Cookies Policy

Last updated: 6 May 2026

This page lists every cookie and browser-storage entry that ExaRoutes sets, why we set it, and how long it lasts. Read it together with the Privacy Policy for the bigger picture on what personal information we handle.

We split entries into three groups: strictly necessary (authentication and security; set without consent because the service cannot run without them), analytics (loaded only after you accept the cookie banner), and functional (browser-storage entries that are not technically cookies).

Strictly necessary

These cookies are required for sign-in and security. They are HTTP-only (not accessible from JavaScript), Secure (only sent over HTTPS), and have a SameSite policy that stops the browser from sending them with cross-site state-changing requests.

  • er-jwt: short-lived access token. Lifetime 30 minutes. SameSite=Lax. Cleared on sign-out.
  • er-rt: refresh token used to extend your session. If you tick "Remember me" at sign-in, lifetime is 30 days; if you do not, the cookie is session-only and clears when you close your browser (server-side validity is capped at 8 hours in that case). SameSite=Lax. Cleared on sign-out.
  • eradmjwt: access token for the admin panel (only set if you are an ExaRoutes admin and only on the admin subdomain). Lifetime 30 minutes. SameSite=Strict. Cleared on sign-out.
  • er-mfa-challenge: short-lived proof that you cleared the password step during a multi-factor sign-in. Lifetime 5 minutes. SameSite=Lax. Cleared once MFA is verified or expires.
  • __cf_bm (set by Cloudflare): bot-management cookie. Lifetime 30 minutes. Used to distinguish humans from bots and protect the site from automated abuse. Required for the service to remain available.

Analytics (consent-gated)

These are loaded only if you accept the cookie banner. If you decline or dismiss the banner, none of these scripts are loaded and none of these cookies are set. You can change your choice at any time by clearing the er-cookie-consent entry from your browser's site settings; the banner will reappear on your next visit.

  • ph_* (set by PostHog): product analytics cookies that let us see which marketing pages people visit and which features new users try. Anonymous unless you sign in. Lifetime per PostHog's defaults (typically up to one year for the identifier cookie). More detail at posthog.com/privacy.

We additionally use Cloudflare Web Analytics, which is a cookie-less, fingerprint-less analytics product. It sets no cookies and loads regardless of consent because there is nothing to consent to.

Functional (similar technologies, not cookies)

These are entries we keep in your browser's localStorage or sessionStorage rather than as HTTP cookies. They never travel to our servers automatically.

  • er-cookie-consent (localStorage): records your choice on the cookie banner so we do not show it on every visit. Persists until you clear browser data.
  • er.intendedPlan (sessionStorage): remembers the plan you clicked on the pricing page so the dashboard pre-selects it after sign-up. Cleared automatically when consumed or when you close the tab.

When you scan a QR code we host

The redirect endpoint that turns a scan into the destination URL does not set any cookies on your device. Scan analytics (approximate location, device type, time) are recorded server-side and attributed to the QR code, not to you.

If the QR code's owner has connected Google Analytics 4 or a Meta (Facebook) pixel to that QR code, we forward a scan event to those services on the owner's behalf. Those services may set their own cookies on the destination page they redirect you to. The owner is responsible for any consent banners required by law on that destination page. See section 2.5 of the Privacy Policy for what is forwarded and why.

Managing cookies in your browser

You can clear cookies and site storage from your browser's site-settings UI at any time. Doing so will sign you out of ExaRoutes and reset your cookie consent choice. Most browsers also allow you to block third-party cookies entirely; this should not affect ExaRoutes since we do not rely on third-party cookies for core functionality.

Changes

When we add or remove a cookie or similar technology, we update this page and the "Last updated" date above. For material changes we will tell you in advance (typically by an in-app banner or email).

Contact

Questions about this page go to privacy@exaroutes.com.