Cookie Policy

Osos AI GmbH Status: February 20, 2026

Document Class: Compliance / Safety Management System (SMS)

1. Introduction

This Cookie Policy explains which cookies and comparable client-side storage technologies (localStorage, sessionStorage) are used by the web application of Osos AI GmbH (hereinafter "we", "us", or "Osos AI"). This policy is part of our Safety Management System (SMS) and serves to fulfill transparency obligations in accordance with:

General Data Protection Regulation (GDPR) – in particular Art. 5 (1) lit. a (transparency), Art. 13/14 (information obligations)
ePrivacy Directive 2002/58/EC (Art. 5 (3)), as implemented into the national laws of EU member states
German Telecommunications-Digital Services Data Protection Act (TDDDG) – § 25 (1) and (2)

Use of our application is permitted exclusively to users within the European Union. This policy therefore applies without exception within the scope of the GDPR and the ePrivacy Directive.

2. What are Cookies and Comparable Technologies?

Cookies are small text files stored by a web server in the user's browser. They allow the browser to be recognized during subsequent requests.

localStorage is a client-side key-value store in the browser that holds data persistently (even after the browser is closed) until it is explicitly deleted.

sessionStorage functions like localStorage, but the data is automatically deleted when the browser tab is closed. Our application currently does not use sessionStorage.

3. Legal Basis

According to § 25 (2) TDDDG (implementation of Art. 5 (3) ePrivacy Directive), the storage of information on the user's terminal equipment is permitted without consent if it is strictly necessary so that the provider can provide a service expressly requested by the user.

All cookies and localStorage entries used in this application are strictly technically necessary. No marketing, analysis, or tracking cookies are used. Therefore, a consent banner is not required under current law. We nevertheless provide full transparency through this policy.

4. Overview of Used Storage Technologies

We limit the use of storage technologies to the strictly necessary technical minimum. In accordance with Art. 5 (3) ePrivacy Directive, prior consent is not required.

4.1 Authentication and Session Management (Cookies)

Purpose: These cookies are strictly necessary to identify you during a session, grant access to protected areas (demo/login), and ensure the security of data transmission.
Provider: Osos AI GmbH / Supabase (Processor).
Storage Duration: For the duration of the session (maximum 1 hour for demo use) or until logout.

4.2 User Interface and Performance (localStorage)

Purpose: To optimize the user experience, UI states (e.g., window configurations) and fragments of chat messages are cached locally. This enables faster loading times when switching pages. This data remains exclusively in your browser and is not transmitted to our servers.
Provider: Osos AI GmbH.
Storage Duration: Persistent until manual deletion by the user or automated cleanup upon logout.

Our application currently does not use sessionStorage.

5.1 Supabase (Authentication)

Supabase is used as a processor in accordance with Art. 28 GDPR. The `@supabase/ssr` library manages authentication cookies (`sb--auth-token`) server-side via Next.js middleware. Session persistence is handled exclusively via HTTP cookies; no additional storage in localStorage is performed by Supabase.

5.2 OpenAI (AI Processing)

All requests to the OpenAI API are handled exclusively server-side via Server Actions. No client-side scripts from OpenAI are loaded. Therefore, OpenAI does not set cookies in the user's browser.

5.3 Other Third Parties

The application does not integrate any other third-party scripts that independently set cookies or tracking mechanisms on the user's terminal equipment. In particular, we do not use:

Google Analytics or comparable analysis tools
Advertising tracking pixels (Facebook, Google Ads, etc.)
Error-tracking services (Sentry, Datadog, etc.) with client-side SDKs
Social media plugins with independent cookie behavior

6. Data Processing and Storage Locations

All data collected via cookies and localStorage is processed exclusively within the scope of the purposes described in Section 4:

Cookies are transmitted by the user's browser with every HTTP request to our server and evaluated there for authentication or session validation.
localStorage data remains exclusively in the user's browser and is not transmitted to our servers. It serves as a local cache to improve the user experience.

Server-side processing takes place on servers within the European Union or the European Economic Area.

7. Management and Deletion

7.1 Browser Settings

You can manage, block, or delete cookies at any time via your browser settings. Please note that blocking strictly necessary cookies may result in the application no longer functioning correctly.

7.2 Deleting localStorage

localStorage data can be removed via your browser's developer tools (F12 → Application → Local Storage) or by using the "Clear browser data" function.

7.3 Automatic Cleanup

The application automatically clears all `omega_`-prefixed localStorage entries when switching the demo session or logging out. Expired demo users and their data are deleted server-side after the 1-hour demo session expires.

Since the Osos AI demo application:

1. Uses only strictly necessary cookies and localStorage entries,

2. Sets no marketing, advertising, or analysis cookies,

3. Creates no user profiles for advertising purposes,

4. Integrates no third-party tracking scripts,

no prior consent (cookie banner / consent management platform) is required in accordance with Art. 5 (3) ePrivacy Directive. This Cookie Policy serves exclusively to fulfill our transparency obligations under Art. 13 GDPR.

9. Contact

If you have any questions regarding this Cookie Policy or data processing by Osos AI, please contact:

Osos AI GmbH Email: info@ososomega.com