Cookie Policy
Effective Date: February 2026
Document Version: 2.0
This Cookie Policy explains how Rymeda, Inc. ("Rymeda," "we," "us") uses cookies and similar technologies on the Rymeda website (rymeda.com) and the Rymeda platform. This policy should be read together with our Privacy Policy, which provides full details on how we collect, use, and protect your personal information.
Rymeda takes a privacy-first approach to cookies and tracking technologies. We use only strictly necessary cookies required for platform functionality and security. We do not use advertising cookies, cross-site tracking pixels, or behavioral profiling technologies. Our analytics provider, Plausible Analytics, is entirely cookie-free.
1. What Are Cookies
Cookies are small text files that are placed on your device (computer, tablet, or mobile phone) when you visit a website. They are widely used to make websites work efficiently, provide security features, and give website operators information about how the site is being used.
Cookies can be classified in several ways:
By Duration
- Session cookies — Temporary cookies that are deleted when you close your browser. They are essential for navigating the site and using its features.
- Persistent cookies — Cookies that remain on your device for a set period or until you delete them. They remember your preferences across visits.
By Origin
- First-party cookies — Set by the website you are visiting (rymeda.com). All cookies used by Rymeda are first-party.
- Third-party cookies — Set by a domain other than the one you are visiting. Rymeda does not use third-party cookies.
By Purpose
- Strictly necessary — Required for the website to function. Cannot be disabled without breaking core functionality.
- Functional — Remember your preferences (language, theme, display settings) to improve your experience.
- Analytics — Help us understand how visitors interact with the website. Rymeda uses cookie-free analytics (see Section 5).
- Advertising — Used for ad targeting and behavioral profiling. Rymeda does not use advertising cookies.
2. Cookie Inventory
The following table provides a complete inventory of cookies used on the Rymeda website and platform. This list is reviewed and updated whenever cookies are added, modified, or removed.
| Name | Category | Purpose | Duration | Type | Domain |
|---|---|---|---|---|---|
| CognitoIdentityServiceProvider.* | Strictly Necessary | AWS Cognito authentication tokens (ID token, access token, refresh token). Required for user authentication and session management. | 1 hour (access/ID); 30 days (refresh) | First-party | rymeda.com |
| cognito-session | Strictly Necessary | Maintains authenticated session state across page navigations. Contains no PHI or personal data beyond session identifier. | Session | First-party | rymeda.com |
| XSRF-TOKEN | Strictly Necessary | Cross-Site Request Forgery protection token. Prevents unauthorized actions on behalf of authenticated users. Required for security. | Session | First-party | rymeda.com |
| cookie-consent | Strictly Necessary | Stores your cookie consent preferences. Records which categories of cookies you have accepted or declined. | 1 year | First-party | rymeda.com |
| theme-preference | Functional | Stores your display theme preference (e.g., dark mode). Does not contain personal data. | 1 year | First-party | rymeda.com |
| locale | Functional | Stores your language/locale preference for the platform interface. Does not contain personal data. | 1 year | First-party | rymeda.com |
Last inventory review: February 2026. This table reflects all cookies set by the Rymeda website and platform as of the effective date.
3. Strictly Necessary Cookies
Strictly necessary cookies are essential for the Rymeda website and platform to function correctly. They enable core features such as authentication, session management, and security protections. These cookies cannot be disabled without breaking platform functionality.
3.1 Authentication Cookies (AWS Cognito)
Rymeda uses Amazon Web Services (AWS) Cognito for user authentication. When you sign in, Cognito sets authentication tokens that maintain your session:
- ID Token — Contains user identity claims (name, email, role). Expires after one (1) hour. Used for authorization decisions. Transmitted only over TLS 1.3 encrypted connections.
- Access Token — Grants access to protected API endpoints. Expires after one (1) hour. Scoped to the minimum permissions required for the user's role.
- Refresh Token — Used to obtain new ID and Access tokens without requiring re-authentication. Expires after thirty (30) days or upon explicit sign-out. Stored securely and revocable by the user or administrator.
Authentication cookies are HttpOnly where technically feasible, meaning they cannot be accessed by client-side JavaScript, which reduces the risk of cross-site scripting (XSS) attacks. All authentication tokens are transmitted exclusively over HTTPS (TLS 1.3).
3.2 CSRF Protection
The XSRF-TOKEN cookie provides Cross-Site Request Forgery protection. It ensures that form submissions and API requests originate from the Rymeda platform and not from a malicious third-party site. This is a session cookie that is deleted when you close your browser.
3.3 Cookie Consent
The cookie-consent cookie stores your cookie preferences. It records which categories of cookies you have accepted or declined, ensuring your choices persist across visits. This cookie is itself classified as strictly necessary because it is required to honor your cookie preferences.
Healthcare Data: Strictly necessary cookies used by Rymeda never contain Protected Health Information (PHI), clinical data, patient identifiers, or diagnosis/treatment information. Authentication tokens contain only the minimum claims required for identity verification and role-based access control.
4. Functional Cookies
Functional cookies remember your preferences and settings to provide a more personalized experience. These cookies are optional and can be disabled without affecting core platform functionality.
Theme Preference
Stores your display theme selection (e.g., dark mode). If disabled, the platform will use the default theme on each visit. Does not contain personal data or transmit information to third parties.
Locale / Language
Stores your language and regional formatting preference. If disabled, the platform will default to English (US) on each visit. Does not contain personal data or transmit information to third parties.
Functional cookies do not track your behavior, build user profiles, or share data with third parties. They exist solely to remember your interface preferences.
5. Analytics
Cookie-Free Analytics
Rymeda uses Plausible Analytics, a privacy-first analytics provider that does not use cookies, does not collect personal data, and does not track users across websites. No consent is required for Plausible under GDPR, ePrivacy Directive, CCPA/CPRA, or PECR because it does not process personal data or use cookies.
5.1 How Plausible Works
Unlike traditional analytics providers (such as Google Analytics), Plausible does not set any cookies or use browser fingerprinting. It collects only aggregate, non-personal metrics:
| Data Collected | Personal Data? | Purpose |
|---|---|---|
| Page URL | No | Understand which pages are visited |
| Referral source | No | Understand how visitors find the site |
| Browser type (aggregate) | No | Ensure browser compatibility |
| Operating system (aggregate) | No | Ensure platform compatibility |
| Device type (desktop/mobile) | No | Optimize responsive design |
| Country (from IP, then IP discarded) | No | Aggregate geographic distribution |
5.2 Plausible Privacy Guarantees
- No cookies — Plausible does not set any cookies or use browser storage mechanisms.
- No personal data — IP addresses are used transiently for country-level geolocation and then immediately discarded. No IP addresses are stored or logged.
- No cross-site tracking — Plausible does not track users across different websites or build user profiles.
- No browser fingerprinting — Plausible does not use canvas fingerprinting, WebGL fingerprinting, or any device fingerprinting technique.
- EU-hosted infrastructure — Plausible processes data on EU-based servers, subject to GDPR protections.
- Open source — Plausible's analytics script and server software are fully open source and auditable.
- Lightweight script — The Plausible script (< 1 KB) is loaded from plausible.io as permitted by our Content Security Policy.
5.3 Why We Chose Plausible
As a healthcare platform handling Protected Health Information (PHI), we selected Plausible specifically because it eliminates privacy risks associated with traditional analytics:
- No consent banner required — reduces user friction while maintaining full legal compliance.
- No data shared with advertising networks or data brokers.
- No risk of PHI leakage through analytics cookies or tracking pixels.
- Compliant with GDPR, ePrivacy Directive (Article 5(3)), CCPA/CPRA, PECR, and HIPAA requirements for minimum necessary data collection.
6. Local Storage & Similar Technologies
In addition to cookies, web browsers provide other storage mechanisms such as localStorage, sessionStorage, and IndexedDB. These technologies store data locally on your device and are not transmitted to servers with each request like cookies.
6.1 Current Usage
As of the effective date of this policy, the Rymeda website does not use localStorage, sessionStorage, or IndexedDB for data storage. All persistent data is managed through cookies (as documented in Section 2) or server-side session management.
6.2 Web Beacons & Pixels
Rymeda does not use web beacons (tracking pixels), clear GIFs, or similar invisible tracking technologies on the website or in emails. We do not embed third-party tracking pixels from advertising networks, social media platforms, or data brokers.
6.3 Browser Fingerprinting
Rymeda does not use browser fingerprinting techniques (canvas fingerprinting, WebGL fingerprinting, audio fingerprinting, or font enumeration) to identify or track users.
7. Consent Mechanism
Rymeda provides granular cookie consent controls in compliance with GDPR (Article 6, Article 7), the ePrivacy Directive (Article 5(3)), CCPA/CPRA, and UK PECR.
7.1 Consent Categories
| Category | Consent Required? | Can Be Disabled? | Default State |
|---|---|---|---|
| Strictly Necessary | No (exempt under ePrivacy Art. 5(3)) | No | Always active |
| Functional | Yes (opt-in) | Yes | Off until accepted |
| Analytics | Not applicable (Plausible is cookie-free) | N/A | N/A — no cookies used |
| Advertising | N/A | N/A | Not used |
7.2 Consent Controls
- Cookie banner — On your first visit, a cookie consent banner is displayed with clear options to accept or decline each category of non-essential cookies.
- Granular control — You can accept or decline each cookie category independently (e.g., accept functional cookies but decline all others).
- Modify preferences — You can change your cookie preferences at any time through the cookie settings link in the website footer or by contacting legal@rymeda.com.
- Withdraw consent — You may withdraw consent for any non-essential cookie category at any time. Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal (GDPR Article 7(3)).
- No cookie walls — Access to the Rymeda website is never conditioned on accepting non-essential cookies. Declining optional cookies does not restrict access to information or services.
7.3 Consent Record
Your consent preferences are stored in the cookie-consent cookie for one (1) year. Rymeda retains a server-side record of consent events (timestamp, categories accepted/declined, consent version) for compliance documentation purposes, as required by GDPR Article 7(1).
8. Do Not Track (DNT)
The Do Not Track (DNT) signal is a preference you can set in your browser to indicate that you do not want to be tracked across websites. There is currently no universally accepted standard for how websites should respond to DNT signals.
Rymeda's DNT Response: Because Rymeda does not engage in cross-site tracking, behavioral advertising, or user profiling, our practices are already consistent with the intent of DNT signals. We honor DNT signals by design — there is no cross-site tracking to disable. When a DNT signal is detected, we log the preference for compliance documentation.
For California residents, under the California Online Privacy Protection Act (CalOPPA), we disclose our DNT response as stated above. For additional California-specific privacy rights, see our Privacy Policy.
9. Third-Party Cookies
No Third-Party Cookies
Rymeda does not use third-party cookies of any kind. The following categories of third-party cookies are explicitly absent from the Rymeda website and platform:
- No advertising cookies — We do not use Google Ads, Facebook Pixel, LinkedIn Insight Tag, or any advertising network cookies.
- No cross-site tracking — We do not share browsing data with third-party trackers, data brokers, or advertising exchanges.
- No social media plugins — We do not embed social media widgets (Facebook Like, Twitter Share, etc.) that set third-party cookies.
- No retargeting — We do not use retargeting or remarketing cookies to serve ads to you on other websites.
- No third-party analytics cookies — We use Plausible Analytics, which is entirely cookie-free. We do not use Google Analytics, Adobe Analytics, Mixpanel, or similar services that set tracking cookies.
Our Content Security Policy (CSP) headers restrict the domains from which scripts can be loaded to self and plausible.io, providing a technical enforcement layer that prevents unauthorized third-party scripts from setting cookies. See our Information Security Policy for details on our security headers.
10. Managing Cookies in Your Browser
In addition to the consent controls described in Section 7, you can manage cookies directly through your browser settings. Most browsers allow you to view, block, and delete cookies.
10.1 Browser-Specific Instructions
Google Chrome
Settings → Privacy and Security → Cookies and Other Site Data. You can block all cookies, block third-party cookies, or clear cookies when you close Chrome.
Mozilla Firefox
Settings → Privacy & Security → Cookies and Site Data. Firefox offers Enhanced Tracking Protection with Standard, Strict, and Custom levels.
Apple Safari
Preferences → Privacy → Cookies and Website Data. Safari blocks cross-site tracking by default through Intelligent Tracking Prevention (ITP).
Microsoft Edge
Settings → Cookies and Site Permissions → Manage and Delete Cookies and Site Data. Edge offers tracking prevention with Basic, Balanced, and Strict levels.
10.2 Impact of Disabling Cookies
| If You Disable... | Impact |
|---|---|
| Strictly Necessary cookies | You will be unable to sign in, maintain a session, or use the platform. CSRF protection will be disabled, creating security risks. Not recommended. |
| Functional cookies | Your theme and language preferences will reset to defaults on each visit. No impact on core platform functionality. |
| All cookies | The platform will be unusable because authentication requires session cookies. The marketing website (rymeda.com) will remain accessible. |
11. International Considerations
Rymeda's cookie practices are designed to comply with the strictest applicable cookie regulations globally:
European Union — GDPR & ePrivacy Directive
Strictly necessary cookies are exempt from consent under ePrivacy Directive Article 5(3). Functional cookies require opt-in consent. Analytics (Plausible) is cookie-free and exempt. Our consent mechanism complies with EDPB guidelines on consent (05/2020).
United Kingdom — UK GDPR & PECR
Same consent framework as GDPR/ePrivacy. Strictly necessary cookies are exempt under PECR Regulation 6(4). ICO guidance on cookies is followed.
California — CCPA/CPRA
Rymeda does not "sell" or "share" personal information through cookies as defined under Cal. Civ. Code §1798.140(ad) and §1798.140(ah). No opt-out for cookie-based sale/sharing is required because we do not engage in such practices. For broader CCPA/CPRA rights, see our Privacy Policy.
HIPAA Alignment
Consistent with HIPAA's minimum necessary standard (45 CFR §164.502(b)), cookies contain only the minimum data required for their stated purpose. No PHI is stored in cookies. Authentication tokens are scoped to the minimum claims necessary for role-based access control.
12. Changes to This Policy
We may update this Cookie Policy from time to time. Changes will be handled as follows:
- Non-material changes — Updates to cookie names, durations, or descriptions that do not change the categories or purposes of cookies will be reflected by updating the effective date on this page.
- Material changes — Introduction of new cookie categories (e.g., analytics cookies, advertising cookies), new third-party cookies, or changes that expand data collection will trigger re-consent. We will reset your cookie preferences and display the consent banner again.
- Notification — For material changes, we will provide notice via email, in-platform notification, and/or website banner at least fourteen (14) days before the changes take effect.
We encourage you to review this policy periodically. The "Effective Date" at the top of this page indicates when the policy was last updated.
Contact
If you have questions about our use of cookies or wish to exercise your cookie preferences:
Mailing Address
Rymeda, Inc.
Attn: Privacy Team