Cookie Policy
Effective date: 19 June 2026
This Cookie Policy explains how Silkway Tech LLC uses cookies and similar browser storage on railbase.app and how Railbase self-hosted deployments may use cookies and local storage. It should be read together with our Privacy Policy.
1. What cookies and similar storage are
Cookies are small text values stored by your browser. Similar technologies include localStorage, sessionStorage, and browser-managed security state. We use these technologies for authentication, security, language selection, preferences, and embedded checkout flows.
We do not use third-party advertising cookies. Our first-party website analytics are cookieless and do not set tracking identifiers.
2. railbase.app cookies and storage
| Name or storage key | Type | Purpose | Typical duration |
|---|---|---|---|
sess |
Necessary cookie | Keeps a signed-in marketplace/account user authenticated. | Session/account TTL, or until sign-out |
| Admin session cookie | Necessary cookie | Keeps an operator signed into the railbase.app admin console. | Admin session TTL, or until sign-out |
lang |
Preference cookie | Remembers selected site language for redirects and future visits. | Up to 1 year |
theme |
Preference localStorage | Remembers light/dark theme. | Until changed or cleared |
| Stripe.js / Stripe iframe storage | Necessary third-party payment storage | Enables secure payment collection, fraud prevention, and checkout/payment processing by Stripe. | Controlled by Stripe |
Session cookies are generally configured with security attributes such as HttpOnly, SameSite, and Secure in production where applicable. Preference storage is readable by the browser because the page needs it to apply the selected language or theme.
3. Cookieless analytics
railbase.app records first-party analytics without analytics cookies. We may record page views, download events, referrer host, browser/user-agent, country derived from IP, a salted hash of IP address, dwell time, scroll depth, CTA clicks, basic performance signals, JavaScript error metadata, and bot/AI crawler classification. These analytics do not set a cookie or localStorage tracking ID and are used for security, reliability, product improvement, and marketplace reporting.
4. Self-hosted Railbase cookies and storage
If you run Railbase on your own server, your deployment may set cookies and local storage values such as:
| Name or storage key | Type | Purpose |
|---|---|---|
railbase_session |
Necessary cookie | Authenticates app users in the self-hosted deployment. |
railbase_admin_session |
Necessary cookie | Authenticates system admins in the self-hosted admin console. |
railbase_csrf |
Necessary security cookie | Double-submit CSRF protection for cookie-authenticated requests. This cookie must be readable by the SPA so it can mirror the value into the X-CSRF-Token header. |
railbase_oauth_state |
Necessary security cookie | Protects OAuth/OIDC sign-in flow state, including provider, nonce, return URL, and PKCE verifier where applicable. |
railbase_saml_state |
Necessary security cookie | Protects SAML sign-in flow state and request binding. |
rb_token, rb_tenant_id, rb_admin_token or similar |
Local storage | Used by generated Railbase frontends, admin UI, or plugin frontends to persist bearer tokens and selected tenant across reloads. |
| UI preference keys | Local storage or cookies | Theme, language, sidebar state, or similar interface preferences. |
Your organization is responsible for disclosing and managing cookies, localStorage, analytics, consent, and third-party scripts in your own self-hosted deployment and any applications you build with Railbase.
5. Plugin storage
Plugins may add their own browser storage or may reuse Railbase authentication and tenant storage. For example, the Translate plugin frontend reads the same localStorage token and tenant keys used by the host application so it can call /api/translate/* as the signed-in user. Plugin data itself is usually stored server-side in your self-hosted deployment rather than in browser cookies.
6. Consent
We currently use cookies and similar storage that are necessary for authentication, security, checkout, language selection, and preferences. Because our analytics do not use cookies or persistent browser tracking identifiers, we do not currently display an analytics-cookie consent banner. If we add non-essential cookies, advertising cookies, or cookie-based analytics, we will update this policy and request consent where required.
7. Managing cookies
You can block or delete cookies and localStorage in your browser settings. Blocking necessary cookies may prevent sign-in, checkout, CSRF protection, OAuth/SAML sign-in, admin access, or language/theme preferences from working correctly.
8. Contact
Questions about cookies or privacy can be sent to support@railbase.app.