Legal Documents
Cookie Policy
- Effective date
- April 22, 2026
- Version
- 2.0
Contents
Legal notice. The Russian version of this document is the authoritative text.
1. General
1.1. This Policy describes which cookies and similar technologies the KMS service uses on https://kms-system.com and *.kms-system.com.
1.2. This Policy is an integral part of the KMS Privacy Policy.
1.3. Cookies are small text files a site stores in a browser for operation, session continuity, fraud protection, and other technical purposes.
2. Cookies used in KMS
KMS uses strictly necessary cookies only. No advertising, tracking, or third-party analytics cookies are used.
| Cookie name | Purpose | Lifetime | Type | Attributes |
|---|---|---|---|---|
kms_token | Session JWT (authentication) | 1 hour (auto-refresh) | Necessary | httpOnly, Secure, SameSite=Lax |
kms_refresh | Refresh token to extend sessions without re-login | 30 days | Necessary | httpOnly, Secure, SameSite=Lax |
csrf_token | CSRF protection (double-submit pattern) | Session | Necessary | Secure, SameSite=Lax |
kms_oauth_state | Google OAuth PKCE nonce | 5 minutes | Necessary | httpOnly, Secure, SameSite=Lax |
kms_observer_kg | Platform admin kindergarten-observer mode | Session | Necessary | httpOnly, Secure |
kms_user_role | Role cache for fast front-end routing | 30 seconds | Necessary | Secure, SameSite=Lax |
kms_user_kg | Kindergarten id cache for subdomain routing | 30 seconds | Necessary | Secure, SameSite=Lax |
NEXT_LOCALE | Saved interface language (ru / ky / en) | 1 year | Necessary | Secure, SameSite=Lax |
2.1. Third-party cookies
The only third party placing cookies is Google LLC during Google OAuth sign-in. Those cookies belong to Google domains and are governed by Google's policies.
KMS does not deploy Google Analytics, Yandex Metrika, Facebook Pixel, TikTok Pixel, or other analytics / ad trackers.
3. Why consent to cookies is not required
3.1. Under Art. 9 of KR Law No. 179 and international practice, consent is not required for cookies strictly necessary for a service requested by the user.
3.2. All cookies in section 2 qualify as strictly necessary:
- Required for user authentication;
- Required for CSRF protection;
- Required for multi-tenant sub-domain routing;
- Required to preserve language across pages.
3.3. Hence no cookie-consent banner is used in KMS.
4. Similar technologies
4.1. LocalStorage. KMS stores user UI preferences under the kms-ui key (theme, sidebar state). No server transmission unless the user is authenticated and the theme syncs with the profile (users.theme_preference).
4.2. SessionStorage. Used for per-tab ephemeral data.
4.3. IndexedDB. Not used.
5. Managing and blocking cookies
5.1. Users may clear cookies and local storage in browser settings:
- Chrome / Edge: Settings → Privacy and security → Cookies and other site data;
- Firefox: Settings → Privacy & Security → Cookies and Site Data;
- Safari: Settings → Privacy → Manage Website Data.
5.2. After clearing:
- A new login is required;
- Language and theme reset to defaults;
- Transient UI glitches may occur until state is restored.
5.3. Fully blocking cookies in the browser makes KMS unusable because cookies deliver authentication and protection.
6. Transfers outside KR
6.1. All KMS-set cookies (kms_*, csrf_token, NEXT_LOCALE) are processed on the operator's own servers in the Kyrgyz Republic.
6.2. Google cookies set during OAuth are sent to Google servers in the USA. The user agrees to this by clicking "Sign in with Google." Google policy: https://policies.google.com/privacy.
7. Changes
7.1. The current version is at https://kms-system.com/{locale}/legal/cookies.
7.2. Material changes are announced in-app at least 14 days in advance.
8. Contacts
- DPO: [email protected]
- Support: [email protected]
- Website: https://kms-system.com
