We don’t run third-party analytics or advertising trackers on foldr.com. The Foldr SaaS app uses cookies and local storage strictly to keep you signed in and to remember your UI choices.
Last updated 2026-05-05
Foldr only uses cookies and local storage where they’re necessary to deliver the product or to remember a preference you set yourself. We don’t set any tracking cookies, and we don’t share data with advertisers.
| Name | Where | Purpose | Lifetime |
|---|---|---|---|
| foldr-theme | browser localStorage | Remembers your light / dark / auto theme choice. Never sent to us. | Until you clear browser data |
| __cf_bm | first-party cookie set by Cloudflare | Bot management. Distinguishes humans from automated traffic; required for the site to load reliably under attack. | 30 minutes |
| _cfuvid | first-party cookie set by Cloudflare | Rate-limiting and load-balancing across Cloudflare’s edge. | Session |
Refresh tokens are stored server-side as database records, never as a cookie or in browser storage. Revoking a session terminates that device’s refresh token specifically; other devices continue working until their own tokens expire or are revoked.
| Name | Where | Purpose | Lifetime |
|---|---|---|---|
| token | first-party cookie | Authentication. Carries your signed JWT so each request identifies you. Default name; some Foldr deployments rename it. | Up to your access-token lifetime, configurable per customer |
| FOLDR_TICKET | first-party cookie | Symfony session identifier. Used for short-lived pre-auth state (CSRF nonces, multi-step sign-in flows). Not an authentication credential by itself. | Session, cleared when you close the browser |
| XSRF-TOKEN | first-party cookie | CSRF protection on state-changing requests. | Session |
| FOLDR_TRUSTED_DEVICE | first-party cookie | Trusted-device flag, set when you opt in during a two-factor challenge so you don’t need to re-verify on the same browser. | Up to 365 days, configurable |
| OAUTH_SESSION | first-party cookie, set only during Microsoft sign-in | Binds the OAuth state nonce and post-sign-in return URL to your browser so the callback can reject login-CSRF attempts. HttpOnly, single-use, cleared once you complete the round-trip. | 10 minutes (cleared on success) |
| links_<hash> | first-party cookie, set only when you open a password-protected public link | Remembers that you have entered the correct link password so you don’t need to retype it for follow-up requests in the same browser session. One cookie per link. | 60 minutes |
| foldr-color-scheme | browser localStorage | Remembers your light / dark / auto theme choice. | Until you clear browser data |
| foldr-files-view | browser localStorage | Remembers whether you prefer the file browser in list or grid view. | Until you clear browser data |
| foldr-shares-view | browser localStorage | Remembers your view choice on the shares list. | Until you clear browser data |
| foldr-shares-cache | browser localStorage | Caches your shares list locally so the app loads instantly while we revalidate in the background. | Until you clear browser data |
| foldr:pinned | browser localStorage | Stores items you have pinned for quick access. | Until you clear browser data |
| foldr-notifications | browser localStorage | Tracks which notifications you have already read so we don’t re-announce them. | Until you clear browser data |
| foldr-last-activity | browser localStorage | Timestamp used to detect idle sessions. | Until you clear browser data |
We don’t embed third-party analytics, advertising or social sharing widgets that set cookies on foldr.com.
Cloudflare provides our edge and bot-protection layer; the __cf_bm and _cfuvid cookies above are set by Cloudflare on our behalf and treated as strictly necessary for the site to load reliably.
Inside Foldr SaaS, third-party providers may set cookies on their own domains when their services are used (for example, a Microsoft sign-in flow).
Those are governed by the provider’s own policies.
You can clear or block cookies and local storage from your browser settings. The marketing site stays fully functional without them; you’ll just see the default theme. The SaaS app needs the authentication cookies to keep you signed in; blocking them means signing in on every request.
Email [email protected].