Cookie Policy
Version 3.0. Applies to all Trusted Rw users globally.
Last updated:
1. Overview and Commitments
This Cookie Policy explains what cookies are, which cookies Trusted Rw uses, why we use them, and the choices you have. We believe cookie usage should be transparent, limited to what is necessary, and subject to meaningful user control.
Platform commitments
We do not use cookies to build advertising profiles. We do not sell or share cookie data with third-party advertisers. We do not place tracking cookies without your prior consent. We disclose every cookie we set, the legal basis for setting it, and how long it persists. We honour your opt-out choices promptly and without degrading core service functionality beyond what is technically unavoidable.
2. What Are Cookies
A cookie is a small text file placed on your browser or device by a website you visit. Cookies allow the site to recognise your browser on return visits, maintain session state, and store small amounts of data related to your preferences or activity.
Cookies are not programs and cannot execute code or deliver malware. They are inert data files readable only by the domain that set them (subject to same-site rules) and, where applicable, by third parties whose scripts are embedded on the page.
Related technologies
We do not currently use browser fingerprinting, supercookies, pixel tracking, or localStorage-based tracking as alternatives to cookies. If we introduce any such technology in future we will update this policy and, where required, seek your consent before activation.
3. Legal Basis for Cookie Use
Our use of cookies is governed by Rwanda Law No. 058/2021 on the Protection of Personal Data and Privacy and, where applicable to European-resident users, the General Data Protection Regulation (GDPR) and the ePrivacy Directive.
| Category | Legal basis | Consent required |
|---|---|---|
| Strictly necessary | Legitimate interest in providing a secure, functioning service. Exempt from consent requirement under ePrivacy Article 5(3). | No. Cannot be disabled without breaking core service. |
| Functionality / preference | Legitimate interest in delivering the experience you have configured. Consent requested for any data beyond technical minimum. | Contextual. Optional where not technically required. |
| Analytics | Legitimate interest in improving service quality. Only aggregated, non-identifiable metrics collected. | Optional. You may opt out without loss of service access. |
| Authentication hint | Legitimate interest in reducing sign-in friction on returning visits. You may clear it at any time. | Auto-set after sign-in. Clearable via account menu. |
4. Cookies We Set
The table below lists every first-party cookie currently set by Trusted Rw. We do not set any cookies not listed here without first updating this policy.
| Cookie name | Category | Purpose | Duration | HttpOnly |
|---|---|---|---|---|
| sessionid | Strictly necessary | Maintains your authenticated session so you stay signed in as you navigate. Without this cookie, you would be signed out on every page load. | Session / configurable retention period | Yes |
| csrftoken | Strictly necessary | Cross-Site Request Forgery protection token. Validates that form submissions and API calls originate from Trusted Rw pages, not from third-party sites attempting to act on your behalf. | Up to one year | No (must be readable by JS) |
| cookie_consent | Preference | Stores the consent choice you made via the cookie banner (accepted / declined optional cookies). Without this cookie the consent prompt would re-appear on every visit. | Up to one year | No |
| trusted_g_hint | Authentication hint | Stores a URL-encoded summary of the Google account you last used to sign in (display name and email address). Used to render the personalised "Continue as [name]" button on the login and register pages, avoiding a full account-picker prompt when you return. Contains no access token or credential. You may clear it by choosing "Use a different Google account" on the login page or by clearing your cookies. | 30 days | No (must be readable by JS) |
5. Third-Party Cookies and Scripts
Trusted Rw integrates with a limited number of third-party services. These services may set their own cookies subject to their own privacy policies. We do not control third-party cookies and cannot guarantee their content.
| Service | Purpose | Their policy |
|---|---|---|
| Google Sign-In (OAuth 2.0) | Authentication flow. Google may set cookies on accounts.google.com during the OAuth redirect. Trusted Rw does not control these cookies. After authentication completes and you return to trusted.rw, only our first-party cookies listed above are set. | Google Privacy Policy at policies.google.com/privacy |
| Google Fonts / Font Awesome CDN | Delivers typography assets. These CDNs may log your IP for capacity planning. No persistent tracking cookies are set by these services on our pages. | Respective provider policies |
We do not embed social-media share buttons, advertising networks, retargeting pixels, or third-party analytics scripts that set persistent identifiers without your consent.
6. How We Protect Cookie Data
We apply the following technical controls to every cookie we set:
- HttpOnly flag on session cookies prevents JavaScript from reading the session identifier, reducing the impact of cross-site scripting attacks.
- SameSite=Lax on all cookies restricts delivery on cross-site requests, blocking most cross-site request forgery vectors by default.
- Secure flag in production ensures cookies are transmitted only over HTTPS, preventing interception over unencrypted connections.
- Minimal data principle: we store only what is required for the stated purpose. The trusted_g_hint cookie contains only display name and email address, never an access token, refresh token, or password.
- Expiry discipline: session cookies expire when the browser is closed. Persistent cookies use the shortest duration technically appropriate for their purpose.
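The controls listed above can be verified from outside by comparing the Set-Cookie response headers with the attributes declared in Sections 4 and 6. The Python below is an added example, not Trusted Rw's own code; the sample headers are constructed, the promo_id cookie is hypothetical, and it assumes lifetimes are sent as Max-Age.

```python
# Added example: audit Set-Cookie headers against the attributes this policy declares.
YEAR = 365 * 24 * 3600
# name -> (HttpOnly expected, maximum Max-Age in seconds; None = not checked)
POLICY = {
    "sessionid": (True, None),  # session / configurable retention
    "csrftoken": (False, YEAR),
    "cookie_consent": (False, YEAR),
    "trusted_g_hint": (False, 30 * 24 * 3600),
}

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, {lowercased attribute: value})."""
    first, *rest = [p.strip() for p in header.split(";")]
    attrs = {}
    for part in filter(None, rest):
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return first.split("=", 1)[0].strip(), attrs

def audit(headers):
    """Return (cookie name, finding) for every deviation from POLICY."""
    findings = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if name not in POLICY:
            findings.append((name, "cookie not disclosed in policy"))
            continue
        http_only, max_age = POLICY[name]
        if "secure" not in attrs:
            findings.append((name, "missing Secure"))
        if attrs.get("samesite", "").lower() != "lax":
            findings.append((name, "SameSite is not Lax"))
        if ("httponly" in attrs) != http_only:
            findings.append((name, "HttpOnly does not match policy"))
        age = attrs.get("max-age", "")
        if max_age is not None and (not age.isdigit() or int(age) > max_age):
            findings.append((name, "lifetime missing or longer than policy"))
    return findings

# Constructed sample response headers (not captured from trusted.rw).
SAMPLE = [
    "sessionid=abc123; Path=/; HttpOnly; SameSite=Lax; Secure",
    "csrftoken=tok456; Path=/; Max-Age=31449600; SameSite=Lax; Secure",
    "trusted_g_hint=name%3DA; Path=/; Max-Age=7776000; SameSite=None; Secure",
    "promo_id=1; Path=/",
]

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```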
7. Your Rights and Controls
You have the right to be informed about the cookies we use (this policy), to withdraw consent for non-essential cookies, and to delete any cookie we have set. These rights are recognised under Rwanda Law No. 058/2021 and the GDPR for EU-resident users.
Browser-level control
Every major browser allows you to view, block, or delete individual cookies. Common paths:
- Chrome: Settings > Privacy and security > Cookies and other site data
- Firefox: Settings > Privacy and Security > Cookies and Site Data
- Safari: Preferences > Privacy > Manage Website Data
- Edge: Settings > Cookies and site permissions > Cookies and site data
Blocking sessionid or csrftoken will prevent sign-in and form submission. All other cookies can be removed without loss of site access.
Consent banner
On your first visit we display a consent notice for optional cookies. You may change your choice at any time by clearing the cookie_consent cookie or through your browser settings. Withdrawing consent does not affect any processing carried out before withdrawal.
Google Sign-In hint
If you signed in using Google, the personalised "Continue as [name]" button on the login page is powered by the trusted_g_hint cookie. To remove it: select "Use a different Google account" on the login screen, or clear the cookie directly in your browser. The button will no longer appear until you sign in with Google again.
Account privacy settings
Signed-in users may review data retention and privacy preferences at any time from the account settings page. Deleting your account removes all server-side data associated with you, though browser cookies must still be cleared manually using the methods above.
8. Cookie Retention Schedule
| Cookie | Retention | Reset trigger |
|---|---|---|
| sessionid | Ends when browser session closes, or after the inactivity timeout configured in account security settings | New sign-in, password change, or explicit sign-out |
| csrftoken | Up to one year from last page load | Refreshed on every page that renders a Django form |
| cookie_consent | Up to one year from consent date | Overwritten when you change consent preference |
| trusted_g_hint | 30 days from last successful Google sign-in | Cleared on "Use a different Google account" action or manual deletion |
9. What We Do Not Do
We make the following binding commitments regarding cookie use:
- We do not sell cookie data or any data derived from cookies to any third party.
- We do not use cookies to build behavioural advertising profiles or cross-site tracking graphs.
- We do not share cookie identifiers with advertising networks, data brokers, or social-media platforms.
- We do not deploy fingerprinting, evercookies, or any technique designed to re-identify you after cookie deletion.
- We do not set cookies on pages that serve only public, non-personalised content unless strictly necessary for security.
- We do not store sensitive data (passwords, payment card numbers, government ID numbers) in any cookie.
10. Children's Privacy
Our service is not directed to children under 16 years of age. We do not knowingly set cookies on devices used by children. If you are a parent or guardian and believe a child under 16 has accessed our service and we have set cookies on their device, please contact privacy@trusted.rw. We will take appropriate steps to delete any cookies and associated data within 30 days of a verified request.
11. Changes to This Policy
We may update this Cookie Policy to reflect changes in the cookies we use, applicable law, or service features. When we make material changes we will:
- Update the "Last updated" date at the top of this page.
- Post a notice on the platform for at least 14 days before the change takes effect.
- Notify registered users by email when the change affects cookies that require consent.
- Re-display the consent banner where a new category of cookie is introduced.
Continued use of the platform after notice is given constitutes acknowledgement of the updated policy. If you disagree with a change, you may close your account and remove our cookies using the browser tools described in Section 7.
12. Contact
Questions about this Cookie Policy or requests to exercise your rights should be directed to our Privacy Team:
- Email: privacy@trusted.rw
- Postal address: Trusted Rw, Kigali, Rwanda
- Response time: We aim to respond to all privacy inquiries within 30 days. Complex requests involving data access or deletion may take up to 60 days, in which case we will notify you of the delay and its reason.
If you are dissatisfied with our response, you have the right to lodge a complaint with the Rwanda National Cyber Security Authority (NCSA) or the supervisory authority in your country of residence.
13. Change History
| Version | Date | Summary of changes |
|---|---|---|
| 3.0 | | Full rewrite. Added legal basis table, third-party disclosure, retention schedule, platform commitment section, children's privacy clause, detailed user controls guide, and NCSA complaint right. Aligned with Rwanda Law No. 058/2021. |
| 2.0 | 2025 | Added trusted_g_hint cookie following Google Sign-In integration. Expanded cookie table. |
| 1.0 | 2024 | Initial policy. Covered session, CSRF, and consent cookies. |