Cookie Policy

1. Introduction & Scope

This Cookie Policy explains how SteelCorr uses cookies, authentication tokens, and SDK-based tracking technologies across our web application (https://dpr.steelcorr.com/) and mobile applications (iOS & Android). Both platforms are hosted on Microsoft Azure Web App Service. By using our platforms, you consent to the tracking practices described below. You may withdraw or manage consent at any time as described in Section 5.

2. Tracking Technologies by Platform

Our web application uses browser cookies stored on your device. Our mobile applications (iOS & Android) do not use browser cookies — instead they use SDK-based identifiers, device advertising IDs (iOS IDFA / Android GAID), and secure device storage (iOS Keychain / Android Keystore) for equivalent functions. Microsoft Entra ID (Azure AD) is used for authentication across both platforms, issuing secure tokens upon login.

3. Complete Tracking & Cookie Inventory

The table below lists all cookies and tracking identifiers used across our web and mobile platforms:

Identifier / Cookie	Platform	Type	Purpose	Duration
session_id, auth_token	Web	Necessary	Session management & secure login	Session
csrf_token	Web	Necessary	Cross-site request forgery protection	Session
msal_token, msal.idtoken	Web & Mobile	Necessary	Microsoft Entra ID authentication	Session
cookie_consent	Web	Necessary	Records your consent preferences	1 year
user_prefs	Web	Functional	Stores UI preferences (layout, language)	30 days
remember_me	Web	Functional	Keeps user logged in if opted in	14 days
ai_session, ai_user	Web	Analytics	Azure App Insights — usage & performance	Session / 1 yr
App Insights SDK ID	iOS & Android	Analytics	Azure App Insights — app telemetry	90 days
iOS IDFA / Android GAID	iOS & Android	Analytics	Device ad ID — only with OS permission	Until reset
App Session Token	iOS & Android	Necessary	Secure in-app session (Keychain/Keystore)	Session

Analytics identifiers (Azure App Insights, iOS IDFA, Android GAID) are activated only with your explicit consent. Microsoft Entra ID tokens are strictly necessary for authentication and do not require separate consent.

4. Legal Basis & Third-Party Services

We process tracking data under the following legal bases:

Contractual Necessity: session tokens, auth tokens, CSRF — required for platform operation.
Consent: analytics (App Insights SDK, ai_session, ai_user, IDFA, GAID) and functional cookies — only activated with your prior consent.
Legitimate Interest: consent record cookie — to honor and store your stated preferences.

Third-party services used and their data processing scope:

Microsoft Azure App Insights (Microsoft Corp.): performance monitoring and usage analytics on web and mobile. Data may be processed on Microsoft's global infrastructure. Privacy Statement: privacy.microsoft.com
Microsoft Entra ID / Azure AD (Microsoft Corp.): user authentication on web and mobile. Tokens stored securely in browser session storage (web) or device Keychain/Keystore (mobile).

We do not permit third-party services to use collected data for their own advertising.

5. Managing Your Preferences

You may manage or withdraw consent for non-essential tracking at any time through the following methods:

Web App — Cookie Preference Center: accessible via the platform footer at any time. You may accept, reject, or customize non-essential cookies without affecting core functionality.
Web App — Browser Settings: use your browser's cookie management settings to view, delete, or block cookies. Note: blocking strictly necessary cookies will prevent login.
iOS — App Tracking Transparency: go to Settings > Privacy & Security > Tracking > DPR to enable or disable tracking.
Android — Advertising ID: go to Settings > Google > Ads to reset or opt out of your Advertising ID.
Mobile — In-App Settings: use the tracking preference screen in the app Settings menu to toggle analytics on or off at any time.
Uninstalling the App: removes all locally stored tokens and identifiers from your device immediately.

6. Data Retention & Your Rights

Session cookies and tokens are deleted when you close your browser or log out. Persistent cookies are retained as per the durations in Section 3. Azure App Insights telemetry is retained for 90 days. Server-side access logs are retained for 90 days for security and audit purposes, after which data is securely deleted.

You have the following rights regarding your personal data:

Your Right	What It Covers
Access & Correction	Request a copy or correction of your personal data
Deletion	Request deletion of your data where applicable
Withdraw Consent	Withdraw consent for non-essential tracking at any time
Portability & Objection	Request data transfer or object to processing
Lodge a Complaint	File a complaint with the UAE data protection authority

To exercise any right, contact our Data Protection Officer at info@steelcorr.com. We will respond within 30 days. Identity verification may be required.

7. Policy Updates & Contact

We may update this policy to reflect platform changes or legal requirements. Material changes will be communicated via a notice on the web app and an in-app notification on mobile, along with an updated effective date above. We encourage you to review this policy periodically.