What PhishNet stores on your device, why, and how to clear or block it. We don't use tracking cookies — but we do use browser storage to keep you signed in and to cache scans.
This page explains what PhishNet stores on your device, why we store it, and how to clear or block it. It covers both traditional cookies and other browser-storage technologies (localStorage, sessionStorage, chrome.storage), because the privacy considerations are the same whether the data lives in a cookie or somewhere else.
localStorage in the web app and chrome.storage in the extension. We do not use any advertising, tracking, or analytics cookies.
HTTP Cookies
| Cookie name | Purpose | Attributes | Lifetime |
|---|---|---|---|
| refresh_token | Keeps you signed in. The server reads this cookie to issue a new access token when your session expires, without requiring you to log in again. | HttpOnly · Secure · SameSite=Strict · first-party only | Until you sign out, or the token expires (set per session). |
| oauth_state | CSRF protection during Google OAuth sign-in. A one-time nonce set before you are redirected to Google and verified when Google redirects back. | HttpOnly · Secure · SameSite=Lax · first-party only | 10 minutes (cleared immediately after use). |
| workos_oauth_state | Same CSRF protection as above, for enterprise SSO (SAML / WorkOS) sign-in flows. | HttpOnly · Secure · SameSite=Lax · first-party only | 10 minutes (cleared immediately after use). |
Browser storage (non-cookie)
| Where | Key | Purpose | Lifetime |
|---|---|---|---|
| localStorage (web app) | phishnet_access_token | Short-lived access token used to authenticate API requests. The refresh token (in the cookie above) is used to renew it. | Until you sign out or clear browser storage. |
| localStorage | phishnet:theme | Remember your light/dark mode preference. | Until you change it or clear browser storage. |
| chrome.storage (extension) | Scan cache, sensitivity, trusted-senders allowlist, panel state. | Avoid re-scanning the same email twice; remember your in-product preferences. | Per your scan-cache TTL setting (default 10 minutes for scans; preferences persist). |
| sessionStorage | Transient UI state (e.g. OAuth redirect destination). | Preserve where to send you after sign-in completes. | Until you close the tab. |
PhishNet does not use:
All cookies we set are strictly necessary for authentication and security — they are not used for advertising, analytics, or personalisation. Under ePrivacy rules, strictly-necessary cookies do not require consent. If we ever introduce non-essential cookies we will request your consent before setting them and update this page first.
Some pages of the marketing site embed resources from third parties. These providers may set their own cookies on your device, governed by their own policies:
We never share your PhishNet identity with these providers. They see only the embed itself (font request, payment session) — not your email content or account details.
You can clear what PhishNet stores on your device at any time:
refresh_token cookie server-side immediately.
chrome://extensions, find PhishNet, click "Details" → "Extension options" → "Reset". Or remove the extension entirely.
You can also block all storage for our domain at the browser level. The web app and extension will not function without their essential storage — there is no usable fallback for an unauthenticated session.
If we ever start using new storage technologies — particularly if any of them become non-essential or third-party — we will update this page and notify you in-product before the change takes effect.
Questions about what we store on your device: privacy@phishnet.ai. See also our Privacy Policy.