Cookie Policy

Effective date: 2026-05-01
Last updated: 2026-05-01
Version 1.1.0

1. About this policy

Day One Education Pty Ltd (ABN 52 696 719 561) ("we", "us", "our") operates the DOE GAMSAT preparation platform. This Cookie Policy explains what cookies and similar technologies we use on our website and web application ("the Service"), why we use them, and how you can control them.

This policy applies to all users of the Service, regardless of where you are located. We have registered users primarily in Australia, the United Kingdom, and Ireland, and we acknowledge the requirements of Australia's Privacy Act 1988 (Cth), the EU General Data Protection Regulation ("GDPR"), UK GDPR, and the UK Privacy and Electronic Communications Regulations 2003 ("PECR").

This Cookie Policy sits alongside our Privacy Policy and Terms of Service. For questions about our general data practices, please read the Privacy Policy. For cookie-specific questions, contact us at legal@dayoneed.com.


2. What cookies and similar technologies are

Cookies are small text files placed on your device by a website when you visit it. They are sent back to the originating website on each subsequent visit, or to another website that recognises them. Cookies serve many purposes: remembering your login state, keeping the site secure, counting visits, and improving performance.

localStorage and sessionStorage are browser-based key-value stores that websites can read and write. Unlike cookies, they are never automatically sent to the server with network requests — they exist only inside your browser.

First-party cookies are set by the website you are directly visiting (in our case, dayoneed.com and subdomains). Third-party cookies are set by other domains whose code is embedded in a page — for example, a payment provider's script.


3. How we use cookies

We group our cookie use into three purposes. We do not use cookies or tracking technologies for advertising or marketing.

3.1 Strictly necessary — authentication and session security

These cookies are essential for the Service to function. Without them you cannot log in or use any protected part of the platform. Under Art 5(3) of the ePrivacy Directive (and its UK equivalent under PECR), strictly necessary cookies are exempt from consent requirements. We set them only for the duration they are needed to deliver the service you have requested.

The DOE platform uses a custom session layer built on top of Supabase authentication. When you sign in via a magic link, three httpOnly, Secure, SameSite=Lax cookies are written server-side by our Next.js backend:

  • doe-access-token — your short-lived Supabase access token (JWT). Expires when the session expires (typically 1 hour).
  • doe-refresh-token — a long-lived token used to obtain fresh access tokens without requiring you to sign in again. Expires after 30 days of inactivity.
  • doe-access-token-expires-at — a numeric timestamp indicating when the access token expires, used by the server-side proxy to know when to refresh. Expires after 30 days alongside the refresh token.

These cookies are httpOnly (inaccessible to JavaScript), Secure (HTTPS only in production), and confined to the / path on the same origin. They are deleted when you sign out.

3.2 Functional — user preferences

Functional cookies and local-storage items remember your preferences so the platform feels consistent between visits.

  • theme (localStorage) — stores your selected interface theme (light, dark, or system). Persists until you clear your browser storage or change the setting. This item is written client-side and is never sent to our servers.

Functional items improve your experience but do not affect security or access. If you clear your browser's localStorage this preference will reset to the platform default (dark mode).

3.3 Analytics — measuring how the platform is used

We use Google Analytics 4 ("GA4") to understand how users navigate the Service, which sections are most used, and where users encounter errors. GA4 is loaded only if the NEXT_PUBLIC_GA_MEASUREMENT_ID environment variable is configured in our deployed application. When it is active, the following cookies are set by Google's analytics script:

  • _ga — distinguishes unique visitors. Expires after 2 years.
  • _ga_<measurement-id> — maintains session state for GA4. Expires after 2 years.

GA4 may also collect device and browser characteristics (such as screen resolution, browser version, and operating system) as part of its standard event data. We do not use this data to build individual fingerprints; we use it only in aggregate to understand general user demographics and browser support requirements.

Analytics cookies are not strictly necessary. We ask for your consent via the cookie consent banner before loading GA4. If you decline or withdraw consent, the GA4 script is not loaded and none of these cookies are set.

Under GDPR and PECR, Google acts as a data processor on our behalf for analytics data. You can read Google's privacy practices at policies.google.com/privacy.

3.4 Advertising and marketing — not used

We do not use any advertising, marketing, retargeting, or cross-site tracking cookies. We do not embed Facebook pixels, LinkedIn Insight Tags, Hotjar, TikTok pixels, Intercom, Mixpanel, or any similar third-party marketing scripts.


4. Third-party cookies

Third-party technologies embedded in the Service may set their own cookies. Below is our honest inventory of those actually deployed:

Google Analytics 4

When analytics are active and you have given consent, Google sets _ga and _ga_<measurement-id> cookies (described in §3.3). These cookies originate from google-analytics.com. For details see policies.google.com/technologies/cookies.

Payment processing (via RevenueCat → Paddle checkout)

When you interact with the billing or pricing section of the Service, our merchant of record (Paddle, via RevenueCat) may set fraud-prevention cookies during the checkout flow. These cookies are set by Paddle's JavaScript on the pay.rev.cat domain and assist Paddle's fraud-detection systems. They are subject to Paddle's Privacy Policy. Paddle acts as an independent controller for the data it collects through these cookies.

Note: these cookies are only set when you visit a billing page or initiate a checkout. They are not set on general platform pages.

RevenueCat

RevenueCat's web SDK (@revenuecat/purchases-js) does not set browser cookies. It uses your browser's localStorage to cache offering and customer information locally so the paywall loads faster on repeat visits. The key names used are under the rc_ prefix and contain no personal information beyond your pseudonymous RevenueCat app user ID (which is your DOE user UUID).


5. Fingerprinting

Day One Education does not intentionally fingerprint users. We do not collect or combine device characteristics (such as screen resolution, installed fonts, hardware concurrency, or canvas rendering) to build a persistent identifier that tracks you without cookies.

Google Analytics 4 incidentally receives some device and browser attributes as part of its standard hit data (see §3.3). We do not use this data for fingerprinting; we use it in aggregate to understand the technical environments our users access the Service from. Paddle also performs limited device characterisation through its fraud-detection scripts; this is processed by Paddle under their own privacy policy and terms.


6. How to manage your cookies

Cookie consent banner

Before we load any non-essential cookies (currently GA4 analytics), we will present you with a cookie consent banner. The banner gives you the ability to:

  • Accept all — enables analytics cookies in addition to strictly necessary ones.
  • Reject non-essential — blocks analytics cookies; only strictly necessary session cookies are set.
  • Customise — choose which categories of cookie to accept or reject individually.

You can change your consent choice at any time by returning to the cookie settings panel (accessible from the footer). Your preference is recorded so you are not asked again on every visit.

Note: We are committed to presenting a cookie consent banner before the Service is made available to the public. If you are accessing a pre-launch version of the platform and do not see a banner, please contact us at legal@dayoneed.com and we will provide you with a way to record your preference manually.

Global Privacy Control (GPC)

We honour the Global Privacy Control signal. If your browser sends a Sec-GPC: 1 header, we treat it as a "reject non-essential cookies" instruction and will not load analytics scripts for your session, even if a prior consent record exists. GPC is a recognised opt-out mechanism under several privacy regimes, and we respect it accordingly.
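The decision rule described above, written out as an added example (not code from the DOE platform): the stored consent record is consulted only when no Sec-GPC: 1 header is present, so the GPC signal overrides an earlier "accept". The consent cookie name and its JSON shape are assumptions.

```javascript
// Added example, not the platform's own code. The consent cookie name and
// the {"analytics": true|false} record format are assumptions.
const CONSENT_COOKIE = "doe-cookie-consent";

// Percent-decoding that tolerates malformed input instead of throwing.
function safeDecode(value) {
  try { return decodeURIComponent(value); } catch { return value; }
}

// Parse a raw Cookie request header ("a=1; b=2") into a name -> value map.
function parseCookieHeader(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = safeDecode(part.slice(idx + 1).trim());
  }
  return out;
}

// True when the browser sent Sec-GPC: 1. Header names are case-insensitive,
// so accept the lower-cased form Node exposes as well as the canonical one.
function gpcEnabled(headers) {
  const v = headers["sec-gpc"] ?? headers["Sec-GPC"];
  return String(v ?? "").trim() === "1";
}

// Resolve whether the GA4 script may be loaded for one request.
//  - GPC wins: Sec-GPC: 1 is treated as "reject non-essential" even when a
//    prior consent record says "accept".
//  - Otherwise analytics load only on an explicit accept; a missing or
//    malformed record loads nothing non-essential and the banner is shown.
function resolveConsent(headers, cookieHeader) {
  if (gpcEnabled(headers)) {
    return { loadAnalytics: false, showBanner: false, reason: "gpc" };
  }
  const record = parseCookieHeader(cookieHeader)[CONSENT_COOKIE];
  if (record === undefined) {
    return { loadAnalytics: false, showBanner: true, reason: "no-record" };
  }
  let parsed = null;
  try { parsed = JSON.parse(record); } catch { /* fall through */ }
  if (!parsed || typeof parsed.analytics !== "boolean") {
    return { loadAnalytics: false, showBanner: true, reason: "malformed-record" };
  }
  return { loadAnalytics: parsed.analytics, showBanner: false, reason: "record" };
}
```

In a Next.js handler the two arguments would come from the incoming request's headers and its Cookie header; the decision then controls whether the GA4 tag is rendered at all.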

Browser-level controls

All modern browsers allow you to view, block, and delete cookies:

  • Chrome — Settings → Privacy and security → Cookies and other site data
  • Firefox — Settings → Privacy & Security → Cookies and Site Data
  • Safari — Settings → Privacy → Manage Website Data
  • Edge — Settings → Cookies and site permissions

Blocking or deleting strictly necessary cookies will sign you out and may prevent the Service from working correctly. Blocking analytics cookies (or deleting _ga/_ga_<measurement-id>) will not affect your ability to use DOE.

Google Analytics opt-out

You can also install the Google Analytics Opt-out Browser Add-on provided by Google, which prevents GA4 from collecting data across all websites you visit, regardless of individual cookie settings.


7. Cookie inventory table

The table below lists every cookie and browser-storage item we are aware of at the time this policy was published. Items marked "consent required" are only set after you accept the relevant category at the consent banner.

Name | Type | First / Third Party | Purpose | Expiry | Consent required?
--- | --- | --- | --- | --- | ---
doe-access-token | Cookie (httpOnly, Secure) | First party | Authentication — holds your Supabase access token | Session / ~1 hour | No — strictly necessary
doe-refresh-token | Cookie (httpOnly, Secure) | First party | Authentication — used to silently refresh the access token | 30 days | No — strictly necessary
doe-access-token-expires-at | Cookie (httpOnly, Secure) | First party | Authentication — expiry timestamp for the access token | 30 days | No — strictly necessary
theme | localStorage | First party | Remembers your selected UI theme (light/dark/system) | Persistent (until cleared) | No — functional, non-tracking
impersonationToken | sessionStorage | First party | Admin impersonation — holds a temporary token for admin-to-user sessions | Browser tab session | No — strictly necessary for admins only
_ga | Cookie | Third party (Google) | GA4 — distinguishes unique visitors | 2 years | Yes — analytics
_ga_<measurement-id> | Cookie | Third party (Google) | GA4 — maintains session state | 2 years | Yes — analytics
Paddle fraud-prevention cookies | Cookie | Third party (Paddle) | Paddle fraud prevention — set during checkout flow on pay.rev.cat | Session / short-lived | No — strictly necessary when billing is invoked
rc_* (various) | localStorage | First party via RC SDK | RevenueCat — caches offering and customer data locally | Varies | No — functional

8. Changes to this policy

We may update this Cookie Policy from time to time, for example when we add new features, switch technology providers, or when applicable law requires us to disclose additional information. When we make material changes we will update the "last updated" date at the top of this document and, where appropriate, notify you via a banner on the Service or by email.

We encourage you to review this policy periodically. Continued use of the Service after the effective date of a revised policy constitutes acceptance of the updated terms only to the extent permitted by applicable law; for changes that require fresh consent (such as adding new non-essential cookie categories), we will ask for your consent explicitly.


9. Contact

If you have questions about how we use cookies, would like to exercise your rights in relation to data processed through cookies, or believe we are not honouring your consent preference, please contact us:

Day One Education Pty Ltd
Email: legal@dayoneed.com

If you are in the EEA or UK and are not satisfied with our response, you have the right to lodge a complaint with your local supervisory authority:

  • Australia: Office of the Australian Information Commissioner (OAIC) — oaic.gov.au
  • EEA: Your national data protection authority (a full list is available at edpb.europa.eu)
  • UK: Information Commissioner's Office (ICO) — ico.org.uk