Board Platform
Cookies Policy

1. What are cookies and why are they used?

A cookie is a short text string that is sent to the user’s browser and, if necessary, saved on the computer or mobile device when you use the Board Platform (the “Platform”); it is used to gather information on such access and usage. Some cookies are set by us and are called first-party cookies. We also use third-party cookies, which are cookies from a domain different from the domain of the Platform.

Cookies may be stored permanently on the user’s computer or mobile device and have a variable duration (persistent cookies), but may also disappear after logging out of the Platform or be of limited duration (session cookies).

2. Types of cookies used and purposes

  • Strictly necessary cookies, such as .AspNetCore.Antiforgery., are necessary for the Platform to function and for the security of the Platform, and cannot be switched off in our systems. You can block these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.
  • Functional cookies, such as route-cookie (if used only to maintain UI/navigation state), enable the Platform to provide enhanced functionality and personalization. They may be set by us or by third-party providers whose services we have added to our pages. If you do not allow these cookies, then some or all of these services may not function properly.
  • Performance cookies, such as Microsoft cookies, are used to gather information on how the Platform is used. Board uses these cookies to analyze user activities and improve the Platform functions.
  • Security cookies, such as Google reCAPTCHA, process data for their own purposes, which are security and protective ones.

3. Cookie List

| Cookie | Provider | Purpose | Category | Storage | Data Shared | Type of Cookie |
|---|---|---|---|---|---|---|
| .AspNetCore.Antiforgery. | board.com | Protects forms from cross-site request forgery (CSRF) by storing an anti-forgery token used to validate form submissions | Strictly necessary | Session | First-party | Necessary for site security and operation |
| route-cookie | board.com | Preserves route/navigation or UI state after redirects (used to keep users on the correct page after login/redirect) | Functional | 1 day | First-party | Functional, necessary for service/user experience |
| Google reCAPTCHA (and related cookies/identifiers, e.g., NID, SID, HSID, SAPISID, __Secure-3PAPISID, etc.) | Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA | Bot detection and risk analysis to protect the site against spam and automated abuse | Security | Varies (session → month). Controlled by Google | Transferred to Google (United States) and may be combined with other Google data | This is a Security cookie, and since this is a third-party cookie, the customer can revoke their use |
| idsrv.session | Board Subscription Hub | Maintains the active user session with the identity server during authentication flows | Strictly necessary | Session | First-party | Without it, the login/session continuity breaks |
| .AspNetCore.Identity.Application | Board Platform | Authentication cookie used by ASP.NET Core Identity to keep users logged in and recognize authenticated requests | Strictly necessary | Session | First-party | Core auth cookie → security + access control |
| | Board Platform | Stores the user’s selected culture/locale for formatting (e.g. dates, numbers) | Functional | Persistent | First-party | They improve UX but are not strictly required to authenticate or secure the Platform. They also do not look like tracking cookies |
| BOARD-UI-LANGUAGE | Board Platform | Stores the user’s language preference for the UI | Functional | Persistent | First-party | They improve UX but are not strictly required to authenticate or secure the Platform. They also do not look like tracking cookies |
| ai_session | Microsoft Application Insights | Groups telemetry events into a browsing session | Performance | Session | First-party. These cookies remain in the system of the customer | Data is typically pseudonymized, not anonymous. Microsoft may process data as a processor (EU → US transfer possible) |
| ai_user | Microsoft Application Insights | Distinguishes unique users for aggregated analytics | Performance | Persistent | First-party. These cookies remain in the system of the customer | Data is typically pseudonymized, not anonymous. Microsoft may process data as a processor (EU → US transfer possible) |

4. Google reCAPTCHA

What the browser sends to Google when reCAPTCHA is loaded/executed.

When the reCAPTCHA widget or script loads and runs in the browser, Google receives standard HTTP request data such as your IP address, User-Agent string, and other request headers. Google may also read or set cookies in the browser for its domains. The reCAPTCHA JavaScript collects device and browser signals and user interaction data as part of risk analysis. This can include (but is not limited to) mouse movements, touch events, timing of interactions, screen size, language, browser plugins, and other device characteristics. These signals are used for automated risk scoring. The reCAPTCHA widget produces a token (g-recaptcha-response) in the browser. This token is submitted as part of the form and posted to our server.

What our server sends to Google.

When you submit a form protected by reCAPTCHA, our server sends the browser-generated token to Google for verification using a server-side call to: https://www.google.com/recaptcha/api/siteverify?secret={your_secret_key}&response={g-recaptcha-response}

The server-to-server request therefore contains the g-recaptcha-response token and our secret key (kept on the server). Google will respond with a verification result. This server call also carries our server’s request metadata (e.g., server IP).

What Google may do with the data.

Google processes the token and the device/interaction signals to assess risk and decide whether the interaction appears to be from a human or a bot. Google may store or combine these signals with other information it holds and may set or read cookies/identifiers on the user’s device. Data is processed by Google in the United States and is subject to Google’s privacy policy and terms. For more details, see Google’s privacy policy: https://policies.google.com/privacy and reCAPTCHA documentation: https://developers.google.com/recaptcha.

Automated decision-making/profiling.

reCAPTCHA performs automated risk scoring (an automated decision-making process) to determine the likelihood that an interaction is automated. This processing is performed by Google and may involve profiling. We disclose this automated processing and provide the right to object or seek human review as described below.

Data transfer and safeguards.

Data sent to Google in connection with reCAPTCHA is transferred to the United States. Where personal data is transferred outside the European Economic Area, we will implement appropriate safeguards to protect your data (for example, Standard Contractual Clauses or other lawful mechanisms). For details on how Google handles and protects data, see Google’s privacy policy: https://policies.google.com/privacy.

Where to find more information.

Google reCAPTCHA documentation and privacy: https://developers.google.com/recaptcha and https://policies.google.com/privacy.

5. Microsoft Application Insights

Microsoft Application Insights is an application performance management and analytics service provided by Microsoft Corporation. It is used to monitor the performance, reliability, and usage of the Board Platform and to help identify, diagnose, and resolve technical issues.

What the browser sends to Microsoft when Application Insights is loaded.

When Application Insights is loaded and executed in the user’s browser, the browser may send telemetry data to Microsoft, which can include:

  • IP address (which may be truncated or anonymized, depending on configuration)
  • User-Agent string (browser type and version, operating system)
  • Device and browser characteristics
  • Pages visited and navigation events within the Platform
  • Timestamps, session duration, and interaction timing
  • Error information (such as JavaScript exceptions or failed network requests)
  • Performance metrics (for example, page load times and response times)

Application Insights may read or set cookies or similar identifiers (such as ai_session and ai_user) in the browser to associate telemetry events with a browsing session or a pseudonymous user identifier.

Purpose of the processing.

The collected data is used exclusively for:

  • Monitoring the performance and availability of the Platform
  • Detecting and diagnosing technical errors and failures
  • Improving stability, security, and user experience
  • Producing aggregated and statistical reports on Platform usage

The data is not used for advertising or marketing purposes.

What our server sends to Microsoft.

In addition to client-side telemetry, our servers may send technical and diagnostic information to Microsoft Application Insights, such as server-side request logs, response times, and error details. These data are used to correlate client-side and server-side events for troubleshooting and performance analysis.

Nature of the data and identifiers.

The cookies and identifiers used by Application Insights are intended to be pseudonymous and do not directly identify a user by name or email address. However, because online identifiers and telemetry data may still be considered personal data under applicable data protection laws, their use is subject to consent where required.

Data processing, transfers, and safeguards.

Telemetry data collected via Microsoft Application Insights may be processed by Microsoft as a data processor on behalf of Board. Data may be transferred to and processed in countries outside the European Economic Area, including the United States. Where such transfers occur, appropriate safeguards are implemented in accordance with applicable data protection laws (for example, Standard Contractual Clauses).

For more information on how Microsoft processes data in Application Insights, please refer to Microsoft’s privacy documentation:
https://learn.microsoft.com/azure/azure-monitor/app/data-collection
https://privacy.microsoft.com

6. Disabling the cookies

Please note that by disabling the cookies some personalised services may no longer be provided and some of the Platform functions may not be usable. However, each browser is different, so consult the “Help” menu of your browser for instructions on how to change your cookie preferences. After this operation, however, some Platform functions may not run correctly.

For Google reCAPTCHA and Microsoft cookies, cookies are directly installed on the Platform by these providers in order to enable security features (e.g., protection against automated abuse) and/or the proper functioning of Microsoft services integrated into the Platform. Users may revoke the use of these cookies at any time by submitting a support ticket to the Cloud Operations team, which will handle the request and apply the appropriate configuration changes where technically feasible. After this operation, however, some Platform functions may not run correctly (for example, certain forms may not work, access may be limited, or security checks may prevent completion of requests).

7. Contacts

The data collected through the use of cookies may be processed by employees and/or collaborators of Board, indicated as representatives for the processing of data under the authority of Board, in its capacity as Controller, or by the Processor, where appointed. The data collected could also be processed by third-party companies providing various types of service to Board. The complete list of processors is constantly updated and is available on request by sending an e-mail to: [email protected]. The personal data will not be disclosed in any case.