Cookie policy
Last updated 10 June 2026
The short version: a handful of essential cookies keep you signed in, and analytics cookies are set only if you say yes. No advertising cookies, no cross-site tracking, ever.
Essential cookies (always on)
These make the site work — signing in, form security, remembering your cookie choice. They don't track you and can't be switched off; without them you couldn't have an account at all. (In production, session cookies carry a __Secure- prefix.)
| Cookie | Purpose | Lifetime |
|---|---|---|
| authjs.session-token | Keeps you signed in (your session). | 30 days |
| authjs.csrf-token | Protects forms against cross-site request forgery. | Session |
| authjs.callback-url | Returns you to the right page after sign-in. | Session |
| riff_consent | Remembers your cookie choice so we don't ask again. | 12 months |
Analytics cookies (only with your consent)
Until you choose Accept all, analytics run in cookieless mode: PostHog keeps nothing on your device, and Google Analytics receives only consentless pings (Consent Mode v2, storage denied). Accepting sets the cookies below; declining — or never choosing — means they are never written.
| Cookie | Purpose | Lifetime |
|---|---|---|
| ph_*_posthog | PostHog (EU servers): which pages and features are used, Web Vitals performance. | 12 months |
| _ga, _ga_* | Google Analytics 4: visit and traffic-source statistics. | Up to 24 months |
PostHog is configured for EU data residency and we don't build person profiles for anonymous visitors. We also honor your browser's Do Not Track setting.
Third-party security challenges
Sign-up and sign-in forms use Cloudflare Turnstile to block bots. Turnstile runs in an embedded frame and may set its own cookies on Cloudflare's domain to tell humans from scripts — a security necessity, covered by Cloudflare's privacy policy.
Change your mind anytime
Your choice is yours to change — withdrawing consent is as easy as giving it. Reopen the banner here:
Choosing Essential only after having accepted stops all analytics storage immediately and clears what PostHog kept on your device. Cookies previously set by Google Analytics stop being used; you can remove them entirely from your browser settings.
More detail
What we do with data overall — including your rights and how to delete everything — lives in the privacy policy. Questions: privacy@riffiter.com.