Cookie Policy

Burning Ash Protocol cookie policy — what cookies we use, how we use them, and your choices.

Last Updated: March 2026

What Are Cookies

Cookies are small text files placed on your device when you visit a website. They are widely used to make websites work efficiently and to provide information to site owners. Similar technologies include local storage, session storage, pixels, and web beacons.

How We Use Cookies

BAP uses a minimal set of cookies. We prioritize privacy and do not use advertising, marketing, or third-party tracking cookies.

These cookies are essential for the Service to function. They cannot be disabled.

Cookie Name	Purpose	Duration	Type
`bap_token`	JWT authentication token (stored in localStorage)	Session / until expiry (1 hour)	First-party, functional
`bap_refresh`	Refresh token for JWT renewal (stored in localStorage)	Session / until expiry	First-party, functional
Session cookies	CSRF protection, session management	Session	First-party, essential

Legal basis (GDPR): These are strictly necessary for the provision of the Service (ePrivacy Directive Art. 5(3) exemption; GDPR Art. 6(1)(b) contract performance).

Analytics

We use Plausible Analytics, a privacy-respecting analytics tool that does not use cookies, does not track individuals, and does not collect personal data. No consent is required for cookieless analytics.

If we ever introduce analytics that set cookies, we will update this policy and request your consent before activation.

Third-Party Cookies

Service	Purpose	Cookies Set	Consent Required
Stripe (payment pages)	Payment processing, fraud prevention	Stripe sets its own cookies on payment pages	Yes (functional, set during payment interaction)

We do not embed social media widgets, advertising pixels, or cross-site tracking scripts.

Local Storage and Similar Technologies

In addition to cookies, BAP uses browser localStorage:

Key	Purpose	Duration
`bap_token`	JWT authentication	Until expiry or logout
`bap_refresh`	Refresh token	Until expiry or logout
`bap_cookie_consent`	Cookie consent preference	Persistent until cleared
Theme/preference settings	UI preferences	Persistent until cleared

localStorage items are first-party only and are not accessible by third-party scripts.

Your Choices

Browser Settings

You can control cookies through your browser settings:

Chrome: Settings > Privacy and Security > Cookies
Firefox: Settings > Privacy & Security > Cookies
Safari: Preferences > Privacy > Cookies
Edge: Settings > Cookies and site permissions

Blocking essential cookies may prevent the Service from functioning.

When you first visit the BAP website, a cookie consent banner allows you to accept or decline non-essential cookies.

Do Not Track

We respect the Do Not Track (DNT) browser signal. When DNT is enabled, we do not load any optional analytics or tracking scripts.

Global Privacy Control (GPC)

We honor the Global Privacy Control signal as required by CCPA/CPRA. When GPC is detected, we treat it as a valid opt-out of any non-essential data collection.

Compliance

EU ePrivacy Directive (2002/58/EC)

We comply with Article 5(3) by obtaining prior opt-in consent before setting any non-essential cookies or accessing information on your device.

Cookie consent meets GDPR requirements for freely given, specific, informed, and unambiguous consent (Art. 4(11), Art. 7). Consent can be withdrawn as easily as it was given.

CCPA/CPRA

We honor opt-out preferences including Global Privacy Control signals. We do not use cookies for cross-context behavioral advertising or to sell personal information.

Changes to This Policy

We may update this Cookie Policy periodically. Changes will be posted on this page with an updated date. Material changes to cookie usage will trigger a renewed consent request.

Contact

Privacy inquiries: privacy@baprotocol.com

This Cookie Policy is part of our Terms of Service. By using BAP, you agree to both.