Legal
Cookie Policy
This policy explains how ClearCandidate uses cookies and similar technologies when you use our website and mobile app.
Last updated: 30 May 2026
1. What are cookies?
Cookies are small text files that a website places on your device when you visit. They are widely used to make websites work efficiently and to provide information to site owners. Similar technologies include local storage, session storage, and authentication tokens stored on your device.
We aim to use as few tracking technologies as possible. ClearCandidate does not use advertising cookies, third-party tracking pixels, or behavioural profiling tools.
2. What we use
Strictly necessary
These are essential for the Platform to function. You cannot opt out of them while using the service.
| Name / type | Purpose | Duration |
|---|---|---|
| access_token (localStorage) | Short-lived JWT used to authenticate API requests. Contains your user ID and role — no personal data. | 60 minutes (auto-refreshed while active) |
| refresh_token (localStorage) | Used to obtain a new access token without requiring you to log in again. | 7 days (or until logout) |
| cc_user (localStorage) | Stores your name and role locally so the dashboard can display them without an extra API call. | Session / until logout |
On the mobile app, these tokens are stored in hardware-backed secure storage (iOS Keychain / Android Keystore) rather than browser storage. They are not accessible to other apps on your device.
Functional
We do not currently use any functional cookies beyond those listed above.
Analytics
We do not currently use any third-party analytics cookies (e.g. Google Analytics). If we introduce analytics tools in future, this policy will be updated and your consent will be sought before any non-essential cookies are placed.
Advertising
We do not use advertising or targeting cookies of any kind.
3. Authentication tokens in more detail
ClearCandidate uses JSON Web Tokens (JWTs) rather than traditional session cookies. JWTs are a standard, secure method of transmitting authentication credentials between a browser or app and an API.
Our JWTs:
- Are signed using HMAC-SHA256. They cannot be forged or tampered with without invalidating them.
- Contain only your user ID and role — no personal data such as your name, email, or NI number is embedded in the token.
- Are transmitted only over HTTPS.
- Are stored in
localStorageon the web and in device secure storage on mobile. We do not usehttpOnlycookies for token storage on the web; however, we apply Content Security Policy and other headers to mitigate XSS risk. - Expire after 60 minutes. When you are actively using the Platform, new tokens are issued automatically using your refresh token. When you log out, both tokens are deleted.
4. Third-party services
The following third-party services may set their own cookies or tokens when you use ClearCandidate:
Stripe (payments)
When Employers complete subscription payments, Stripe may set cookies on your device for fraud prevention and checkout flow purposes. These are governed by Stripe's Privacy Policy.
Heroku
Our hosting provider may set technical cookies as part of its infrastructure. These are strictly necessary and contain no personal information.
postcodes.io
We use this open API server-side only to convert postcodes to coordinates for distance filtering. It does not set any cookies on your device.
5. Managing cookies and tokens
Web browser
You can clear our authentication tokens at any time by logging out of ClearCandidate. This deletes all tokens from localStorage. You can also clear site data manually via your browser's developer tools or settings, though this will log you out.
To manage cookies set by third parties (such as Stripe during checkout), you can use your browser's cookie settings. Note that blocking strictly necessary cookies will prevent the Platform from functioning.
Mobile app
Logging out of the app deletes all stored tokens from device secure storage. Uninstalling the app also removes all locally stored data.
Browser cookie controls
Most browsers allow you to view, manage, and delete cookies via their settings. Here are instructions for the most common browsers:
6. Changes to this policy
We will update this policy if we introduce new cookies or change how we use existing ones. If we introduce non-essential cookies, we will ask for your consent before placing them. The date at the top of this page shows when it was last updated.
7. Contact
If you have any questions about our use of cookies or tokens, please contact us:
Email: privacy@clearcandidate.co.uk
For complaints about our use of cookies you can also contact the Information Commissioner's Office at ico.org.uk.