Technical Policy
Document No. CP-2026-001
Effective Date
November 6, 2025
Last Revised
July 2, 2026
Jurisdiction
Republic of the Philippines
Regulatory Framework
Data Privacy Act of 2012
This Cookie Policy ("Policy") explains how OOPA Philippines, Inc. ("Company," "we," "us," or "our") uses cookies and similar storage technologies on the OOPA vehicle rental platform, including the website at app.oopa.phand the mobile application available on Android and iOS ("Platform").
This Policy supplements our Privacy Policy and should be read together with it. It describes exactly which cookies and storage mechanisms are in use, who sets them, what they do, and how you can control them.
This Policy applies to the technologies actually deployed on the Platform as of the Last Revised date above. We do not use any tracking technology that is not listed here.
Cookies are small text files stored on your device (computer, tablet, or smartphone) when you visit a website. They allow the website to recognize your device across requests within the same session, or across multiple visits. The Platform also uses browser localStorage, which is a similar storage mechanism with larger capacity that persists until explicitly cleared, and session storage, which is cleared when you close the browser tab.
Session cookies: Deleted automatically when you close your browser. Used for login sessions.
Persistent cookies: Remain on your device until they expire or you delete them. Used for performance monitoring.
First-party cookies: Set by OOPA directly.
Third-party cookies: Set by external services integrated into the Platform (e.g., New Relic, Cloudflare).
The following table is a complete, accurate inventory of all cookies and storage technologies in use on the Platform. We do not use advertising cookies, tracking pixels, or remarketing technologies.
These are essential for the Platform to function. They cannot be disabled without preventing you from logging in or using core features. No consent is required for these under the DPA.
| Name | Type | Set By | Purpose | Duration |
|---|---|---|---|---|
| customer_access_token | HttpOnly, Secure cookie | OOPA (1st party) | Stores your authentication JWT (about 60 minutes). Proves you are logged in. Transmitted only over HTTPS, inaccessible to JavaScript. | Session / auto-refreshed by token rotation |
| customer_refresh_token | HttpOnly, Secure cookie | OOPA (1st party) | Renews your access token so you stay signed in without re-entering your password. Single-use with rotation. Inaccessible to JavaScript. | Up to 30 days (web) / 90 days (app), sliding |
| oopa_user (localStorage) | Browser localStorage | OOPA (1st party) | Stores minimal non-sensitive session state (your user ID, a signed-in flag, and KYC verification status) as a Zustand store, so the app can restore your session without an extra request on every page load. Contains no name, password, or payment data. | Until logout or manual clear |
These first-party localStorage entries remember your preferences and app state so the Platform works smoothly across visits. They stay on your device, are never used for advertising or cross-site tracking, and can be cleared at any time (see Section V). None contains your password or payment card data.
| Key | Purpose |
|---|---|
| oopa-favorites | Vehicles you have favorited. |
| oopa-view-history | Recently viewed vehicles. |
| oopa-saved-searches | Searches you have saved. |
| unified-search-storage | Your current search bar state and filters. |
| location_history | Recent location searches in the location picker. |
| booking-trip-session | An in-progress booking / trip draft. |
| oopa-notifications | Your in-app notification list. |
| oopa_account_mode | Whether you are browsing as a renter or a host. |
| oopa_support_chat | Your support-chat conversation state. |
| oopa_onboarding_completed | Whether you have finished first-run onboarding. |
| app-banner-dismissed | Whether you dismissed the "Get the app" banner. |
| oopa-rq-v2 | A cache of recently loaded data (TanStack Query) for faster page loads. |
| reverse_geocode_cache_v1 / forward_geocode_cache_v1 | Cached map/geocoding lookups to reduce repeat requests. |
A few short-lived sessionStorage entries are also used during sign-in and checkout (for example, to remember where to return you after a social login or a payment redirect); these clear automatically when the task completes or you close the tab.
These help us understand how the Platform performs and identify errors. They are active only in the production environment and only when the required environment variables are configured. No personally identifiable information is intentionally transmitted.
| Name | Type | Set By | Purpose | Duration |
|---|---|---|---|---|
| New Relic Browser Agent (NRBA) | Persistent cookie + session storage | New Relic, Inc. (3rd party, US) | Collects page load times, JavaScript errors, AJAX request durations, and browser session traces for application performance monitoring and error diagnosis. Session replay is disabled. Data is retained by New Relic in the US. | Up to 1 year |
The Platform's DNS and web traffic are routed through Cloudflare's global network for security, performance, and DDoS protection. Cloudflare may set cookies at the network level before a request reaches OOPA's servers. These are set by Cloudflare, Inc. (United States), not by OOPA.
| Name | Type | Set By | Purpose | Duration |
|---|---|---|---|---|
| __cf_bm | Secure cookie | Cloudflare, Inc. (3rd party, US) | Bot Management: distinguishes between human users and automated bots to protect against malicious traffic and DDoS attacks. | 30 minutes |
| _cfuvid | Secure cookie | Cloudflare, Inc. (3rd party, US) | Rate Limiting: tracks users for identifying and managing abusive traffic patterns. Used in conjunction with bot management. | Session |
| cf_clearance | Secure cookie | Cloudflare, Inc. (3rd party, US) | Challenge Clearance: set after a visitor passes a Cloudflare security challenge (e.g., CAPTCHA or JS challenge), permitting continued access. | 30 minutes to 24 hours |
These cookies are strictly necessary for network-level security. They cannot be disabled without potentially blocking your access to the Platform. For more information, see Cloudflare's Cookie Policy at cloudflare.com/cookie-policy.
These are only relevant if you choose to log in using a social account. If you use email/password login, none of these technologies are invoked.
| Provider | Type | Purpose | Duration |
|---|---|---|---|
| Google (accounts.google.com) | Google-set cookies | OAuth 2.0 authentication flow. Google sets its own session cookies to verify your identity during sign-in. Governed by Google's Privacy Policy. | Per Google's policy |
| Facebook (facebook.com) | Meta-set cookies | OAuth 2.0 authentication flow. Meta sets its own cookies during Facebook Login. Governed by Meta's Privacy Policy. | Per Meta's policy |
| Apple (appleid.apple.com) | Apple-set tokens | Sign in with Apple. Apple handles authentication on its own domain; OOPA receives only an identity token. Governed by Apple's Privacy Policy. | Per Apple's policy |
OOPA does not place any advertising or tracking cookies on behalf of Google, Meta, or Apple. The OAuth flow is a redirect to their respective domains; any cookies they set are governed entirely by their own policies.
When you open a map or use a location / address feature, the Platform loads the Google Maps JavaScript APIfrom Google. Google serves the map tiles and may set its own cookies and receive your IP address together with the location text or coordinates you enter, governed by Google's Privacy Policy. If you do not use a map or location feature, this script is not loaded.
WHAT WE DO NOT USE:
The Platform does not use Google Analytics, Facebook Pixel, advertising cookies, retargeting cookies, heatmapping tools (Hotjar, Mouseflow), A/B testing cookies, or any other marketing or behavioural tracking technology. If this changes in the future, this Policy will be updated and you will be notified in accordance with Section VII.
The OOPA mobile app (App ID: ph.oopa.app) is built with the Capacitor framework and runs as a native WebView loading m.oopa.ph. The same first-party cookies and localStorage mechanisms described in Section III apply within the WebView.
On first launch, if you grant notification permission, the app registers with Firebase Cloud Messaging (FCM), a service by Google LLC (United States), and receives a device registration token. This token:
• Is stored server-side associated with your account to enable delivery of booking updates, payment confirmations, and operator messages;
• Does not identify you personally (it identifies your device's notification channel);
• Is de-registered and deleted from our systems when you delete your account or disable push notifications.
Push notification permission is optional. You can withdraw it at any time. iOS: Settings > Notifications > OOPA > Allow Notifications (toggle off); Android: Settings > Apps > OOPA > Notifications > All OOPA notifications (toggle off).
The mobile app may request the following permissions when relevant:
| Permission | Why it's requested | Optional? |
|---|---|---|
| Push Notifications | Booking updates, payment confirmations, messages from operators | Yes (app works fully without it) |
| Camera / Photo Library | Uploading KYC documents and profile photo | Yes (only requested when you initiate upload) |
| Location (GPS) | Finding vehicles near you, prefilling your city, and setting a delivery pickup point | Yes (only requested when you tap "use my location") |
| Storage (Android) | Reading photos for KYC/profile upload | Yes (only requested when you initiate upload) |
Location access is optional and is only requested when you tap "use my location" (or a delivery-location picker). If you decline, you can still search by typing a location instead. When granted, your device's GPS coordinates are used to show nearby vehicles and, if you choose, to set a delivery pickup point; they are not used for advertising or continuous background tracking.
The native app includes the New Relic mobile agent, which records performance, interaction, network, and crash data to help us keep the app stable. It does not use cookies. The app also updates itself over the air by downloading signed update bundles from our own update service (hosted on Cloudflare R2); this request transmits only the app's current version, not personal data.
You can view, delete, or block cookies using your browser's built-in privacy controls. Note that blocking the customer_access_token cookie will prevent you from logging in.
Google Chrome
Settings → Privacy and Security → Cookies and other site data
Mozilla Firefox
Settings → Privacy & Security → Cookies and Site Data → Manage Data
Safari (macOS)
Safari → Settings → Privacy → Manage Website Data
Safari (iOS)
Settings → Safari → Advanced → Website Data
Microsoft Edge
Settings → Privacy, Search, and Services → Cookies and Site Permissions
New Relic browser monitoring is injected only in the production environment. To opt out, you can:
• Use a browser content-blocking extension (e.g., uBlock Origin) and block js-agent.newrelic.com;
• Review New Relic's own privacy opt-out options at newrelic.com/termsandconditions/privacy.
Cloudflare security cookies (__cf_bm, _cfuvid, cf_clearance) are strictly necessary for network security and cannot be disabled without potentially blocking access to the Platform entirely. They expire quickly (30 minutes to 24 hours) and contain no personal information beyond a hashed session identifier. For more information, see Cloudflare's Cookie Policy at cloudflare.com/cookie-policy.
To clear the oopa_user localStorage entry:
• Log out of the Platform (this clears it automatically); or
• Open your browser's Developer Tools (F12) → Application tab → Local Storage → app.oopa.ph → delete the oopa_user key; or
• Use your browser's "Clear site data" or "Clear browsing data" function.
Some browsers offer a "Do Not Track" (DNT) signal. Because there is no universal standard for how websites should respond to DNT signals, the Platform does not alter its behaviour based on DNT headers. However, because we do not use behavioural advertising or cross-site tracking cookies, the practical effect of enabling DNT on OOPA is minimal. You may use the browser and opt-out mechanisms described in Section V to control data collection more precisely.
This Policy is updated whenever we add, remove, or change cookies or storage technologies on the Platform. Material changes, such as adding a new third-party analytics or advertising tool, will be communicated by email to your registered address and by a prominent notice on the Platform at least fifteen (15) days before taking effect. Non-material changes (e.g., updating cookie durations or descriptions) will be reflected in an updated notice at the top of this document without advance notice.
This Policy is governed by the laws of the Republic of the Philippines, including Republic Act No. 10173 (Data Privacy Act of 2012) and its Implementing Rules and Regulations. Any disputes relating to this Policy shall be resolved in accordance with Section XII of our Privacy Policy.
Cookie & Privacy Inquiries:
Registered Office:
OOPA Philippines, Inc.
Bonifacio Global City
Taguig City, Metro Manila 1634
Republic of the Philippines
ACKNOWLEDGMENT
BY CONTINUING TO USE THE PLATFORM, YOU ACKNOWLEDGE THAT YOU HAVE READ THIS COOKIE POLICY AND CONSENT TO THE USE OF THE STRICTLY NECESSARY AND PERFORMANCE COOKIES DESCRIBED HEREIN. THIS POLICY CONSTITUTES NOTICE PURSUANT TO SECTION 16(A) OF REPUBLIC ACT NO. 10173.