HomeOrbit
HomeOrbit®
Legal & Policies
Back to siteLog in
LegalPrimary

HomeOrbit Cookie Policy

How cookies and similar technologies are used on the HomeOrbit site and platform.

Version 1.2
Updated 3 May 2026

This Cookie Policy explains how HomeOrbit uses cookies and similar technologies on its website and platform.

1. What are cookies?

Cookies are small text files placed on your device when you visit a website. They can help a website operate securely, remember your preferences, maintain a logged-in session, and improve usability.

2. How HomeOrbit currently uses cookies

HomeOrbit currently uses cookies and similar technologies primarily for strictly necessary purposes, including:

  • maintaining authenticated sessions;
  • keeping users securely logged in;
  • verifying multi-factor authentication ("MFA") challenges;
  • remembering a trusted browser or device where a user chooses that option;
  • protecting sensitive actions such as password changes;
  • supporting platform security and request integrity;
  • remembering theme or interface preferences, such as dark or light display mode; and
  • ensuring core website and platform features work correctly.

At the date of this policy, HomeOrbit does not state that it uses advertising cookies or behavioural marketing cookies.

3. Types of cookies and similar technologies we may use

3.1 Strictly necessary cookies

These cookies are essential to provide the website or platform you have requested. Without them, core functions such as secure login, account session management, and requested preferences cannot operate properly.

Examples may include:

  • session and authentication cookies;
  • MFA verification cookies;
  • trusted-browser or trusted-device cookies;
  • password-change verification cookies;
  • security and anti-abuse cookies;
  • load-balancing or service integrity cookies where used by infrastructure providers; and
  • preference cookies necessary to deliver your chosen interface mode.

3.2 MFA and security cookies

HomeOrbit uses additional strictly necessary cookies to support MFA and account security. These cookies help confirm that a signed-in user has completed an email verification challenge, allow a user to remember a trusted browser or device where they choose to do so, and protect password-change flows.

When a user chooses to remember a trusted browser or device, HomeOrbit stores a security cookie on that browser and a matching server-side trusted-device record. The cookie contains a random selector and validator token. The server-side record stores the matching hashed token, the user account it belongs to, expiry and revocation timestamps, and limited security metadata such as device label, browser/user-agent information, IP address information, and last-used timestamps. This allows HomeOrbit to check the trusted browser without storing the plain trusted-device token in the database.

Current examples include:

| Cookie or technology | Purpose | Typical duration | | --- | --- | --- | | Supabase authentication cookies | Maintain a secure signed-in session and refresh authentication securely. | Session or authentication-token duration. | | `ho_email_mfa_ok` | Records that the signed-in user has completed the required email MFA challenge for the current browser session. | Browser session or until cleared. | | `ho_mfa_trust` | Remembers a trusted browser or device when the user selects the trusted-browser option, so repeated MFA prompts are reduced on that browser. | Up to 90 days from when it is set or refreshed, unless revoked, expired, invalidated, or cleared earlier. | | Server-side trusted-device record | Stores the matching hashed trusted-device token and limited security metadata needed to verify, expire, audit, or revoke trusted-browser status. | Up to 90 days, unless revoked or deleted earlier. | | `ho_pw_change_ok` | Confirms that the user has completed an email verification step before changing their password. | Around 10 minutes. | | `orbit` | Remembers the user's chosen Orbit/light display mode. | Preference duration set by the platform or browser. |

MFA and trusted-browser cookies are set with security-focused attributes where supported, such as `HttpOnly`, `SameSite=Lax`, and `Secure` in production environments. Trusted-browser status applies only to the browser or device where it was set. Using another browser or device, clearing cookies, expiry, or revocation may require the user to complete MFA again.

3.3 Preference technologies

HomeOrbit may store certain preferences, such as theme mode or recently used account identifiers, using browser storage or cookies in order to improve usability.

3.4 Future optional technologies

If HomeOrbit later introduces optional analytics, performance measurement, or other non-essential technologies, the website and this policy will be updated and a consent mechanism will be implemented where required by law.

4. Lawful basis and consent

Where cookies or similar technologies are strictly necessary to provide the service you request, HomeOrbit relies on the applicable legal exemption for those technologies. This includes security, authentication, MFA, trusted-browser, and password-change cookies needed to protect user accounts and provide the logged-in platform.

Where the use of these cookies or related records involves personal data, HomeOrbit processes that data for the security, authentication, service delivery, and fraud-prevention purposes described in the HomeOrbit Privacy Notice.

If HomeOrbit introduces non-essential cookies or similar technologies in future, it will seek consent where required before placing or reading them.

5. Managing cookies

You can usually manage cookies through your browser settings, including blocking or deleting cookies. Please note that blocking strictly necessary cookies may prevent parts of the website or platform from working properly.

If you delete authentication, MFA, or trusted-browser cookies, you may need to sign in again, complete MFA again, or re-confirm a trusted browser. If trusted-browser status is revoked in the platform or expires, the related cookie may be cleared or ignored and MFA may be requested again.

6. Third-party services

Some third-party providers that support HomeOrbit may also use necessary cookies or similar technologies as part of providing infrastructure, authentication, security, or embedded functionality. Where relevant, those providers' own privacy and cookie information may also apply.

7. Contact

If you have questions about this Cookie Policy, contact support@homeorbit.co.uk.

8. Changes to this policy

We may update this policy from time to time to reflect changes in law, technology, or website operation. The latest version will apply from the date shown above.