Cookie Policy for ExpressAI
Powered by ExpressVPN
Last Updated: January 28, 2026
1. Purpose and Scope
This Cookie Policy (“Policy”) describes the use of cookies and browser-based storage technologies by ExpressAI, an artificial intelligence chat service operated by ExpressVPN (“ExpressAI,” “we,” “us,” or “our”), in connection with users’ access to and use of the service.
This Policy is intended to satisfy applicable transparency obligations under Regulation (EU) 2016/679 (the “General Data Protection Regulation” or “GDPR”), Directive 2002/58/EC as amended (the “ePrivacy Directive” or “Cookie Law”), and all other applicable data protection and privacy laws.
ExpressAI deploys exclusively first-party cookies and storage mechanisms that are strictly necessary for the provision, security, and integrity of the service. ExpressAI does not employ analytics cookies, advertising cookies, tracking pixels, fingerprinting technologies, or third-party tracking mechanisms of any kind.
2. Definition of Cookies and Storage Technologies
“Cookies” are small text files placed on a user’s device by a website or application for the purpose of enabling core technical functionality. Browser storage technologies, including localStorage and sessionStorage, serve analogous functional purposes, either persistently or for the duration of a browser session.
3. Cookies and Storage Technologies in Use
All cookies and storage items described below are first-party, strictly necessary for the operation of ExpressAI, and exempt from consent requirements pursuant to GDPR Recital 32 and Article 5(3) of the ePrivacy Directive, as they are essential to the provision of the service expressly requested by the user.
| Type | Name / Key | Purpose | Retention Period | Personal Data Considerations | Security Safeguards |
|---|---|---|---|---|---|
| Session Cookie | Session ID | Authenticates user sessions and maintains a secure login state | 24 hours | Contains a randomly generated identifier. Although it does not directly identify a user (e.g., by name or email), it is linked to an authenticated session and therefore constitutes personal data under the GDPR. | Secure and HttpOnly flags enabled; transmitted exclusively over HTTPS |
| localStorage | master_password_created | Records master password setup status to prevent repeated prompts | Persistent (until user deletion) | Boolean value only. No personal data stored or inferred. | Encrypted at rest; restricted to ExpressAI origin |
| localStorage | master_password_created_{krn} | Tracks master password status on a per-subscription basis | Persistent (until user deletion) | Key contains a one-way cryptographic hash of a subscription identifier (“KRN”). No raw identifier or personally identifiable information is stored. Value is a boolean flag. | One-way hashing; non-reversible; origin-isolated |
| sessionStorage | processed_code | Prevents duplicate OAuth token exchanges during authentication | Until browser tab closure | Temporary functional indicator. No personal data stored. | Session-scoped; automatically deleted upon tab closure |
Clarification on KRN:
“KRN” refers to a subscription identifier processed using a one-way cryptographic hash function. The original identifier cannot be reconstructed from the stored value.
4. Legal Basis for Processing
The processing of cookies and storage data described in this Policy is conducted pursuant to the following legal bases under Article 6 GDPR:
- Session ID cookie: Article 6(1)(b) (processing necessary for the performance of a contract, namely the provision of an authenticated service) and Article 6(1)(f) (legitimate interests in ensuring service security and preventing unauthorized access).
- localStorage and sessionStorage items: Article 6(1)(b), as such processing is strictly necessary to deliver the functionality explicitly requested by the user, including authentication integrity and password persistence.
- No processing is carried out for profiling, marketing, behavioral analysis, or other non-essential purposes.
5. User Rights and Control
Although the cookies and storage mechanisms described herein are essential to the operation of ExpressAI, users retain the following controls and rights:
- Browser-level controls: Users may configure their browser settings to block or delete cookies and local storage (e.g., via Chrome, Firefox, Safari, or Edge). Please note: Disabling session cookies will terminate authenticated sessions, and clearing local storage will reset password-related prompts.
- Data subject rights: To the extent that personal data is processed, users retain all rights afforded under the GDPR, including the rights of access, rectification, erasure, and restriction of processing. Requests may be directed to ExpressVPN’s Data Protection Officer.
- Consent exemption: As ExpressAI uses only strictly necessary technologies, no cookie consent banner is displayed, in accordance with EDPB Guidelines 04/2020.
6. Security Measures
ExpressAI and ExpressVPN implement appropriate technical and organizational measures, including:
- Cryptographically secure random generation of session identifiers;
- Enforcement of Secure (HTTPS-only) and HttpOnly attributes on session cookies;
- Use of industry-standard cryptographic hashing algorithms (including SHA-256 or stronger) for hashed identifiers;
- Regular independent third-party security audits conducted by ExpressVPN.
7. Amendments to This Policy
Material changes to this Policy will be communicated by:
- Updating this Policy with a revised “Last Updated” date; and
- Providing an in-service notification upon the user’s next login where changes materially affect functionality.
8. Contact Information
For inquiries, data subject requests, or privacy-related concerns, please contact:
Data Protection Officer
Email: dpo@expressvpn.com