REST Countries

Cookie Policy

Last updated: 08 June, 2026

In plain language. We use eight first-party cookies covering five purposes: authenticating your session, letting the dashboard show the right logged-in or logged-out UI, remembering your opt-in to stay logged in across browser sessions, tracking that we've shown you our cookie information banner, and securing the email-link confirmation forms. We don't use analytics, advertising, retargeting, or fingerprinting.

1. Who this policy is from

This Cookie Policy is part of the privacy framework operated by ONC Inc. ("REST Countries"), a corporation incorporated under the laws of the Province of Ontario, Canada. It complements our Privacy Policy and applies to restcountries.com, the customer dashboard, and any subdomains we operate.

2. What cookies are

Cookies are small files that a website asks your browser to store and return on subsequent visits. They can be set by the site you're visiting (first-party) or by a third party loaded on the page (third-party). Cookies fall into a few rough categories:

  • Strictly necessary: required for the site to function (log-in, security, load-balancing). No consent required under EU/UK/Quebec rules.
  • Functionality / preferences: remember non-essential choices (e.g. dark mode). Often consent-based.
  • Performance / analytics: measure how the site is used. Consent-based in most regulated jurisdictions.
  • Advertising / tracking: build a profile, target ads, retarget across sites. Consent-based everywhere it matters.

3. Cookies we set

We set eight first-party cookies, grouped here by purpose. The names below are the production cookie names you'll see in your browser's developer tools.

Authentication

  • s-tkn0_pI: holds the public identifier of your authenticated session token; the server uses it to recognize you between page loads. This cookie is HTTP-only, so browser JavaScript cannot read it. Expires at the end of the browser session unless you opt into persistent sessions, in which case it expires after thirty (30) days. Strictly necessary.
  • c-stat-lI: records that a logged-in session exists so browser-side dashboard controls can show the right logged-in or logged-out UI. It does not authenticate requests; only the server session token does. Expires at the end of the browser session unless you opt into persistent sessions, in which case it expires after thirty (30) days. Strictly necessary.

Email-link form security

  • s-stat-csrf: holds a short-lived security nonce used by the email-link confirmation pages (sign-up confirm, password reset, email change). The form on that page is rejected if the nonce in the submitted form doesn't match the cookie value, which blocks automated tools from confirming on your behalf. Expires after five (5) minutes. Strictly necessary.

Persistent sessions (stay logged in)

  • c-stat-pS: set when you have opted into persistent sessions ("keep me logged in"). Persistent (one year). Optional / opt-in.
  • c-stat-pSPG: records that you granted permission to enable persistent sessions. Persistent (one year). Optional / opt-in.
  • c-stat-pSPGT: timestamp of when you granted that permission. Persistent (one year). Optional / opt-in.

Cookie-information banner state

  • c-stat-cBS: records that we have shown you our cookie-information banner so we don't redisplay it on every visit. Persistent (one year). Strictly necessary.
  • c-stat-cBST: timestamp of when the cookie-information banner was last shown. Persistent (one year). Strictly necessary.

None of our cookies are tied to advertising and none cross domains. We use no Local Storage or IndexedDB for tracking purposes.

4. What we don't use

  • No analytics cookies: none of the cookies we set are used for analytics or usage measurement.
  • No advertising or retargeting cookies: we don't run paid retargeting and don't carry advertising pixels (Meta, Google Ads, LinkedIn Insight, X, Reddit, etc.).
  • No third-party trackers, pixels, or fingerprinting: no canvas fingerprinting, no audio fingerprinting, no font enumeration, no device-graph integration.
  • No session-replay tools: we do not use Hotjar, FullStory, LogRocket, or equivalents.

5. Why no consent banner

Under the EU ePrivacy Directive (2002/58/EC, as amended) and the corresponding national laws of EU member states and the UK, websites must obtain prior consent before storing cookies that are not strictly necessary for a service the user has explicitly requested. Quebec's An Act respecting the protection of personal information in the private sector (Law 25) applies the same standard. Because every cookie we set is strictly necessary to deliver the Service you've asked for, no consent is required and no banner is shown.

If we ever introduce a non-essential cookie (for example, anonymized analytics or A/B testing), we will present a clear opt-in mechanism, default to "off," and respect your choice, including any global signals such as Global Privacy Control where the law makes them binding.

6. Managing cookies

You can clear, block, or restrict cookies at any time through your browser settings. Helpful instructions are linked from each browser's official documentation.

Disabling s-tkn0_pI will prevent authenticated dashboard pages from recognizing your account. Clearing c-stat-lI may make browser-side controls treat you as logged out until the session state is refreshed; it does not, by itself, end your server session. Clearing the persistent-session cookies (c-stat-pS, c-stat-pSPG, c-stat-pSPGT) revokes the "keep-me-logged-in" preference; you'll be signed out at the end of each browser session until you opt in again. Clearing the cookie-banner cookies (c-stat-cBS, c-stat-cBST) just causes the cookie-information banner to be redisplayed on your next visit. Blocking s-stat-csrf stops the confirmation button on the email-link pages (sign-up confirm, password reset, email change) from working; the cookie regenerates every time you open one of those pages, so a refresh is enough to recover.

7. Do Not Track and Global Privacy Control

We honour the DNT header and Global Privacy Control (Sec-GPC) signal where applicable. Since we don't run cross-site trackers, the practical effect is the same regardless of the signal, but we record the preference for any future feature that might depend on consent.

8. Changes to this policy

If we add a new cookie, we'll update this page and, for any non-essential cookie, present a clear opt-in. Material changes will be announced by email or in-app notice at least fourteen (14) days in advance.

9. Contact

Questions about cookies, this policy, or any privacy-related matter? Contact our privacy team.