Skip to main content
← Back to Coren

COREN COOKIE NOTICE

Last updated: May 3, 2026
Document version: v1.1
Applies to: Coren — the family financial-literacy product operated by The Hiwat Group Sociedad Limitada ("THG SL").

1. About this Notice

This Notice explains how Coren uses cookies and similar browser-storage technologies (such as localStorage and sessionStorage) when a parent or child uses the Coren web or mobile application.

This Notice complements the THG SL Privacy Notice and the Coren Privacy Addendum — the underlying processing of any personal data placed in cookies is governed by those documents.

This Notice is published in line with Spain's Law on Information Society Services and Electronic Commerce (Law 34/2002, LSSI-CE), the GDPR, and Spanish Organic Law 3/2018 (LOPDGDD), which together require informed consent or a documented legitimate basis for the use of non-essential cookies.

2. What is a cookie?

A cookie is a small text file that a website places on the visitor's device to remember information across pages and visits. Similar technologies — such as localStorage, sessionStorage, and IndexedDB — also store data on the visitor's device and are covered by this Notice where they are used by Coren.

3. Categories of cookies used by Coren

3.1 Strictly necessary cookies and storage

These are required for Coren to function. Without them, the parent cannot log in, the child cannot use their PIN, and the product cannot remember which household is active. Strictly necessary cookies do not require consent under Spanish and EU law because they are essential to provide the service the parent has explicitly requested.

Examples in Coren include:

  • The authentication session cookie set after a parent or child logs in
  • A session token used to verify the household and active child
  • Storage of the user's language preference (en/es/nl), so the product loads in the same language on the next visit
  • Storage of CSRF tokens used to protect the parent's account from cross-site request forgery attacks
  • Local storage of the parent's selected theme and avatar so the product loads quickly without re-fetching

3.2 Functional preferences

These cookies and storage entries remember in-product choices that improve the experience but are not strictly necessary. They do not personally identify the user beyond what is already stored in their account.

Examples include:

  • Whether a parent has dismissed an in-product onboarding step
  • A child's last-visited tab in their dashboard

3.3 Analytics

Coren may use limited, privacy-respecting analytics to understand which features are used and to improve the product. Where analytics technology requires consent under Spanish law, Coren will request that consent before activating it.

Coren does not use third-party advertising trackers, fingerprinting, or behavioural-profiling technologies in the kid-facing surfaces.

3.4 Marketing

Coren does not use marketing cookies in the kid-facing product. Marketing communications, where the parent has opted in, are sent by email and are governed by §3.4 of the Coren Privacy Addendum, not by browser-side cookies.

4. Third-party processors that may set cookies on Coren's behalf

Where Coren relies on third-party infrastructure, those providers may set their own technical cookies necessary for the service. These currently include:

  • The hosting and authentication provider (currently Supabase / its underlying cloud provider)
  • The application-hosting provider (currently Vercel)
  • The payment provider used for subscription billing

All such providers are contractually bound to handle data only on documented instructions from THG SL and to apply at least the same standard of protection as THG SL itself.

5. Cookies and child users

Coren is designed so that child accounts use the minimum technical cookies and storage necessary to operate the in-app experience. No marketing or behavioural-tracking cookies are placed on child users.

The parent who set up the child's profile is treated as the consenting party for any cookie use in the child's session, consistent with Coren's universal parental-control model (see §4.1 of the Coren Privacy Addendum and §6.2 of the Coren Terms Addendum).

6. Managing cookies

The parent can manage cookies via their browser settings — most browsers allow blocking, deleting, or restricting cookies on a site-by-site basis. Note that blocking strictly necessary cookies will prevent Coren from functioning properly, since core features (login, household state, PIN session) depend on them.

The parent can also clear browser storage from their device's browser settings. Doing so will log the parent and any active child out of Coren on that device.

For Coren-specific questions about cookies or browser-side storage, contact assistant@thehiwatgroup.com.

7. Updates to this Notice

This Notice may be updated from time to time. Material changes will be reflected in the version number and last-updated date at the top of this document.

8. Governing Law

This Notice is governed by Spanish law and read together with the THG SL Privacy Notice and Legal Notice, in line with §7 of the THG SL Legal Notice.

9. English Version Notice

This Notice is provided in English for convenience. If a Spanish version is published, the Spanish version shall prevail in the event of any discrepancy, consistent with §7 of the THG SL Legal Notice.

Coren Cookie Notice · Coren · The Hiwat Group SL