Cookie Policy

1. About this Policy

A “cookie” is a small text file that a website asks your browser to store, and which the browser sends back on later visits so the website can recognise the same device or session. Cookies can be set by the website you are visiting (first-party) or by other domains embedded into the page (third-party).

This Cookie Policy describes how the TAG Vault platform at vault.brikbond.com uses cookies and similar browser-storage mechanisms when you create an account, sign in, or sign documents. It supplements our Privacy Policy and forms part of our Terms of Service.

This Policy is published in English. If a translation is provided in any of the 22 languages of the Eighth Schedule of the Constitution of India, the English text prevails in case of inconsistency.

2. Our cookie philosophy

We use the minimum cookies necessary to deliver an authenticated, secure signing service — and nothing more.

We do not set or permit third-party tracking cookies on TAG Vault pages. We do not use analytics cookies (no Google Analytics, no Mixpanel, no Hotjar, no session-replay). We do not use advertising cookies, retargeting pixels, social-media trackers, or behavioural-profiling cookies. We do not use a Content Delivery Network that drops cookies on our pages. We do not sell, share, or rent any cookie-derived signal to third parties.

This commitment matters because the only data we read back from your browser through cookies is the data we strictly need to keep you safely signed in.

3. The cookies we use

The complete list of cookies set by TAG Vault is in the table below. There are no other cookies.

A few notes on what the security flags above mean in practice:

• HttpOnly — JavaScript running on the page cannot read the cookie. This blocks the most common form of session theft via cross-site scripting.
• Secure — the browser only sends the cookie over HTTPS. It is never transmitted over plain HTTP.
• SameSite=Strict — the browser only sends the cookie when you are actively on vault.brikbond.com. It is not attached to requests originating from any other site, which prevents cross-site request forgery.
• Rotated on each use — every time the cookie is exchanged for a new access token, a fresh refresh token is issued and the old one is invalidated. Token-reuse detection forces sign-out across all sessions if a stolen cookie is replayed.

The opaque value stored in the cookie is a SHA-256 hash on our servers — we do not store the raw token at rest.

4. Why we don’t show a cookie consent banner

Under §7(a) of the Digital Personal Data Protection Act, 2023 (“DPDP Act”), we may process personal data that you “voluntarily provided” for a specified purpose without a separate §6 consent transaction. The tag_vault_refresh cookie is set only after you have signed in by entering your credentials, and it exists for the single purpose of maintaining that authenticated session. It is strictly necessary to deliver the service you have asked for.

Because we do not run analytics, advertising, or any other non-essential cookies that would require §6 opt-in, there is nothing for a cookie banner to ask you about. If we ever introduce a non-strictly-necessary cookie in the future, we will roll out a clear, granular opt-in interface before that cookie is set on any user’s browser — see Section 8 below.

5. Local storage and session storage

TAG Vault uses your browser’s localStorage and sessionStorage very sparingly:

• sessionStorage — a short-lived access token (15-minute lifetime) is held in memory and, in some flows, mirrored to sessionStorage so a tab refresh does not interrupt an active signing ceremony. This data is cleared when you close the tab.
• localStorage — used only for non-personal user-interface preferences (for example, sidebar collapsed state, last-used document filter). We do not persist your name, email, phone, document content, signatures, payment data, or any audit information in localStorage.

No tracking identifiers, advertising IDs, fingerprinting hashes, or behavioural profiles are written to either storage.

6. Browser controls

You can disable, delete, or restrict cookies at any time through your browser settings:

• Google Chrome: Settings → Privacy and security → Third-party cookies / Site settings → Cookies and site data.
• Apple Safari: Settings → Privacy → Manage Website Data; or Preferences → Privacy on macOS.
• Mozilla Firefox: Settings → Privacy & Security → Cookies and Site Data.

If you block or delete tag_vault_refresh, TAG Vault will continue to function but you will be signed out and required to enter your password (and OTP) on every page load. The choice is yours — we recognise the right to use the service in a more privacy-restrictive mode, even if it is less convenient.

7. Third-party services and linked pages

Some platform features rely on services operated by third parties. None of them set cookies on TAG Vault pages:

• Meta WhatsApp Business Cloud API — used to deliver transactional WhatsApp notifications (OTPs, signature requests, completion confirmations). This is a server-to-server integration; Meta does not load any script or pixel into your browser when you use TAG Vault, so it sets no cookies on vault.brikbond.com.
• Amazon Web Services (Simple Email Service) — used to deliver transactional email. SES is also server-to-server and sets no cookies on our site.
• No Content Delivery Network, no embedded fonts from a tracking provider, no analytics SDK, no advertising tag. Static assets are served from the same origin as the application.

If you click an external link from TAG Vault (for example, to a State e-stamping portal or a Sub-Registrar website), the destination site is governed by its own cookie policy, not ours.

8. Future changes

We currently use only the one cookie listed in Section 3, and we have no plan to add more. If that ever changes — for example, if we introduce a privacy-preserving analytics cookie to understand which features are most used — we commit to:

1. Update this Policy and publish a notice on the platform at least 30 days in advance.
2. Obtain explicit, granular §6 DPDP Act consent through a clear cookie-preference interface before any non-strictly-necessary cookie is set on your browser.
3. Allow you to withdraw that consent at any time, as easily as it was given, with no degradation of the core signing service.

We will not deploy any new cookie under a “continued use means acceptance” theory. Material changes require actual consent.

9. How to contact us

For any question about this Cookie Policy, or to raise a concern about cookies, browser storage, or related privacy matters:

• Privacy queries: privacy@brikbond.com
• Grievance Officer (DPDP §13): grievance@brikbond.com — see the Privacy Policy for the full Grievance Officer block.

For the broader picture of what data we hold and why, please read our Privacy Policy and our Data Retention Policy.