Cookie Policy

RE::DACT Platform and Services

Effective Date: February 14, 2026
Last Updated: February 14, 2026
Version: 1.0 (Beta Testing Phase)

This Cookie Policy explains how REAI Prosta Spółka Akcyjna and REDACT Inc. (together, "RE::AI", "we", "us", or "our") use cookies and similar tracking technologies when you visit or use the RE::DACT platform, SPARK content discovery tool, RE::CORD voice transcription service, and related websites and applications (collectively, the "Services").

This Policy should be read together with our Privacy Policy and Terms of Service. Defined terms used but not defined here have the meanings given in the Privacy Policy.

Applicable law: This Policy complies with the ePrivacy Directive (2002/58/EC as amended by 2009/136/EC), GDPR (EU) 2016/679, UK GDPR and PECR (Privacy and Electronic Communications Regulations 2003), and applicable national implementations including Polish law (Prawo Telekomunikacyjne, Art. 173).

TABLE OF CONTENTS

• 1. What Are Cookies?
• 2. What Technologies Do We Use?
• 3. Categories of Cookies We Use
• 4. Cookie Register — Full List
• 5. Legal Bases for Cookie Processing
• 6. Your Consent — How It Works
• 7. How to Manage and Withdraw Consent
• 8. Cookies Set by Third Parties
• 9. Cookies and Journalistic Source Protection
• 10. Data Retention for Cookie Data
• 11. International Transfers
• 12. Changes to This Policy
• 13. Contact

§ 1. WHAT ARE COOKIES?

Cookies are small text files placed on your device (computer, tablet, or mobile phone) when you visit a website or use a web application. They are widely used to make websites work efficiently, remember your preferences, and provide information to site owners.

Cookies are set either by the website you are visiting ("first-party cookies") or by third-party services operating on that website ("third-party cookies"). They can be "session cookies" — which are deleted when you close your browser — or "persistent cookies" — which remain on your device for a defined period or until you delete them.

Important: Under the ePrivacy Directive and its national implementations, storing or accessing information on a user's device requires either: (a) that the cookie is strictly necessary for a service explicitly requested by the user; or (b) the user's prior, informed, and freely given consent. Pre-ticked boxes, scrolling, and continued browsing do not constitute valid consent.

§ 2. WHAT TECHNOLOGIES DO WE USE?

In addition to traditional cookies, we use the following similar technologies:

Session Storage: Temporary browser storage maintaining your session state within the RE::DACT editor (unsaved document state, active mode). Automatically cleared when you close the browser tab. Strictly necessary — no consent required.

Local Storage: Persistent browser storage saving your UI preferences (editor layout, language, dark/light mode). Remains until cleared by you or the application. Subject to consent where not strictly necessary.

Firebase Authentication Tokens: Secure tokens issued by Google Firebase to maintain your authenticated session. Stored in browser memory or secure storage. Strictly necessary — no consent required.

Pixel Tags / Web Beacons: We do not currently use pixel tags or web beacons. If introduced in future, this Policy will be updated and consent obtained where required.

Fingerprinting: We do not use browser fingerprinting or any similar technique to identify users without cookies.

§ 3. CATEGORIES OF COOKIES WE USE

We group cookies into four categories. Only Category 1 (Strictly Necessary) cookies are set without your consent. All other categories require your prior consent through our Cookie Consent Banner.

Category 1 — Strictly Necessary Cookies

Consent required: No. Essential for the Services to function. You cannot opt out of these cookies while using the Services.

Legal basis: Article 5(3) ePrivacy Directive — technically necessary storage exemption; GDPR Article 6(1)(b) — necessary for performance of contract.

• Authentication tokens (Firebase / Google Identity)
• Session state management (editor functionality, active workspace)
• CSRF protection tokens (security against cross-site request forgery)
• Cookie consent record (stores your consent preferences)
• Load balancing tokens (routing requests to the correct server instance)

Category 2 — Functional Cookies

Consent required: Yes. These cookies remember your preferences. The Services function without them, but personalisation features will be unavailable.

Legal basis: GDPR Article 6(1)(a) — consent.

• Language and locale preferences
• UI layout preferences (editor panel positions, font size, sidebar state)
• Dark / light mode setting
• Recently accessed documents list (local cache only, not transmitted to server)
• Notification preferences

Category 3 — Analytics Cookies

Consent required: Yes. These cookies help us understand how users interact with the Services in aggregate. All analytics data is anonymized. We do not use analytics cookies for advertising profiling.

Legal basis: GDPR Article 6(1)(a) — consent; GDPR Article 6(1)(f) — legitimate interest (only for genuinely anonymized data where attribution to any individual is impossible).

• Platform usage patterns (which features are used and in what sequence)
• Error and crash reporting (to identify and fix bugs)
• Performance monitoring (page load times, API response times)
• Beta Phase quality signals (anonymized AI output quality indicators — see Privacy Policy §8.3)

Category 4 — Third-Party Service Cookies

Consent required: Yes. Cookies set by Stripe for payment processing. We do not allow third-party advertising or tracking cookies of any kind.

Legal basis: GDPR Article 6(1)(a) — consent; GDPR Article 6(1)(b) — contract performance (Stripe fraud prevention only).

• Stripe payment widget cookies (fraud prevention, payment session state)

What we do not use: RE::AI does not set or permit advertising cookies, retargeting cookies, social media tracking pixels, or cross-site tracking cookies of any kind.

§ 4. COOKIE REGISTER — FULL LIST

The following tables set out every cookie and similar technology currently in use. This register is updated when cookies are added, changed, or removed.

4.1 Strictly Necessary Cookies

Cookie Name       Provider             Purpose                          Category           Duration    Legal Basis
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
__session         RE::DACT (Firebase)  Maintains authenticated user     Strictly           Session     ePrivacy Art.
                                       session. Required for all        Necessary                      5(3) / GDPR Art.
                                       platform functionality.                                         6(1)(b)

__firebase_auth   Google Firebase      Stores Firebase authentication   Strictly           1 year      ePrivacy Art.
                                       state and refresh token for      Necessary                      5(3) / GDPR Art.
                                       automatic re-authentication.                                    6(1)(b)

XSRF-TOKEN        RE::DACT             Cross-site request forgery       Strictly           Session     ePrivacy Art.
                                       protection. Verifies requests    Necessary                      5(3)
                                       originate from the legitimate
                                       application.

redact_consent    RE::DACT             Stores your cookie consent       Strictly           12 months   ePrivacy Art.
                                       preferences (categories          Necessary                      5(3)
                                       accepted/rejected) to avoid
                                       repeated consent requests.

redact_lb         RE::DACT             Load balancing — ensures         Strictly           Session     ePrivacy Art.
                  (Cloud Run)          request routing consistency      Necessary                      5(3)
                                       within a session.

4.2 Functional Cookies

Cookie Name       Provider             Purpose                          Category           Duration    Legal Basis
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
redact_prefs      RE::DACT             Stores UI preferences:           Functional         6 months    GDPR Art. 6(1)
                                       language, editor layout,                                        (a) — Consent
                                       dark/light mode, sidebar state.

redact_locale     RE::DACT             Stores selected language and     Functional         6 months    GDPR Art. 6(1)
                                       regional format settings                                        (a) — Consent
                                       (date, number format).

redact_recent     RE::DACT             Local storage: recently          Functional         30 days     GDPR Art. 6(1)
                                       accessed documents for quick                                    (a) — Consent
                                       navigation. Not transmitted
                                       to server.

4.3 Analytics Cookies

Cookie Name       Provider             Purpose                          Category           Duration    Legal Basis
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
redact_analytics  RE::DACT             Anonymized session analytics:    Analytics          12 months   GDPR Art. 6(1)
                  (BigQuery)           feature usage, navigation                                       (a) — Consent
                                       paths, session duration. No
                                       personal identifiers transmitted.

redact_perf       RE::DACT             Performance monitoring: page     Analytics          Session     GDPR Art. 6(1)
                                       load times, API response                                        (a) — Consent
                                       times, error rates.

redact_beta_qs    RE::DACT             Beta Phase quality signals:      Analytics          Beta        GDPR Art. 6(1)
                  (BigQuery)           anonymized AI output quality                        Phase       (a) / Art. 6(1)(f)
                                       indicators. Used to improve                         only
                                       AI accuracy. See Privacy
                                       Policy §8.3.

4.4 Third-Party Service Cookies

Cookie Name       Provider             Purpose                          Category           Duration    Legal Basis
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
__stripe_mid      Stripe Inc.          Fraud prevention and payment     Third-Party        1 year      GDPR Art. 6(1)
                  (stripe.com)         risk assessment. Set when                                       (a) / Art. 6(1)(b)
                                       Stripe payment widget is loaded.

__stripe_sid      Stripe Inc.          Stripe session cookie for        Third-Party        30 minutes  GDPR Art. 6(1)
                  (stripe.com)         payment flow continuity.                                        (a) / Art. 6(1)(b)

Note: Cookie names, durations, and providers may change as the platform evolves. This register is updated at each Policy revision. Contact privacy@redact.ai to report discrepancies.

§ 5. LEGAL BASES FOR COOKIE PROCESSING

5.1 ePrivacy Directive and National Implementations

The ePrivacy Directive requires prior, informed consent before storing or accessing information on a user's device, with one exception: cookies strictly necessary for a service explicitly requested by the user.

Under Polish law (Prawo Telekomunikacyjne Art. 173), the same rule applies. Under UK PECR (Regulation 6), identical requirements apply to UK users.

For EU, EEA, UK, and Swiss users, we obtain consent before setting Categories 2, 3, and 4 cookies through our Cookie Consent Banner (see Section 6).

5.2 GDPR Lawful Bases

Where cookie processing involves personal data linked to a session ID, GDPR also applies:

Contract performance (Art. 6(1)(b)): For strictly necessary cookies required to deliver the Services you have requested.

Consent (Art. 6(1)(a)): For functional, analytics, and third-party cookies. Consent is granular per category. You may withdraw at any time.

Legitimate interest (Art. 6(1)(f)): Only for genuinely anonymized analytics data that cannot be attributed to any individual, used as a secondary basis where consent has been withdrawn. A balancing test has been conducted and documented internally.

5.3 US Users

RE::AI does not share personal information collected via cookies for cross-context behavioral advertising. No opt-out signal is therefore required under CCPA/CPRA, but we honour Global Privacy Control (GPC) signals as a matter of best practice (see Section 7.3).

§ 6. YOUR CONSENT — HOW IT WORKS

6.1 Cookie Consent Banner

When you first visit the RE::DACT platform, a Cookie Consent Banner is displayed before any non-essential cookies are set. The banner will:

a) Clearly explain the categories of cookies we use;

b) Allow you to accept all categories, reject all non-essential categories, or make granular choices per category;

c) Provide a link to this Cookie Policy for full information;

d) Require an affirmative action to register consent — scrolling, continuing to use the site, or pre-ticked boxes do not constitute valid consent under ePrivacy Directive requirements.

6.2 Granular Consent

Consent is collected separately for each non-essential category. Rejecting Categories 2, 3, or 4 will not prevent you from using the core Services.

• Category 2 — Functional Cookies: Accept / Reject
• Category 3 — Analytics Cookies: Accept / Reject
• Category 4 — Third-Party Service Cookies: Accept / Reject

6.3 Standards for Valid Consent

In accordance with GDPR Article 7, Recital 32, and ePrivacy requirements as interpreted by UODO, ICO, and CNIL, valid consent must be:

Freely given: Consent to non-essential cookies is never a condition of accessing the Services. You can use RE::DACT with strictly necessary cookies only.

Specific: Consent is collected per category, not as a blanket "accept all" without alternatives.

Informed: The banner provides clear information about each category with a link to this full Policy.

Unambiguous: Consent requires a deliberate affirmative action. Inaction and pre-ticked boxes do not count.

6.4 Consent Record

We store a record of your consent choices in the redact_consent cookie. This record contains:

• Date and time of consent
• Categories accepted and rejected
• Version of Cookie Policy in force at time of consent
• Reference to the consent banner version displayed

This record enables us to demonstrate compliance with GDPR Article 5(2) (accountability principle) and to avoid presenting the consent banner on repeat visits.

6.5 Re-consent

We will ask for your consent again if:

• Twelve months have passed since your last consent;
• We add new cookie categories or materially change how existing categories are used;
• You clear your browser cookies, deleting the redact_consent record.

§ 7. HOW TO MANAGE AND WITHDRAW CONSENT

7.1 Cookie Preference Centre

You may review and change your cookie preferences at any time by clicking "Cookie Settings" in the footer of any RE::DACT page. You can: view current choices, change consent for any category, or withdraw all consent for non-essential cookies with a single click. Changes take effect immediately. When you withdraw consent, relevant cookies are deleted within 24 hours or on your next session, whichever is sooner.

7.2 Browser Controls

You can also manage cookies through your browser settings (view, delete, block). Note that blocking strictly necessary cookies will prevent the Services from functioning. Browser-level blocking does not constitute withdrawal of consent for GDPR purposes — please use the Cookie Preference Centre for this.

• Google Chrome: Settings > Privacy and Security > Cookies and other site data
• Mozilla Firefox: Settings > Privacy & Security > Cookies and Site Data
• Safari: Preferences > Privacy > Manage Website Data
• Microsoft Edge: Settings > Cookies and site permissions

7.3 Global Privacy Control (GPC)

We honour the Global Privacy Control (GPC) signal. If your browser sends a GPC signal when visiting our Services, we treat this as withdrawal of consent for Categories 3 and 4 cookies. Strictly necessary and functional cookies are not affected.

7.4 Mobile / PWA

The RE::DACT Progressive Web App (PWA) uses the same cookie and local storage mechanisms as the web application. Cookie preferences set in the browser apply to the PWA when accessed from the same browser. OS-level privacy settings (iOS Privacy > Tracking, Android) are honoured where technically applicable.

7.5 Analytics Opt-Out

In addition to the Cookie Preference Centre, you may opt out of anonymized analytics processing at any time by emailing privacy@redact.ai with subject line "Analytics Opt-Out". We will process your request within 5 business days.

§ 8. COOKIES SET BY THIRD PARTIES

8.1 Stripe Inc.

Stripe payment processing widgets set __stripe_mid and __stripe_sid for fraud prevention and payment session continuity. These are set only on pages where payment processing is active. Stripe's cookie policy is available at stripe.com/privacy.

8.2 Google Firebase

Google Firebase Authentication sets cookies and local storage entries to manage your authenticated session. These are first-party in function (operating on behalf of RE::AI) and are classified as strictly necessary. Google's cookie policy is available at policies.google.com/technologies/cookies.

8.3 What We Do Not Allow

RE::AI does not permit and has not integrated:

• Advertising networks (Google Ads, Meta Pixel, TikTok Pixel, etc.)
• Social media tracking buttons or pixels (Facebook, LinkedIn, Twitter/X, etc.)
• Behavioural retargeting services
• Cross-site tracking or data broker services
• Analytics services without valid data processing agreements

§ 9. COOKIES AND JOURNALISTIC SOURCE PROTECTION

Given the journalistic nature of RE::DACT and source protection obligations, the following additional measures apply:

No source data in cookies: Cookies and local storage entries never contain source identities, Placeholder mappings, or any data that could identify a journalistic source. Source data is stored only in encrypted Firestore — never in client-side storage.

Session isolation: Each user session is isolated. Cookies do not create cross-user linkages that could expose source relationships.

Incognito / private browsing: We recommend journalists working on sensitive investigations use private/incognito browsing mode. In private mode, session cookies are automatically deleted on browser close and local storage is cleared. Authentication will be required on each session.

Consent record: The redact_consent cookie contains only consent metadata — no content, usage patterns, or personal data beyond a session reference.

§ 10. DATA RETENTION FOR COOKIE DATA

Session cookies: Deleted automatically when you close your browser or tab.

Persistent cookies: Retained for the duration specified in the Cookie Register (Section 4) or until deleted via browser settings or Cookie Preference Centre.

Analytics data derived from cookies: Anonymized analytics data stored in BigQuery is retained for 12 months, after which it is permanently deleted or aggregated in a form that cannot be attributed to any session or user.

Consent records: Records of your consent choices are retained for 3 years to demonstrate compliance with GDPR Article 5(2) accountability principle.

§ 11. INTERNATIONAL TRANSFERS

Stripe Inc. (USA): Cookie data processed by Stripe is transferred to the United States under Standard Contractual Clauses (SCCs).

Google Firebase (USA/EU): Firebase authentication data is processed in EU-region data storage where available. Transfers to the US are covered by Google's SCCs and Data Processing Agreement.

All international transfers of cookie-related personal data are subject to the safeguards described in Section 12 of the Privacy Policy.

§ 12. CHANGES TO THIS POLICY

Material changes: If we add new cookie categories or significantly change how we use cookies, we will present a new consent banner before the new cookies are set, regardless of prior consent.

Minor changes: For minor updates (new cookie within an existing category, updated durations), we will update the "Last Updated" date and Cookie Register. You will be notified via the Cookie Preference Centre on your next visit.

Previous versions are available upon request at contact@reai-strategy.com

§ 13. CONTACT

For questions about this Cookie Policy, to withdraw consent, or to report a compliance concern:

Email: privacy@redact.ai | Subject: "Cookie Policy Query" or "Cookie Consent Withdrawal"
Response time: Within 5 business days.

EU/EEA/UK:
REAI Prosta Spółka Akcyjna, Aleja Jana Pawła II 5/6, 64-920 Piła, Poland
Supervisory authority: Urząd Ochrony Danych Osobowych (UODO) — www.uodo.gov.pl

UK:
Information Commissioner's Office (ICO) — www.ico.org.uk

US:
REDACT Inc., 1111B S Governors Ave STE 99573, Delaware, United States — privacy@redact.ai

END OF COOKIE POLICY

© 2026 REAI Prosta Spółka Akcyjna / REDACT Inc. All rights reserved.
Compliance: ePrivacy Directive 2002/58/EC (amended 2009/136/EC) | GDPR (EU) 2016/679 | UK GDPR / PECR 2003 | Polish Prawo Telekomunikacyjne Art. 173 | CCPA/CPRA (California)