Cookie Notice

Version 3.0 · Effective from 15 May 2026 · change log

In brief (does not replace the full text) On MINOMO we use strictly necessary technical cookies only: no profiling cookies, no advertising trackers, no behavioural analytics delegated to third parties. This is why you won't find a cookie consent banner here: Italian and European law requires one only for cookies that are not strictly necessary. In the PWA app at app.minomo.io a technical device identifier and your language preference are stored. On the showcase website minomo.io, Cloudflare may set anti-bot cookies in the event of a challenge. Nothing else.

Contents

What cookies are
Cookies and similar technologies
Why there is no cookie banner
Cookies and storage used by MINOMO
What we don't use
How to manage cookies in your browser
Changes to this Notice
Contact

1. What cookies are

Cookies are small text files that a website places in a user's browser when they visit it. They are read automatically by the browser on subsequent requests to the same site and serve various purposes: keeping a login session active, remembering preferences such as language, or — in their more intrusive form — tracking a user's browsing across multiple sites to build advertising profiles.

Cookies are distinguished primarily by duration:

Session cookies: these exist only for the duration of the browser session. They are deleted automatically when the browser is closed.
Persistent cookies: these have a defined expiry date and remain on the device even after the browser is closed, until they expire naturally or are deleted by the user.

And by origin:

First-party cookies: placed directly by the website you are visiting, under its own domain.
Third-party cookies: placed by a domain different from the website you are visiting — typically an external analytics, advertising, or social-media service embedded in the page.

2. Cookies and similar technologies

Beyond cookies in the strict sense, there are other client-side storage technologies worth distinguishing, because privacy regulations treat them differently or because they are relevant to understanding how MINOMO works.

localStorage and sessionStorage

These are browser storage areas accessible via JavaScript. Unlike cookies, they are never sent automatically to the server with HTTP requests: they are read only by JavaScript code running in the page. MINOMO uses localStorage to store non-sensitive interface preferences (for example, the state of the menu or the last active tab) in an entirely client-side manner, without transmission to the server.

IndexedDB

A structured database in the browser, used in the MINOMO PWA to cache offline content: previously visited pages, followed merchant data, saved itineraries. Data in IndexedDB never leaves your device — it exists to let you use the app even without a connection.

Service Worker and Cache API

The Service Worker is a script that the browser runs in the background, separately from the page. The MINOMO PWA uses it to cache application resources offline (HTML, CSS, JavaScript, images) via the browser's Cache API. It contains no personal data: these are application files, not information about you. The Service Worker has no access to cookies, cannot send data to third parties, and does not intercept traffic to other domains.

These technologies do not require consent under cookie regulations, as they do not involve transmitting identifiers to third-party servers or building behavioural profiles.

The absence of a banner is not an oversight. It is a deliberate architectural choice, with a precise legal basis.

The applicable framework consists of:

Directive 2002/58/EC (ePrivacy Directive), implemented in Italy by Legislative Decree 196/2003 as amended by Legislative Decree 101/2018 (Italian Privacy Code);
Regulation (EU) 2016/679 (GDPR);
the Italian Data Protection Authority Guidelines of 10 June 2021 (Decision no. 231) — "Guidelines on cookies and other tracking tools" — which constitute the binding interpretive reference in Italy.

The Italian Data Protection Authority Guidelines of 10 June 2021 make it clear that prior user consent is required exclusively for placing or reading cookies and similar tools that are not strictly necessary for the operation of the service. Technical cookies and technologies strictly necessary to make what the user has explicitly requested work — keeping the session active, remembering the chosen language, protecting the site from bot attacks — do not require consent. For these, it is sufficient to describe them in a notice, which is precisely the document you are reading.

MINOMO uses only cookies and storage of a technical nature, strictly necessary. There are no profiling cookies, no third-party cookies for advertising, and no behavioural analytics tools. Displaying a consent banner in this situation would not only be pointless but potentially misleading: it would lead the user to believe they are consenting to something that does not exist.

The absence of the banner confirms there is nothing to consent to. It is the most honest choice we could make.

Below is the complete, verified inventory, organised by domain. No relevant cookies or storage technologies are omitted.

4a. Showcase website `minomo.io`

The showcase website does not set its own application cookies. Cloudflare, which provides perimeter protection and CDN, may automatically place the following technical cookies only in circumstances where its anti-bot protection system is triggered (for example, during a challenge on a protected form, such as the one on /for-city-agents/):

Name	Purpose	Duration	Category	Legal basis	Party
`__cf_bm`	Cloudflare Bot Management. Distinguishes human traffic from automated traffic to protect forms and pages from abuse and attacks.	30 minutes	Strictly necessary	Art. 6(1)(f) GDPR — legitimate interest in platform security	Third party (Cloudflare, Inc.)
`cf_clearance`	Records the passing of a Cloudflare security challenge (e.g. anti-bot verification), preventing the challenge from being presented again for the duration of the cookie.	30 minutes	Strictly necessary	Art. 6(1)(f) GDPR — legitimate interest in platform security	Third party (Cloudflare, Inc.)

Cloudflare Turnstile — the anti-bot verification system we use on the City Agent form in place of reCAPTCHA — does not set its own tracking cookies. Verification is performed via browser signals without persistent identifiers linked to the user.

Outside anti-bot challenge scenarios, browsing the showcase website minomo.io does not result in any cookies being placed.

4b. PWA app `app.minomo.io`

Name	Purpose	Duration	Category	Legal basis	Party
`minomo_device_id`	Technical device identifier, used to keep the login session active on that specific device and to manage the lifecycle of authentication tokens (including revocation in the event of loss or device change). It is not an advertising identifier.	Persistent (long-lasting, until explicit deletion or logout)	Strictly necessary	Art. 6(1)(b) GDPR — performance of a contract (provision of the authentication service)	First party (AVi Kairos Srl)
`minomo_lang`	Stores the user's language preference (e.g. `it`, `en`, `ro`) so that it is applied automatically in subsequent sessions, without needing to select the language each time.	365 days (`max-age=31536000`)	Strictly necessary	Art. 6(1)(b) GDPR — performance of a contract; the choice of language is an integral part of the service experience	First party (AVi Kairos Srl)

Both cookies carry the SameSite=Lax attribute: they are never sent in cross-site requests initiated by third parties, eliminating the risk of CSRF and cross-domain tracking.

4c. Operational panels (merchant panel, City Agent portal, admin)

MINOMO's operational panels are accessible exclusively to authenticated merchants, City Agents, and administrators. Upon login, an HTTP session cookie is created (a server-side session identifier generated by the application framework) that keeps the user logged in for the duration of the working session. This cookie:

carries the HttpOnly attribute (not accessible from JavaScript, mitigating the risk of XSS);
carries the Secure attribute (transmitted only over HTTPS connections);
is a session cookie (expires when the browser is closed or on explicit logout).

It falls within the category of strictly necessary technical cookies and does not require consent.

4d. Third-party cookies for marketing or analytics purposes

We do not use any. No MINOMO domain loads third-party scripts that place cookies for advertising profiling, retargeting, behavioural analytics, or social tracking. Section 5 explicitly lists the services we are able to exclude from the infrastructure.

4e. Service Worker and offline storage (PWA)

For completeness and transparency — even though these are technically not cookies — we note that the MINOMO PWA uses:

Cache API: stores application resources (HTML, CSS, JavaScript, and interface images) for offline operation. Contains no personal user data.
IndexedDB: stores locally on your device content you have recently viewed (merchants, POIs, notifications) to enable offline browsing and reduce data consumption. This data never leaves your device and is updated automatically when a connection is available.
localStorage: non-sensitive interface preferences (menu state, minor local settings). Never sent to the server.

You can delete this data at any time from your browser settings, under "Site" or "Storage" for the app.minomo.io domain. Deletion logs you out of the app and removes the offline cache, but does not result in loss of account data (which is held server-side).

5. What we don't use (the MINOMO cookie manifesto)

On no MINOMO domain are the following services present — neither in the HTML code, nor in loaded scripts, nor in network requests:

Google Analytics or Google Tag Manager in any configuration;
Meta Pixel (Facebook/Instagram Pixel) or Facebook Conversions API;
LinkedIn Insight Tag;
TikTok Pixel;
Hotjar, Mouseflow, FullStory, LogRocket, or any other session recording and heatmap tool;
Mixpanel, Amplitude, Heap, or other product analytics tools based on individual tracking;
Intercom, Drift, HubSpot Tracking, or other CRM tools that track browsing behaviour;
retargeting or remarketing cookies from any advertising platform;
third-party affiliate tracking pixels.

These absences are not incidental: they are the result of a system design choice. MINOMO's business model is not based on behavioural advertising and does not require tracking users to sell their attention to advertisers. The usage statistics we produce are aggregated, anonymous, and remain on our servers.

6. How to manage cookies in your browser

You can control, limit, or delete cookies at any time from your browser settings. Below are links to the official guides for the main browsers:

Google Chrome: support.google.com/chrome/answer/95647
Mozilla Firefox: support.mozilla.org — Enhanced Tracking Protection in Firefox
Apple Safari: support.apple.com — Manage cookies in Safari
Microsoft Edge: support.microsoft.com — Delete cookies in Microsoft Edge
Opera: help.opera.com — Web preferences, cookies

For managing PWA storage (Cache API, IndexedDB, localStorage), the main browsers provide tools in the Site Settings section or in the Developer Tools (DevTools), under Application > Storage.

What happens if you disable technical cookies

The cookies we use are strictly necessary. If you block or delete them from your browser:

on the showcase website minomo.io you will notice no practical difference during ordinary browsing;
on the PWA app app.minomo.io you will not be able to maintain an active login session between visits — you will need to log in again each time you open the browser. Offline functionality will not be available if you also delete local storage data.

7. Changes to this Notice

When the cookie inventory changes — due to the introduction of new services, the removal of existing ones, or regulatory developments — we update this document, record the change in the changelog below, and, if the change involves adding cookies that are not strictly necessary (an eventuality that would also require introducing a consent banner), we will notify you proactively with at least 30 days' notice.

Change log

Version	Date	Main changes
3.0	15 May 2026	First standalone version of the MINOMO Cookie Notice. Full inventory of cookies and local storage technologies, with explicit legal basis for the absence of a consent banner. Aligned with Privacy Policy v3.0 and Subprocessors v1.0.
2.x	up to 14 May 2026	Legacy version inherited from the previous platform, no longer applicable.

8. Contact

For any questions about this Notice, the cookie inventory, or the exercise of GDPR rights:

Privacy email: [email protected]
GDPR requests form: minomo.io/en/legal/data-request/
Postal address: AVi Kairos Srl — Strada Lungă 188, Corp C2, Ap. 2, Brașov 500051, România
General enquiries: [email protected]

This Cookie Notice forms an integral part of MINOMO's Privacy Policy. In the event of conflict between the two documents, the Privacy Policy prevails.

For any questions about this Notice, contact us at [email protected].