Trust
Cookies
Effective 2026-05-11.
Foundation Collab uses the smallest set of cookies and local-storage entries we can get away with. We do not run advertising or third-party tracking. This page explains what each one does and how to opt out where the choice is yours.
Always-on (necessary)
These keep sign-in working and protect the form posts. You cannot disable them and still use the product; we do not ask you to consent to them because there is no meaningful alternative.
- authjs.session-token - your signed JWT session, set by Auth.js after you click a magic link. HTTP-only, secure, SameSite=Lax. Lifetime: 30 days rolling, refreshed on each sign-in.
- authjs.csrf-token - anti-CSRF nonce paired with every form post. Same flags as above. Lifetime: session.
- authjs.callback-url - short-lived hint set during the magic-link handshake so we can land you back where you started. Lifetime: a few minutes.
- fc:consent:v1 - local-storage entry recording whether you accepted optional analytics. Lets us stop asking on every page load. Bumping the version suffix is how we re-prompt if the consent surface changes materially.
Optional (analytics)
Enabled only if you click Accept all on the cookie banner. We use PostHog (self-hosted reverse proxy at i.posthog.com) to understand product usage - page views, feature engagement, error rates. No third-party ad networks ever load.
- ph_* - PostHog distinct ID and feature-flag cache. First-party cookie on the foundationcollab.org domain. Lifetime: 12 months.
Pick Necessary only in the banner (or clear the fc:consent:v1 entry from your browser's site data) and PostHog will not load at all.
Embedded tiles & conferencing
- OpenStreetMap tiles are fetched directly from tile.openstreetmap.org. OpenStreetMap may set its own cookies for its own analytics; we have no insight into or control over those.
- LiveKit (conference center) opens a WebRTC connection when you join a room. It does not set first-party cookies on our domain, but it does maintain its own session state for the duration of the call.
Opt-out
Open the cookie banner again from the footer (Cookie choices) or clear site data in your browser. Sign-in cookies will obviously be cleared too, so you will need to sign in again on your next visit.
Changes
If we add a new cookie we update this page first, then ship the change. The effective date at the top of the page tells you when the current set went live.