Cookies Policy
HumanCapital: Use of Cookies and Similar Technologies
| Version | 1.1 |
|---|---|
| Effective from | 4 May 2026 |
| Last updated | 4 May 2026 |
| Operator | Vistinct Consultancy (Pty) Limited |
| Registration | 2636/2019 |
| Trading platform | HumanCapital |
| Data Protection Officer | Yeukai Musakwa |
1. Summary
The HumanCapital Platform uses a small number of cookies for the limited purposes of authenticating users, protecting forms against forgery, remembering user-interface preferences, and supporting the onboarding process.
The Operator does not use cookies for analytics, advertising, profiling, or tracking, and does not permit third parties to set tracking cookies on Platform pages. All cookies set by the Platform are essential to its operation. No consent banner is required, because under the Cyber and Data Protection Act [Chapter 12:07] of Zimbabwe, cookies that are strictly necessary for the operation of a service requested by the user do not require separate consent.
This Cookies Policy explains, in detail, what cookies the Platform sets, why, and how long each persists. It is a complement to the Privacy Policy and the Data Protection Notice; please read those documents for the broader picture of how the Platform handles personal information.
2. What Cookies Are
A cookie is a small text file stored by a web browser on the user's device when the user visits a website. Cookies allow the website to recognise a return visit, maintain a logged-in session across page navigations, remember user preferences, and protect against certain categories of attack.
Cookies are first-party (set by the website the user is visiting) or third-party (set by another domain whose content is embedded in the page). The Platform sets only first-party cookies on the humancapital.co.zw domain. The Platform does not embed third-party content that sets cookies on the humancapital.co.zw domain.
3. Cookies Set by the Platform
The Platform sets only the cookies described in this clause. Each is essential — that is, the Platform cannot perform the user's requested function without it.
3.1 Authentication Cookie
| Name | humancapital.auth |
|---|---|
| Purpose | Maintains the authenticated session of a signed-in user. Without this cookie, the user would have to re-enter their credentials on every page. |
| When set | On successful sign-in. |
| Expiry | Sliding fourteen (14) days from the last activity. The cookie expires automatically if the user is inactive for fourteen days, and is renewed on each authenticated request. |
| Flags | HttpOnly, Secure, SameSite=Lax |
| Essential | Yes |
| Lawful basis | Performance of the contract with the Client and the Authorised User |
3.2 Anti-Forgery Cookie
| Name | humancapital.csrf |
|---|---|
| Purpose | Protects browser-based state-changing operations against Cross-Site Request Forgery (CSRF) attacks by pairing a server-issued token with a client-issued one. |
| When set | On any page that contains a form or that is otherwise expected to issue a state-changing request. |
| Expiry | Session — cleared when the browser closes. |
| Flags | HttpOnly, Secure, SameSite=Strict |
| Essential | Yes |
| Lawful basis | Legitimate interest in the security of the Platform |
3.3 External Sign-In Cookie
| Name | .AspNetCore.Identity.External |
|---|---|
| Purpose | Maintains transient state during an external sign-in flow (for example, OAuth or third-party identity provider). Set only if and when external sign-in is used. |
| When set | At the start of an external sign-in flow; cleared on completion. |
| Expiry | Session — typically a few minutes. |
| Flags | HttpOnly, Secure, SameSite=Lax |
| Essential | Yes (when the user has chosen external sign-in) |
| Lawful basis | Performance of the contract |
3.4 Flash-Message Cookie
| Name | humancapital.flash |
|---|---|
| Purpose | Carries short-lived, single-use messages (for example, "Your changes have been saved") across an HTTP redirect. The cookie is consumed and deleted on the next page load. |
| When set | When a controller produces a flash message via the framework's TempData mechanism. |
| Expiry | Session, but typically deleted within seconds of being set. |
| Flags | HttpOnly, Secure, SameSite=Lax |
| Essential | Yes |
| Lawful basis | Performance of the contract |
3.5 Onboarding Session Cookie
| Name | hc_onb |
|---|---|
| Purpose | Maintains the state of the public Onboarding wizard for a Visitor or invited user completing onboarding. Holds an encrypted reference to a server-side session record; the cookie itself does not contain personal information in plain form. |
| When set | On entering the Onboarding wizard. |
| Expiry | Thirty (30) days, or earlier if the onboarding session completes or expires server-side. |
| Flags | HttpOnly, Secure, SameSite=Strict, Path=/Onboarding |
| Essential | Yes |
| Lawful basis | Performance of the contract; legitimate interest in providing a coherent multi-step process |
3.6 Grid Page-Size Preference
| Name | platform.grid.pageSize |
|---|---|
| Purpose | Remembers the user's chosen page size for paginated lists (for example, 10, 25, 50, or 100 items per page) so that the chosen size persists across visits. |
| When set | When the user changes the page-size setting on a paginated list. |
| Expiry | One (1) year. |
| Flags | Secure, SameSite=Lax. This cookie is not marked HttpOnly, because the user-interface code reads it from the browser to display the current selection in the page-size selector. |
| Essential | Yes — supports the requested user-interface preference. |
| Lawful basis | Performance of the contract; legitimate interest in providing a usable interface |
This is the only cookie the Platform sets that is readable by client-side script. The cookie holds a small integer (the chosen page size); it does not hold personal information, identifiers, or session tokens.
4. Cookies the Platform Does Not Use
For the avoidance of doubt, the Platform does not set or permit any of the following:
- Analytics cookies (Google Analytics, Plausible, Matomo, Microsoft Clarity, etc.);
- Advertising or marketing cookies of any kind;
- Profiling, behavioural, or tracking cookies;
- Cross-site tracking cookies;
- Social-media sharing cookies (no Facebook Pixel, no LinkedIn Insight, no equivalent);
- Heatmap or session-replay cookies;
- A/B testing cookies;
- Affiliate or referral tracking cookies.
If, in future, the Operator considers introducing any non-essential cookie technology, the Operator will:
- Update this Cookies Policy in advance to describe the proposed cookie, its purpose, and its provider;
- Implement an explicit, freely-given, granular consent mechanism in accordance with the Cyber and Data Protection Act, before any non-essential cookie is set;
- Ensure the Platform remains fully functional for users who decline consent.
5. Third-Party Resources
The Platform's pages reference a small number of third-party content delivery networks (CDNs) for static assets such as fonts, icon libraries, and JavaScript bundles. These CDNs serve assets to the user's browser; they do not set cookies on the humancapital.co.zw domain.
The third-party origins currently in use are:
| Origin | Purpose | Sets cookies on humancapital.co.zw? |
|---|---|---|
cdnjs.cloudflare.com | Icon library (Font Awesome) | No |
cdn.jsdelivr.net | JavaScript and CSS bundles | No |
fonts.googleapis.com | Web font stylesheets (Google Fonts) | No |
fonts.gstatic.com | Web font binary files (Google Fonts) | No |
When the user's browser fetches an asset from one of these origins, the browser transmits standard HTTP request metadata (including the user agent, the requested URL, and the referrer header) to the origin. This is an inherent feature of how browsers fetch assets from third-party CDNs and is not specific to the Platform.
The Operator may, from time to time, host these assets directly to remove the third-party request entirely, or replace a CDN with another of equivalent function. Material changes will be reflected in updates to this Policy.
6. How to Manage Cookies
Most browsers allow the user to view, restrict, or delete cookies through their settings. Browser-specific instructions are available from the publisher of the browser:
- Microsoft Edge — Settings → Cookies and site permissions
- Google Chrome — Settings → Privacy and security → Third-party cookies (or Cookies and other site data)
- Mozilla Firefox — Settings → Privacy & Security
- Safari — Preferences (or Settings) → Privacy
- Opera — Settings → Privacy & security
If the user blocks or deletes the Platform's essential cookies, the Platform will not function correctly for that user. Specifically:
- Blocking the authentication cookie prevents the user from staying signed in;
- Blocking the anti-forgery cookie prevents the user from submitting any form that updates data;
- Blocking the onboarding session cookie prevents the onboarding wizard from working;
- Blocking the flash-message cookie suppresses certain confirmation messages;
- Blocking the grid page-size cookie causes the page size to revert to the default on each visit.
Because all the cookies the Platform sets are essential, there is no opt-out option that preserves Platform functionality.
7. Local Storage and Other Technologies
Beyond cookies, modern browsers provide other client-side storage technologies, including localStorage, sessionStorage, IndexedDB, and the cache. The Platform's web interfaces may make limited use of these technologies for the same essential purposes described in clause 3 — for example, caching of static interface assets to improve responsiveness. They are not used for analytics, profiling, or tracking.
8. Mobile Applications and Messaging Channels
The Platform's WhatsApp Business channel does not use cookies — cookies are a web-browser concept and do not apply to the WhatsApp Business Platform. Messages exchanged through that channel are governed by the Platform's Privacy Policy and by the WhatsApp Business Platform's own terms.
9. Updates to this Cookies Policy
The Operator will update this Cookies Policy if the cookies the Platform sets change, if applicable law changes, or if guidance from POTRAZ on cookies and similar technologies is updated.
When a change is made:
- The "Last updated" date and version number at the top will be updated;
- For material changes, a notice will be published on the Platform's website;
- Earlier versions remain available on request from the Data Protection Officer.
10. Contact
Questions about cookies should be directed to:
| Data Protection Officer | Yeukai Musakwa |
|---|---|
| yeukai@humancapital.co.zw | |
| Postal address | 10 Sanmarco Court, Central Avenue, Harare, Zimbabwe |
A user who is dissatisfied with the Operator's response may complain to the Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ) in its capacity as Data Protection Authority.