In due righe
On MINOMO we use strictly necessary technical cookies only — no profiling, no advertising trackers, no third-party analytics. Audience measurement is first-party and cookieless (self-hosted Matomo, IP anonymised). No consent banner: nothing requiring consent is stored on your device.
What cookies are
Cookies are small text files that a website places in a user’s browser when they visit it. They are read automatically by the browser on subsequent requests to the same site and serve various purposes: keeping a login session active, remembering preferences such as language, or — in their more intrusive form — tracking a user’s browsing across multiple sites to build advertising profiles.
Cookies are distinguished primarily by duration:
- Session cookies: these exist only for the duration of the browser session. They are deleted automatically when the browser is closed.
- Persistent cookies: these have a defined expiry date and remain on the device even after the browser is closed, until they expire naturally or are deleted by the user.
And by origin:
- First-party cookies: placed directly by the website you are visiting, under its own domain.
- Third-party cookies: placed by a domain different from the website you are visiting — typically an external analytics, advertising, or social-media service embedded in the page.
Cookies and similar technologies
Beyond cookies in the strict sense, there are other client-side storage technologies worth distinguishing.
localStorage and sessionStorage: These are browser storage areas accessible via JavaScript. Unlike cookies, they are never sent automatically to the server with HTTP requests. MINOMO uses localStorage to store non-sensitive interface preferences (for example, the state of the menu or the last active tab) in an entirely client-side manner, without transmission to the server.
IndexedDB: A structured database in the browser, used in the MINOMO PWA to cache offline content: previously visited pages, followed merchant data, saved itineraries. Data in IndexedDB never leaves your device — it exists to let you use the app even without a connection.
Service Worker and Cache API: The Service Worker is a script that the browser runs in the background. The MINOMO PWA uses it to cache application resources offline (HTML, CSS, JavaScript, images) via the browser’s Cache API. It contains no personal data. The Service Worker has no access to cookies, cannot send data to third parties, and does not intercept traffic to other domains.
These technologies do not require consent under cookie regulations, as they do not involve transmitting identifiers to third-party servers or building behavioural profiles.
Why you won’t find a cookie banner on MINOMO
The absence of a banner is not an oversight. It is a deliberate architectural choice, with a precise legal basis.
The applicable framework consists of:
- Directive 2002/58/EC (ePrivacy Directive), implemented in Italy by Legislative Decree 196/2003 as amended by Legislative Decree 101/2018;
- Regulation (EU) 2016/679 (GDPR);
- the Italian Data Protection Authority Guidelines of 10 June 2021 (Decision no. 231) — “Guidelines on cookies and other tracking tools”.
The Guidelines make it clear that prior user consent is required exclusively for placing or reading cookies and similar tools that are not strictly necessary for the operation of the service. Technical cookies strictly necessary to make what the user has explicitly requested work — keeping the session active, remembering the chosen language, protecting the site from bot attacks — do not require consent. For these, it is sufficient to describe them in a notice, which is precisely the document you are reading.
MINOMO uses only cookies and storage of a technical nature, strictly necessary. There are no profiling cookies, no third-party cookies for advertising, and no behavioural analytics tools. Displaying a consent banner in this situation would not only be pointless but potentially misleading.
The absence of the banner confirms there is nothing to consent to. It is the most honest choice we could make.
Cookies and storage used by MINOMO
Below is the complete, verified inventory, organised by domain.
Showcase website minomo.io
The showcase website does not set its own application cookies. Cloudflare, which provides perimeter protection and CDN, may automatically place the following technical cookies only in circumstances where its anti-bot protection system is triggered (for example, during a challenge on a protected form):
| Name | Purpose | Duration | Category | Legal basis | Party |
|---|---|---|---|---|---|
__cf_bm | Cloudflare Bot Management. Distinguishes human traffic from automated traffic to protect forms and pages from abuse and attacks. | 30 minutes | Strictly necessary | Art. 6(1)(f) GDPR — legitimate interest in platform security | Third party (Cloudflare, Inc.) |
cf_clearance | Records the passing of a Cloudflare security challenge, preventing the challenge from being presented again for the duration of the cookie. | 30 minutes | Strictly necessary | Art. 6(1)(f) GDPR — legitimate interest in platform security | Third party (Cloudflare, Inc.) |
Cloudflare Turnstile — the anti-bot verification system we use on the City Agent form in place of reCAPTCHA — does not set its own tracking cookies. Verification is performed via browser signals without persistent identifiers linked to the user.
Outside anti-bot challenge scenarios, browsing the showcase website minomo.io does not result in any cookies being placed.
PWA app app.minomo.io
| Name | Purpose | Duration | Category | Legal basis | Party |
|---|---|---|---|---|---|
minomo_device_id | Technical device identifier, used to keep the login session active on that specific device and to manage the lifecycle of authentication tokens (including revocation in the event of loss or device change). It is not an advertising identifier. | Persistent (until explicit deletion or logout) | Strictly necessary | Art. 6(1)(b) GDPR — performance of a contract | First party (AVi Kairos Srl) |
minomo_lang | Stores the user’s language preference (e.g. it, en, ro) so that it is applied automatically in subsequent sessions. | 365 days (max-age=31536000) | Strictly necessary | Art. 6(1)(b) GDPR — performance of a contract | First party (AVi Kairos Srl) |
Both cookies carry the SameSite=Lax attribute: they are never sent in cross-site requests initiated by third parties, eliminating the risk of CSRF and cross-domain tracking.
Operational panels (merchant panel, City Agent portal, admin)
MINOMO’s operational panels are accessible exclusively to authenticated merchants, City Agents, and administrators. Upon login, an HTTP session cookie is created that keeps the user logged in for the duration of the working session. This cookie:
- carries the
HttpOnlyattribute (not accessible from JavaScript, mitigating the risk of XSS); - carries the
Secureattribute (transmitted only over HTTPS connections); - is a session cookie (expires when the browser is closed or on explicit logout).
It falls within the category of strictly necessary technical cookies and does not require consent.
Third-party cookies for marketing or analytics purposes
We do not use any. No MINOMO domain loads third-party scripts that place cookies for advertising profiling, retargeting, behavioural analytics, or social tracking.
First-party audience measurement (Matomo, cookieless)
To understand how our public pages are used — which content is read, where visitors arrive from in aggregate — we run Matomo, an open-source analytics tool self-hosted on our own infrastructure (matomo.minomo.io). It is configured for the maximum-privacy, consent-free profile:
- No cookies, no device storage. Matomo runs with
disableCookies: it does not write or read any cookie, identifier, or fingerprint on your device. Because nothing is stored on or read from the terminal, the ePrivacy consent requirement (Art. 5(3)) is not triggered. - IP anonymised. The last bytes of the IP address are masked server-side before storage, so visitors are not individually identifiable.
- First party only. The data stays on our servers. It is never sent to Google or any other third party, and there is no cross-site or cross-device tracking.
- Aggregate purpose. We use it solely to produce aggregate statistics (page views, referrers, approximate country), never to profile individuals.
- Do Not Track honoured. If your browser sends a Do Not Track (DNT) or Global Privacy Control (GPC) signal, Matomo collects nothing.
The lawful basis is our legitimate interest (Art. 6(1)(f) GDPR) in measuring and improving our own service in a privacy-preserving way — the basis recognised by EU data-protection authorities for exempt, anonymised, first-party audience measurement. Since no information is stored on or read from your device and no profiling takes place, no consent banner is required. You can opt out at any time through your browser’s Do Not Track setting.
Service Worker and offline storage (PWA)
For completeness and transparency — even though these are technically not cookies — the MINOMO PWA uses:
- Cache API: stores application resources (HTML, CSS, JavaScript, and interface images) for offline operation. Contains no personal user data.
- IndexedDB: stores locally on your device content you have recently viewed (merchants, POIs, notifications) to enable offline browsing. This data never leaves your device.
- localStorage: non-sensitive interface preferences (menu state, minor local settings). Never sent to the server.
You can delete this data at any time from your browser settings, under “Site” or “Storage” for the app.minomo.io domain.
What we don’t use
On no MINOMO domain are the following services present — neither in the HTML code, nor in loaded scripts, nor in network requests:
- Google Analytics or Google Tag Manager in any configuration;
- Meta Pixel (Facebook/Instagram Pixel) or Facebook Conversions API;
- LinkedIn Insight Tag;
- TikTok Pixel;
- Hotjar, Mouseflow, FullStory, LogRocket, or any other session recording and heatmap tool;
- Mixpanel, Amplitude, Heap, or other product analytics tools based on individual tracking;
- Intercom, Drift, HubSpot Tracking, or other CRM tools that track browsing behaviour;
- retargeting or remarketing cookies from any advertising platform;
- third-party affiliate tracking pixels.
These absences are the result of a system design choice. MINOMO’s business model is not based on behavioural advertising.
How to manage cookies in your browser
You can control, limit, or delete cookies at any time from your browser settings. Below are links to the official guides for the main browsers:
- Google Chrome: support.google.com/chrome/answer/95647
- Mozilla Firefox: support.mozilla.org — Enhanced Tracking Protection in Firefox
- Apple Safari: support.apple.com — Manage cookies in Safari
- Microsoft Edge: support.microsoft.com — Delete cookies in Microsoft Edge
- Opera: help.opera.com — Web preferences, cookies
For managing PWA storage (Cache API, IndexedDB, localStorage), the main browsers provide tools in the Developer Tools (DevTools), under Application > Storage.
What happens if you disable technical cookies: The cookies we use are strictly necessary. If you block or delete them:
- on the showcase website
minomo.ioyou will notice no practical difference during ordinary browsing; - on the PWA app
app.minomo.ioyou will not be able to maintain an active login session between visits. Offline functionality will not be available if you also delete local storage data.
Changes to this Notice
When the cookie inventory changes — due to the introduction of new services, the removal of existing ones, or regulatory developments — we update this document, record the change in the changelog below, and, if the change involves adding cookies that are not strictly necessary, we will notify you proactively with at least 30 days’ notice.
Change log
| Version | Date | Main changes |
|---|---|---|
| 3.1 | 17 June 2026 | Added the first-party, cookieless audience measurement section (self-hosted Matomo, IP anonymised, Do Not Track honoured), with its legal basis. The no-banner position is unchanged: nothing requiring consent is stored on the device. |
| 3.0 | 15 May 2026 | First standalone version of the MINOMO Cookie Notice. Full inventory of cookies and local storage technologies, with explicit legal basis for the absence of a consent banner. Aligned with Privacy Policy v3.0 and Subprocessors v1.0. |
| 2.x | up to 14 May 2026 | Legacy version inherited from the previous platform, no longer applicable. |
Contact
For any questions about this Notice, the cookie inventory, or the exercise of GDPR rights:
- Privacy email: [email protected]
- GDPR requests form: minomo.io/en/legal/data-request/
- Postal address: AVi Kairos Srl — Strada Lungă 188, Corp C2, Ap. 2, Brașov 500051, România
- General enquiries: [email protected]
This Cookie Notice forms an integral part of MINOMO’s Privacy Policy.