are none to read. This does not eliminate XSS as a class of vulnerability — any successful XSS in the context of an authenticated user could issue API calls on their behalf — but it removes the "passive client-side-storage exfiltration" class of findings that commonly appears in third-party security audits. The XSS mitigations we rely on (CSP, content sanitization, SameSite attributes on the Keycloak session cookies) are documented on the Security page.
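The "no secrets in Web Storage" claim above is something an auditor can check rather than take on trust. The following is an added example, not PlanVault's own code: it walks a Web Storage object, compares every key against the Local Storage inventory declared in the tables above and the two legacy keys named in the previous section, and flags values that look like a JWT or a `sk_live_` project key (the value heuristics and the in-memory `MemoryStorage` stand-in are assumptions for running outside a browser; in a browser you would pass `window.localStorage`).

```javascript
// Added example (not PlanVault's code). Key names come from the policy tables;
// the secret-shape heuristics are our own assumptions.
const ALLOWED_KEYS = [/^planvault_ui_prefs$/, /^pv-runtime-privacy-note-dismissed$/, /^kc-callback-/];
const LEGACY_KEYS = ["planvault_auth_token", "planvault_admin_token"];
const SECRET_PATTERNS = [
  { name: "jwt", re: /^eyJ[\w-]+\.[\w-]+\.[\w-]+$/ },          // three base64url segments
  { name: "project-api-key", re: /sk_live_[A-Za-z0-9]+/ },    // prefix quoted in the policy
];

// Returns one finding per problem: undeclared key, legacy key still present,
// or a value that looks like a credential regardless of key name.
function auditStorage(storage) {
  const findings = [];
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    const value = storage.getItem(key) || "";
    if (LEGACY_KEYS.includes(key)) findings.push({ key, kind: "legacy-key-present" });
    else if (!ALLOWED_KEYS.some((re) => re.test(key))) findings.push({ key, kind: "undeclared-key" });
    for (const { name, re } of SECRET_PATTERNS) {
      if (re.test(value)) findings.push({ key, kind: `secret-like-value:${name}` });
    }
  }
  return findings;
}

// Mirrors the bootstrap behaviour described above: drop legacy token keys.
function purgeLegacyKeys(storage) {
  let removed = 0;
  for (const key of LEGACY_KEYS) {
    if (storage.getItem(key) !== null) { storage.removeItem(key); removed++; }
  }
  return removed;
}

// Minimal stand-in for window.localStorage (same read/write surface) so this runs under Node.
class MemoryStorage {
  constructor(entries = {}) { this.map = new Map(Object.entries(entries)); }
  get length() { return this.map.size; }
  key(i) { const k = [...this.map.keys()][i]; return k === undefined ? null : k; }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
  removeItem(k) { this.map.delete(k); }
}

// Constructed sample: two declared entries, one stale legacy token, one stray key holding a project key.
function sampleStorage() {
  return new MemoryStorage({
    "planvault_ui_prefs": '{"theme":"dark","locale":"en"}',
    "kc-callback-3f9a": '{"state":"abc","nonce":"def"}',
    "planvault_auth_token": "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiIxMjMifQ.c2lnbmF0dXJl",
    "debug_key": "sk_live_EXAMPLE0123456789",
  });
}
```

Running `auditStorage(sampleStorage())` yields four findings (legacy key, JWT-shaped value, undeclared key, key-shaped value); after `purgeLegacyKeys` only the stray `debug_key` findings remain.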

What are cookies and Local Storage?

Cookies are small data files that are placed on your computer or mobile device when you visit a website. Cookies set by the website owner (in this case, Bohdan Matviichuk) are called "first-party cookies." Cookies set by parties other than the website owner are called "third-party cookies." Cookie lifetime is controlled by the browser using the `Expires`, `Max-Age`, and `Session` attributes.

Local Storage (part of the Web Storage API standard) is a separate client-side storage mechanism scoped to a domain which, unlike cookies, is not automatically sent in HTTP requests. Local Storage has no browser-native expiration attribute (`Expires`, `Max-Age`, or `Session`): values persist until they are removed programmatically by the application or manually by the user. For Local Storage entries, the "Lifetime" column in the tables above therefore describes the actual application-level behavior, not a browser attribute.

How can I control cookies?

You have the right to decide whether to accept or reject cookies. You may set or amend your web browser controls to accept or refuse cookies. If you choose to reject cookies, you may still use our Website though your access to some functionality and areas of our Website may be restricted.

How often will you update this Cookie Policy?

We may update this Cookie Policy from time to time in order to reflect, for example, changes to the cookies we use or for other operational, legal, or regulatory reasons. Please revisit this Cookie Policy regularly to stay informed. The date at the top of this Cookie Policy indicates when it was last updated.

If you have any questions about our use of cookies or other technologies, please contact us at [email protected].