Cookie Policy

Last updated: 2026-06-07

The short version

  • We use one first-party session cookie to keep you logged in and a CSRF token cookie to prevent cross-site request forgery.
  • We use a single preference cookie to remember the cookie-notice acknowledgement so we don't show it again.
  • We do not use third-party advertising cookies, retargeting pixels, social plug-ins, or analytics SDKs (no Google Analytics, no Meta Pixel, no Hotjar).
  • Because we only set cookies that are strictly necessary for the service you requested (ePrivacy Art. 5(3) / PECR Reg. 6(4) exemption) and a preference cookie you control, we do not require an upfront consent banner — but we still show you a no-tracking notice on first visit so it's explicit.

1. What is a cookie?

A cookie is a small piece of data your browser stores when you visit a website. We also use the term loosely to include similar technologies (HTML localStorage and sessionStorage), which we use to keep small UI preferences (e.g., light/dark theme) on your device.

2. Cookies we set

| Name | Type | Purpose | Duration | Category |
|---|---|---|---|---|
| session | First-party, HTTP-only, Secure, SameSite=Lax | Keeps you signed in. Required for any authenticated feature. | 30 days rolling, or until logout | Strictly necessary |
| csrf_token | First-party, HTTP-only, Secure | Prevents cross-site request forgery on POST/PUT/DELETE requests. | Session | Strictly necessary |
| cookie_notice_ack | First-party | Remembers that you dismissed the one-time no-tracking notice. | 180 days | Preference (set on your action) |
| tier_override (dev only) | First-party | Allows local-dev contributors to simulate tier behaviour. Not set on production. | Session | Strictly necessary (dev) |

3. localStorage / sessionStorage items

| Key | Purpose | Cleared when |
|---|---|---|
| cookie_notice_ack | Mirror of the cookie above to suppress the notice if cookies are blocked. | You clear site data. |
| theme | Stores your light/dark/system preference. | You clear site data or change the setting. |
| draft_text | Auto-saves the textarea so a refresh doesn't lose your work. Local to your browser. Never sent to us. | On submit, or you clear site data. |

4. What we do NOT use

  • No third-party analytics (no Google Analytics, no Plausible, no PostHog — until we change this policy and add a real consent banner).
  • No advertising or retargeting pixels (no Meta Pixel, no TikTok Pixel, no Google Ads conversion).
  • No fingerprinting (Cloudflare Turnstile is used only as a CAPTCHA challenge, not for cross-site tracking).
  • No session replay tools (no FullStory, no Hotjar).
  • No social plug-ins that drop cookies (we use icon-link buttons, not embedded SDKs).

5. Why we don't show a consent banner

Under the EU ePrivacy Directive (Art. 5(3)) and the UK PECR (Reg. 6(4)), consent is required only for cookies that are not strictly necessary for the communication or service the user has requested. Authentication and CSRF protection meet that exemption. The single preference cookie is set only when you dismiss the notice — that is your action, not an implicit consent.

If we ever add non-essential cookies (analytics, marketing), we will roll out a proper consent management platform with granular opt-in, opt-out, and Global Privacy Control honouring, and we will update this page.

6. Managing cookies in your browser

You can clear or block cookies through your browser settings — typically Settings → Privacy → Cookies. Blocking the session cookie will prevent login. Useful links:

7. Server-side observability (not cookies, but disclosed for transparency)

Like every web service, we log basic request data at our edge (Cloudflare): hashed IP fingerprint, user-agent, requested path, response code, timing. These logs are retained for 24 hours and used only for security and reliability. They do not use cookies and they are not used to track you across sites.

8. Changes

If we change which cookies we use, we will update this page and re-prompt acknowledgement. The "Last updated" date above reflects the current version.

9. Contact

Questions? Email [email protected].