Cookie Policy

Last Updated: November 2025
Effective Date: November 2025

1. Introduction

This Cookie Policy explains how Optflow AI Limited, trading as Due Agent ("we", "our", or "us"), uses cookies and similar tracking technologies when you visit our website at dueagent.com and use our automated billing notification and payment reminder service.

We are committed to being transparent about how we use cookies and giving you meaningful control over your preferences. This policy should be read alongside our Privacy Policy, which explains how we collect, use, and protect your personal data.

By using our website, you agree to our use of cookies in accordance with this Cookie Policy. If you do not agree to our use of cookies, you should set your browser settings accordingly or not use our website.

2. What Are Cookies?

Cookies are small text files that are placed on your computer, smartphone, or other device when you visit a website. They are widely used to make websites work more efficiently and to provide information to website owners.

Cookies typically contain:

The name of the website that created the cookie
A unique identifier (usually a randomly generated number)
An expiration date that determines how long the cookie stays on your device
Information the website wants to remember (such as your language preference or login status)

Cookies allow websites to recognise your device and remember your actions and preferences over time, making your browsing experience more convenient and personalised.

3. Why We Use Cookies

We use cookies for several important reasons:

Essential Functionality: To enable core website features like secure login, session management, and authentication
Security: To protect your account from unauthorized access, detect and prevent fraud, and maintain the security of our service
Performance: To understand how visitors interact with our website and identify areas for improvement
User Experience: To remember your preferences and settings, making your experience more personalised and efficient
Analytics: To analyse website traffic and usage patterns, helping us improve our service (only with your consent)
Compliance: To record your cookie consent preferences and honour your choices

4. Types of Cookies We Use

We use different types of cookies based on their function and how long they remain on your device. Below is a detailed breakdown of the cookies we use:

4.1 Strictly Necessary Cookies (Always Active)

Legal Basis: GDPR Article 6(1)(f) - Legitimate Interest

These cookies are essential for the website to function and cannot be disabled without severely affecting your ability to use our service. They do not require consent under GDPR as they are strictly necessary for the provision of the service you have requested.

Cookie Name	Purpose	Duration
stack-session	Maintains your authenticated session with Stack Auth. Essential for login and account access.	30 days or until logout
stack-refresh-token	Allows you to stay logged in without re-entering credentials. Improves security by rotating tokens.	90 days
__Secure-next-auth.session-token	Next.js authentication session token for server-side session validation and security.	Session (30 days)
__Host-csrf-token	Protects against Cross-Site Request Forgery (CSRF) attacks. Critical security measure.	Session
_vercel_jwt	Vercel platform token for secure content delivery and edge function authentication.	Session
da-cookie-consent	Stores your cookie consent preferences to remember your choices and avoid showing the banner repeatedly.	1 year

4.2 Performance and Analytics Cookies (Requires Consent)

Legal Basis: GDPR Article 6(1)(a) - Consent

These cookies collect information about how you use our website, such as which pages you visit most often and if you receive error messages. This information helps us improve our service and optimise performance. We only set these cookies with your explicit consent.

Cookie Name	Purpose	Duration
_ga	Google Analytics cookie to distinguish unique users and calculate visitor, session, and campaign data (if analytics is enabled).	2 years
_ga_*	Google Analytics 4 property-specific cookie for measuring interactions and conversions.	2 years
da-vitals	Core Web Vitals measurement for page performance monitoring (LCP, FID, CLS metrics).	90 days

4.3 Functional Cookies (Requires Consent)

Legal Basis: GDPR Article 6(1)(a) - Consent

These cookies allow our website to remember choices you make (such as your language, region, or display preferences) and provide enhanced, more personalised features. We only set these cookies with your consent.

Cookie Name	Purpose	Duration
da-preferences	Stores your display preferences (theme, dashboard layout, notification settings).	1 year
da-language	Remembers your language preference for content display.	1 year

4.4 Marketing and Advertising Cookies (Requires Consent)

Legal Basis: GDPR Article 6(1)(a) - Consent

Note: Due Agent does not currently use marketing or advertising cookies. If we introduce these in the future, we will update this policy and obtain your explicit consent before setting any marketing cookies. This section is included for transparency and future-proofing.

5. First-Party vs Third-Party Cookies

Cookies can be set by the website you visit (first-party cookies) or by other websites that provide services to that site (third-party cookies).

5.1 First-Party Cookies

These are cookies set directly by Due Agent (dueagent.com domain). We have full control over these cookies and they are used exclusively for our service functionality. Examples include:

Authentication and session management cookies (stack-session, stack-refresh-token)
Cookie consent preferences (da-cookie-consent)
User preferences and settings (da-preferences, da-language)

5.2 Third-Party Cookies

These are cookies set by external services we use to provide certain functionality. Third-party cookies we may set include:

Stack Auth (stack.so): For secure authentication and user identity management
Vercel (vercel.com): For hosting platform security and content delivery
Google Analytics (google.com): For website analytics (only if you consent)

All third-party services we use are GDPR-compliant and bound by Data Processing Agreements (DPAs). You can review their privacy policies to understand how they handle cookies and personal data.

International Data Transfers

Some third-party cookies, particularly Google Analytics, may transfer data to servers located outside the United Kingdom and European Economic Area (EEA), including to the United States. Where such transfers occur, they are protected by:

Standard Contractual Clauses (SCCs) approved by the European Commission
UK International Data Transfer Agreement (IDTA) or Addendum
Supplementary technical and organisational measures
EU-US Data Privacy Framework certification (where applicable)

You can prevent international transfers by analytics cookies by rejecting analytics cookies in your consent preferences. For more details, see our Privacy Policy section on international transfers.

6. Session vs Persistent Cookies

6.1 Session Cookies

Session cookies are temporary and are deleted from your device when you close your web browser. They help us recognise you as you navigate between pages on our website and ensure features work correctly during your visit.

Examples of our session cookies:

__Host-csrf-token (CSRF protection)
_vercel_jwt (platform security)

6.2 Persistent Cookies

Persistent cookies remain on your device for a set period (specified in each cookie) or until you manually delete them. They help us remember your preferences and settings across multiple visits, improving your user experience.

Examples of our persistent cookies:

stack-session (30 days or until logout)
stack-refresh-token (90 days)
da-cookie-consent (1 year)
da-preferences (1 year)
_ga and _ga_* (2 years, if consented)

7. How Long We Keep Cookies

The length of time a cookie remains on your device depends on its type and purpose:

Retention Period	Cookie Types	Reason
Session (browser close)	CSRF tokens, temporary session data	Security and privacy
30 days	Authentication session (or until logout)	Convenient login experience
90 days	Refresh tokens, performance metrics	Seamless session renewal, analytics
1 year	Cookie consent, user preferences	Remember your choices and settings
2 years	Analytics cookies (if consented)	Long-term usage trends and improvements

GDPR Compliance Note

Our cookie retention periods comply with GDPR data minimization principles (Article 5(1)(c)). We only keep cookies as long as necessary for their intended purpose and automatically delete them when they expire. You can delete cookies manually at any time through your browser settings.

8. How to Manage and Delete Cookies

You have the right to decide whether to accept or reject cookies. You can exercise your cookie rights by managing your preferences through multiple methods:

8.1 Cookie Consent Banner

When you first visit our website, you will see a cookie consent banner that allows you to accept or reject optional cookies. You can choose to:

Accept all cookies: Allows all cookie types for the best user experience
Reject optional cookies: Only essential cookies will be set
Customise preferences: Choose which cookie categories you want to accept

8.2 Privacy Settings Dashboard

If you have a Due Agent account, you can manage your cookie preferences at any time through your Privacy Settings Dashboard. This allows you to:

View all cookies currently set by Due Agent
Enable or disable specific cookie categories
Clear all optional cookies with one click
Review your consent history and timestamps

8.3 Browser Settings

Most web browsers allow you to control cookies through their settings. You can typically configure your browser to:

Block all cookies (may prevent website functionality)
Block third-party cookies only
Delete cookies after each browsing session
Receive a notification before cookies are set

Browser-specific cookie management guides:

Google Chrome

Settings > Privacy and security > Cookies and other site data

View Chrome cookie guide

Mozilla Firefox

Settings > Privacy & Security > Cookies and Site Data

View Firefox cookie guide

Safari (macOS/iOS)

Preferences > Privacy > Manage Website Data

View Safari cookie guide

Microsoft Edge

Settings > Cookies and site permissions > Manage and delete cookies

View Edge cookie guide

Important Notice

Blocking or deleting cookies may impact your ability to use certain features of our website. Strictly necessary cookies are essential for core functionality, and blocking them may prevent you from logging in or accessing your dashboard. You can always re-enable cookies if you experience issues.

9. Do Not Track (DNT) Signals

Some browsers include a "Do Not Track" (DNT) feature that signals to websites that you do not want your online activity tracked. While there is currently no universal standard for how websites should respond to DNT signals, we respect your privacy preferences.

Our approach to DNT signals:

Strictly necessary cookies: Will still be set as they are essential for service functionality
Analytics cookies: Will be automatically disabled if we detect a DNT signal (equivalent to rejecting analytics consent)
Marketing cookies: Will not be set if a DNT signal is detected (currently we do not use marketing cookies)

You can enable DNT in your browser settings. However, we recommend using our cookie consent banner or Privacy Settings Dashboard for more granular control over your preferences.

10. Your Rights Under GDPR and PECR

Under the General Data Protection Regulation (GDPR) and the Privacy and Electronic Communications Regulations (PECR), you have specific rights regarding cookies and tracking technologies:

Right to Consent

You have the right to give or withhold consent for non-essential cookies. Consent must be freely given, specific, informed, and unambiguous. We provide clear information about each cookie type and allow you to choose which categories you accept.

Right to Withdraw Consent

You can withdraw your cookie consent at any time through your Privacy Settings Dashboard or by clearing cookies in your browser. Withdrawal does not affect the lawfulness of processing based on consent before withdrawal.

Right to Access Information

You have the right to know what cookies are being set, why they are being set, how long they will remain, and what data they collect. This Cookie Policy provides comprehensive information about all cookies we use.

Right to Object

You have the right to object to the use of cookies for analytics, marketing, or other non-essential purposes. You can exercise this right by rejecting optional cookies in your consent preferences.

Right to Lodge a Complaint

If you believe we have not complied with GDPR or PECR requirements regarding cookies, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.

11. Cookies and Personal Data

Some cookies may process personal data as defined by GDPR. Personal data is any information relating to an identified or identifiable natural person. In the context of cookies, this includes:

Authentication cookies: Contain encrypted identifiers linked to your user account
Session cookies: May include IP addresses and session identifiers
Analytics cookies: May collect device identifiers, browsing patterns, and usage data
Preference cookies: Store settings associated with your account

For cookies that process personal data, we apply the same data protection principles as outlined in our Privacy Policy:

Data Minimization: We only collect data that is adequate, relevant, and necessary
Storage Limitation: Cookie data is retained only as long as necessary for its purpose
Security: All cookies containing personal data use secure flags (Secure, HttpOnly, SameSite) and encryption where appropriate
Transparency: We clearly identify which cookies process personal data and for what purpose
Accountability: We maintain records of consent and cookie usage for compliance audits

12. Changes to This Cookie Policy

We may update this Cookie Policy from time to time to reflect changes in our cookie usage, legal requirements, or best practices. When we make material changes, we will:

Update the "Last Updated" date at the top of this page
Notify you via email and/or a prominent notice on our website at least 30 days before changes take effect
Request fresh consent if we introduce new cookie categories or expand data processing purposes
Display the updated cookie banner to allow you to review and update your preferences

We encourage you to review this Cookie Policy periodically to stay informed about how we use cookies. Your continued use of our website after changes become effective constitutes acceptance of the updated policy, unless the changes require fresh consent under GDPR.

13. Contact Us About Cookies

If you have questions about this Cookie Policy, our use of cookies, or wish to exercise your rights, please contact us:

Data Protection Officer: dpo@dueagent.com

Privacy Email: privacy@dueagent.com

Privacy Settings: /dashboard/settings/privacy

Postal Address: Optflow AI Limited, 43 Fairfoot Road, London, England, E3 4EG

We aim to respond to all cookie-related inquiries within 72 hours. For data subject access requests or other GDPR rights, we will respond within 30 days as required by law.

14. Related Policies and Resources

For more information about how we protect your privacy and handle your personal data, please review our related policies:

Privacy Policy

Comprehensive information about how we collect, use, store, and protect your personal data.

View Privacy Policy

Terms of Service

Legal terms governing your use of Due Agent's services.

View Terms of Service

Data Processing Agreement

For customers who act as data controllers when using our service to process client data (available in account settings).

View DPA (Account Required)

Regulatory Compliance

This Cookie Policy complies with:

General Data Protection Regulation (GDPR) - Regulation (EU) 2016/679 and UK GDPR
Privacy and Electronic Communications Regulations (PECR) 2003 (as amended by the 2011 regulations)
ePrivacy Directive 2002/58/EC (Cookie Law)
Information Commissioner's Office (ICO) guidance on cookies and similar technologies

© 2025 Optflow AI Limited, trading as Due Agent. All rights reserved.
Company Number: 14990157 | Registered in England and Wales

Cookie Policy

Last Updated: November 2025
Effective Date: November 2025

1. Introduction

2. What Are Cookies?

Cookies typically contain:

The name of the website that created the cookie
A unique identifier (usually a randomly generated number)
An expiration date that determines how long the cookie stays on your device
Information the website wants to remember (such as your language preference or login status)

Cookies allow websites to recognise your device and remember your actions and preferences over time, making your browsing experience more convenient and personalised.

3. Why We Use Cookies

We use cookies for several important reasons:

Essential Functionality: To enable core website features like secure login, session management, and authentication
Security: To protect your account from unauthorized access, detect and prevent fraud, and maintain the security of our service
Performance: To understand how visitors interact with our website and identify areas for improvement
User Experience: To remember your preferences and settings, making your experience more personalised and efficient
Analytics: To analyse website traffic and usage patterns, helping us improve our service (only with your consent)
Compliance: To record your cookie consent preferences and honour your choices

4. Types of Cookies We Use

We use different types of cookies based on their function and how long they remain on your device. Below is a detailed breakdown of the cookies we use:

4.1 Strictly Necessary Cookies (Always Active)

Legal Basis: GDPR Article 6(1)(f) - Legitimate Interest

Cookie Name	Purpose	Duration
stack-session	Maintains your authenticated session with Stack Auth. Essential for login and account access.	30 days or until logout
stack-refresh-token	Allows you to stay logged in without re-entering credentials. Improves security by rotating tokens.	90 days
__Secure-next-auth.session-token	Next.js authentication session token for server-side session validation and security.	Session (30 days)
__Host-csrf-token	Protects against Cross-Site Request Forgery (CSRF) attacks. Critical security measure.	Session
_vercel_jwt	Vercel platform token for secure content delivery and edge function authentication.	Session
da-cookie-consent	Stores your cookie consent preferences to remember your choices and avoid showing the banner repeatedly.	1 year

4.2 Performance and Analytics Cookies (Requires Consent)

Legal Basis: GDPR Article 6(1)(a) - Consent

Cookie Name	Purpose	Duration
_ga	Google Analytics cookie to distinguish unique users and calculate visitor, session, and campaign data (if analytics is enabled).	2 years
_ga_*	Google Analytics 4 property-specific cookie for measuring interactions and conversions.	2 years
da-vitals	Core Web Vitals measurement for page performance monitoring (LCP, FID, CLS metrics).	90 days

4.3 Functional Cookies (Requires Consent)

Legal Basis: GDPR Article 6(1)(a) - Consent

Cookie Name	Purpose	Duration
da-preferences	Stores your display preferences (theme, dashboard layout, notification settings).	1 year
da-language	Remembers your language preference for content display.	1 year

4.4 Marketing and Advertising Cookies (Requires Consent)

Legal Basis: GDPR Article 6(1)(a) - Consent

5. First-Party vs Third-Party Cookies

Cookies can be set by the website you visit (first-party cookies) or by other websites that provide services to that site (third-party cookies).

5.1 First-Party Cookies

These are cookies set directly by Due Agent (dueagent.com domain). We have full control over these cookies and they are used exclusively for our service functionality. Examples include:

Authentication and session management cookies (stack-session, stack-refresh-token)
Cookie consent preferences (da-cookie-consent)
User preferences and settings (da-preferences, da-language)

5.2 Third-Party Cookies

These are cookies set by external services we use to provide certain functionality. Third-party cookies we may set include:

Stack Auth (stack.so): For secure authentication and user identity management
Vercel (vercel.com): For hosting platform security and content delivery
Google Analytics (google.com): For website analytics (only if you consent)

All third-party services we use are GDPR-compliant and bound by Data Processing Agreements (DPAs). You can review their privacy policies to understand how they handle cookies and personal data.

International Data Transfers

Standard Contractual Clauses (SCCs) approved by the European Commission
UK International Data Transfer Agreement (IDTA) or Addendum
Supplementary technical and organisational measures
EU-US Data Privacy Framework certification (where applicable)

You can prevent international transfers by analytics cookies by rejecting analytics cookies in your consent preferences. For more details, see our Privacy Policy section on international transfers.

6. Session vs Persistent Cookies

6.1 Session Cookies

Examples of our session cookies:

__Host-csrf-token (CSRF protection)
_vercel_jwt (platform security)

6.2 Persistent Cookies

Examples of our persistent cookies:

stack-session (30 days or until logout)
stack-refresh-token (90 days)
da-cookie-consent (1 year)
da-preferences (1 year)
_ga and _ga_* (2 years, if consented)

7. How Long We Keep Cookies

The length of time a cookie remains on your device depends on its type and purpose:

Retention Period	Cookie Types	Reason
Session (browser close)	CSRF tokens, temporary session data	Security and privacy
30 days	Authentication session (or until logout)	Convenient login experience
90 days	Refresh tokens, performance metrics	Seamless session renewal, analytics
1 year	Cookie consent, user preferences	Remember your choices and settings
2 years	Analytics cookies (if consented)	Long-term usage trends and improvements

GDPR Compliance Note

8. How to Manage and Delete Cookies

You have the right to decide whether to accept or reject cookies. You can exercise your cookie rights by managing your preferences through multiple methods:

8.1 Cookie Consent Banner

When you first visit our website, you will see a cookie consent banner that allows you to accept or reject optional cookies. You can choose to:

Accept all cookies: Allows all cookie types for the best user experience
Reject optional cookies: Only essential cookies will be set
Customise preferences: Choose which cookie categories you want to accept

8.2 Privacy Settings Dashboard

If you have a Due Agent account, you can manage your cookie preferences at any time through your Privacy Settings Dashboard. This allows you to:

View all cookies currently set by Due Agent
Enable or disable specific cookie categories
Clear all optional cookies with one click
Review your consent history and timestamps

8.3 Browser Settings

Most web browsers allow you to control cookies through their settings. You can typically configure your browser to:

Block all cookies (may prevent website functionality)
Block third-party cookies only
Delete cookies after each browsing session
Receive a notification before cookies are set

Browser-specific cookie management guides:

Google Chrome

Settings > Privacy and security > Cookies and other site data

View Chrome cookie guide

Mozilla Firefox

Settings > Privacy & Security > Cookies and Site Data

View Firefox cookie guide

Safari (macOS/iOS)

Preferences > Privacy > Manage Website Data

View Safari cookie guide

Microsoft Edge

Settings > Cookies and site permissions > Manage and delete cookies

View Edge cookie guide

Important Notice

9. Do Not Track (DNT) Signals

Our approach to DNT signals:

Strictly necessary cookies: Will still be set as they are essential for service functionality
Analytics cookies: Will be automatically disabled if we detect a DNT signal (equivalent to rejecting analytics consent)
Marketing cookies: Will not be set if a DNT signal is detected (currently we do not use marketing cookies)

You can enable DNT in your browser settings. However, we recommend using our cookie consent banner or Privacy Settings Dashboard for more granular control over your preferences.

10. Your Rights Under GDPR and PECR

Under the General Data Protection Regulation (GDPR) and the Privacy and Electronic Communications Regulations (PECR), you have specific rights regarding cookies and tracking technologies:

Right to Consent

Right to Withdraw Consent

Right to Access Information

Right to Object

You have the right to object to the use of cookies for analytics, marketing, or other non-essential purposes. You can exercise this right by rejecting optional cookies in your consent preferences.

Right to Lodge a Complaint

11. Cookies and Personal Data

Some cookies may process personal data as defined by GDPR. Personal data is any information relating to an identified or identifiable natural person. In the context of cookies, this includes:

Authentication cookies: Contain encrypted identifiers linked to your user account
Session cookies: May include IP addresses and session identifiers
Analytics cookies: May collect device identifiers, browsing patterns, and usage data
Preference cookies: Store settings associated with your account

For cookies that process personal data, we apply the same data protection principles as outlined in our Privacy Policy:

Data Minimization: We only collect data that is adequate, relevant, and necessary
Storage Limitation: Cookie data is retained only as long as necessary for its purpose
Security: All cookies containing personal data use secure flags (Secure, HttpOnly, SameSite) and encryption where appropriate
Transparency: We clearly identify which cookies process personal data and for what purpose
Accountability: We maintain records of consent and cookie usage for compliance audits

12. Changes to This Cookie Policy

We may update this Cookie Policy from time to time to reflect changes in our cookie usage, legal requirements, or best practices. When we make material changes, we will:

Update the "Last Updated" date at the top of this page
Notify you via email and/or a prominent notice on our website at least 30 days before changes take effect
Request fresh consent if we introduce new cookie categories or expand data processing purposes
Display the updated cookie banner to allow you to review and update your preferences

13. Contact Us About Cookies

If you have questions about this Cookie Policy, our use of cookies, or wish to exercise your rights, please contact us:

Data Protection Officer: dpo@dueagent.com

Privacy Email: privacy@dueagent.com

Privacy Settings: /dashboard/settings/privacy

Postal Address: Optflow AI Limited, 43 Fairfoot Road, London, England, E3 4EG

We aim to respond to all cookie-related inquiries within 72 hours. For data subject access requests or other GDPR rights, we will respond within 30 days as required by law.

14. Related Policies and Resources

For more information about how we protect your privacy and handle your personal data, please review our related policies:

Privacy Policy

Comprehensive information about how we collect, use, store, and protect your personal data.

View Privacy Policy

Terms of Service

Legal terms governing your use of Due Agent's services.

View Terms of Service

Data Processing Agreement

For customers who act as data controllers when using our service to process client data (available in account settings).

View DPA (Account Required)

Regulatory Compliance

This Cookie Policy complies with:

General Data Protection Regulation (GDPR) - Regulation (EU) 2016/679 and UK GDPR
Privacy and Electronic Communications Regulations (PECR) 2003 (as amended by the 2011 regulations)
ePrivacy Directive 2002/58/EC (Cookie Law)
Information Commissioner's Office (ICO) guidance on cookies and similar technologies