01 · Introduction
This Cookie Policy describes how MongoQUI ("MongoQUI", "we", "our", "us") uses cookies and similar technologies on our marketing website (mongoqui.com), our documentation portal (docs.mongoqui.com), our web application (app.mongoqui.com), our billing portal (license.mongoqui.com), and the shared report viewer. It supplements the Privacy Policy and should be read together with it.
A cookie is a small text file that a website places in your browser's storage area when you visit. Cookies can be first-party (set by the domain you are visiting) or third-party (set by a different domain referenced by the page). A cookie can be a session cookie (deleted when you close the browser) or a persistent cookie (retained for a stated duration). Cookies have no access to your hard drive or to files outside the browser.
Where this policy refers to "cookies", it also includes similar technologies that perform an equivalent function, such as browser local storage, session storage, and first-party analytics beacons. Where we use those technologies they are treated under the same consent rules as the equivalent cookie.
02 · Strictly necessary cookies
These cookies are required for the Services to function. They do not require consent under the EU ePrivacy Directive or the UK Privacy and Electronic Communications Regulations (PECR), because they are strictly necessary to provide the service that you explicitly requested. You cannot disable them through our banner, but you can block all cookies at the browser level (doing so will break sign-in).
- Session cookie.
  - Name: __Host-mqui_session
  - Purpose: keeps you signed in to the MongoQUI web app, billing portal, and shared report viewer for the duration of your session. Scoped with the __Host- prefix for extra security (Secure, HttpOnly, SameSite=Lax, path scoped to /).
  - Duration: session (deleted when the browser closes) or up to 30 days on "Keep me signed in".
- CSRF token.
  - Name: mqui_csrf
  - Purpose: a cryptographic token used to prevent cross-site request forgery on form submissions and authenticated API calls.
  - Duration: session.
- Cookie-consent record.
  - Name: mqui_cookie_consent
  - Purpose: remembers your response to the cookie banner so that we do not ask again every visit, and records the categories you consented to, the timestamp, and the policy version.
  - Duration: 12 months.
These cookies are set by mongoqui.com and its subdomains; they are first-party.
03 · Performance and analytics cookies
These cookies help us understand how visitors interact with our sites in aggregate: which pages are most read, which flows drop off, and which browsers and devices are in common use. They do not identify you personally; analytics is anonymised before any aggregation.
- Web analytics. Our primary analytics provider is a first-party, privacy-centric analytics product that does not set third-party cookies, does not fingerprint the browser, and does not build cross-site profiles. It collects anonymised pageview data using first-party beacons. Because it does not set cookies or use any client-side identifier, no prior consent is strictly required under the EU ePrivacy Directive. It is nonetheless listed here in the spirit of transparency, and can be disabled at the browser level (for example, via a DNT signal, which we respect; see Section 9).
- Optional self-hosted analytics stub. We maintain a disabled-by-default code path for a future self-hosted Plausible installation. It is not currently active. If we activate it, this policy will be updated with the cookie name, duration, and opt-out mechanism at least thirty (30) days before activation, and the cookie banner will surface a new consent prompt where consent is required.
04 · Functional cookies
These cookies remember the choices you make so that the site can deliver a more personalised experience. They are loaded only after you have accepted the "Functional" category in the cookie banner (or equivalent consent), unless they are strictly necessary to deliver a feature you have explicitly requested.
- Theme preference.
  - Name: mqui_theme
  - Purpose: stores your selected theme (light or dark) so that the next visit renders in the correct theme.
  - Duration: 12 months.
- Active organisation.
  - Name: mqui_org_id
  - Purpose: remembers which organisation you last selected in a multi-org account, so that you land in the correct workspace on next sign-in.
  - Duration: 12 months.
- UI-state cookies. We may use small, first-party cookies to remember state like "left sidebar collapsed" or "default result view: table". These cookies never contain Personal Data.
  - Duration: up to 12 months each.
05 · Marketing cookies
MongoQUI does not currently set any third-party marketing or advertising cookies. We do not use ad networks, retargeting pixels, social-tracking pixels, or cross-site tracking on our own sites.
If this changes in the future (for example, if we run a time-bound paid campaign) we will update this policy, list the relevant cookies with vendor, purpose, and retention, and require prior opt-in consent on the cookie banner before any marketing cookie is set.
06 · Third-party cookies
In a small number of places, a third party may set a cookie from its own domain. We list every such case below.
- Stripe (checkout). When you are in the billing portal and initiate a payment, Stripe's embedded checkout may set cookies required for fraud prevention and session continuity on stripe.com. These are strictly necessary for the payment flow. Stripe's cookie and privacy notices are authoritative: https://stripe.com/privacy and https://stripe.com/cookies-policy/legal.
- Bot protection. On certain forms (for example, trial sign-up and password reset), we use bot protection to protect against automated abuse. It may set a short-lived challenge cookie on the provider's domain.
- GitHub Releases (desktop auto-update). The desktop app periodically checks for updates via GitHub's release feed; GitHub's web infrastructure may set standard operational cookies when your app makes that request. These are outside the browser context of our websites.
We do not embed social-media share buttons, YouTube iframes, or similar widgets that set third-party cookies on page load.
07 · The full cookie table
A single reconciled table, by cookie. This replaces the two overlapping tables on the previous version of this page.
| Cookie | Provider | Type | Purpose | Retention | Opt-out |
|---|---|---|---|---|---|
| __Host-mqui_session | MongoQUI (first-party) | Strictly necessary | Keeps you signed in; securely scoped with __Host- prefix | Session, or 30 days with "Keep me signed in" | Browser-level cookie blocking (will break sign-in) |
| mqui_csrf | MongoQUI (first-party) | Strictly necessary | CSRF protection for authenticated forms and API calls | Session | Browser-level cookie blocking (will break sign-in) |
| mqui_cookie_consent | MongoQUI (first-party) | Strictly necessary | Records your cookie-banner choices and policy version | 12 months | Clear cookies to re-prompt the banner |
| mqui_theme | MongoQUI (first-party) | Functional | Remembers light / dark theme | 12 months | Decline "Functional" in the banner; clear cookies |
| mqui_org_id | MongoQUI (first-party) | Functional | Remembers your active organisation | 12 months | Decline "Functional" in the banner; clear cookies |
| Web analytics beacon | Analytics provider | Performance (cookieless) | Anonymised pageview analytics; no client-side identifier | N/A: no cookie is set | DNT signal respected; browser-level network blocking |
| challenge_* (bot protection) | Bot protection provider | Strictly necessary | Bot-protection challenge during sign-up / reset | Minutes (short-lived challenge) | Not recommended to block; required to submit the form |
| Stripe checkout cookies | Stripe, Inc. | Strictly necessary (billing flow only) | Fraud prevention and session continuity inside checkout | As described in Stripe's notice | See Stripe's cookie notice |
08 · How to manage cookies
You have several ways to control cookies.
8.1 The MongoQUI cookie preference centre
Open the cookie preference centre from:
- the "Cookie settings" link in the footer of any mongoqui.com page;
- the "Cookies" entry in the account-settings menu when signed in to the web app; or
- the initial banner shown on first visit.
You can switch Functional and Performance categories on or off independently. Strictly necessary cookies cannot be switched off because the site cannot function without them. Your choice is recorded in mqui_cookie_consent and applies to all MongoQUI subdomains.
8.2 Browser controls
You can also manage or delete cookies directly in your browser. The steps below are correct at the time of writing; please consult your browser's current help for the definitive path.
- Google Chrome: Settings → Privacy and security → Third-party cookies (and Site data).
- Mozilla Firefox: Settings → Privacy & Security → Cookies and Site Data.
- Apple Safari: Preferences → Privacy → Manage Website Data.
- Microsoft Edge: Settings → Cookies and site permissions → Manage and delete cookies and site data.
- Brave, Vivaldi, Arc, and other Chromium-based browsers: similar paths; consult each browser's help.
Blocking all cookies will prevent you from signing in. Blocking only non-essential cookies has no effect on core functionality.
8.3 Mobile devices
On iOS and Android, in-app web views honour the browser-level cookie settings for the system browser on each platform.
09 · Do Not Track and Global Privacy Control
We respect the browser-level Do Not Track (DNT) signal. If your browser transmits DNT, we treat it as a decline of the Performance category, equivalent to declining performance cookies in our banner.
We also respect the Global Privacy Control (GPC) signal as an opt-out of any sale or sharing under the CCPA/CPRA. Because we do not sell or share Personal Information in the first place, GPC in practice has no additional effect for MongoQUI users; we nevertheless record the signal and honour it.
10 · Updates to this policy
We will update this Cookie Policy when our cookie usage changes, when we add a new Sub-processor that sets cookies, or when we change durations. When we make a material change:
- we will update the "Last updated" date at the top of this document;
- we will re-trigger the cookie banner so that you can review and re-consent; and
- for changes that materially affect your rights, we will notify registered users by email.
Minor wording or typographic corrections may be made without separate notice.
11 · Contact
- Privacy enquiries and cookie questions: privacy@mongoqui.com
- General support: support@mongoqui.com
- Postal address: MongoQUI (legal entity name TBC), United Arab Emirates. Full address to be inserted by counsel prior to publication.
If you believe we are using cookies in a way that breaches applicable law, you may contact the supervisory authority in your country (see Privacy Policy, Section 13.4).