Cookie policy.

1. The short version

• We set strictly necessary cookies only by default. These keep the product working: session, CSRF, anti-abuse challenge.
• We do not set analytics or marketing cookies until you opt in via the cookie banner.
• You can withdraw consent at any time by clicking “Cookie settings” in the footer.

2. The full cookie list

2.1 Strictly necessary (always on)

• shortlist_session — authentication session. Set after magic-link verification. httpOnly, secure, sameSite=lax. Lifetime: 30 days, rolling.
• cf_chl_* / cf_clearance — Cloudflare Turnstile challenge cookies. Set only when a form is submitted from your browser. Lifetime: minutes.
• st_consent— stores your cookie-banner choice so we don’t ask again on every page. Lifetime: 12 months.

2.2 Functional (set only if you accept)

• st_theme, st_density — your UI preferences. Lifetime: 12 months.

2.3 Analytics (set only if you accept)

When configured, we use [PostHog / Plausible — confirm before launch] for aggregated product analytics. We do not send personally identifying fields to the analytics provider. Cookies set are documented by the provider; we summarise them here once the integration is live.

2.4 Marketing

None at this time. If we add any, this policy will be updated and your consent re-requested.

3. Subprocessor disclosure

Cookies set by our subprocessors (Cloudflare Turnstile, payments provider, analytics if enabled) follow their own policies. See the relevant subprocessor in our Privacy Policy.

4. How to control cookies

• Via our banner: click “Cookie settings” in the footer to revise your choice.
• In your browser: all modern browsers let you block or delete cookies. Note that blocking strictly-necessary cookies will break login and form submission.
• Do Not Track: we treat a Do Not Track signal as a rejection of non-essential cookies.

5. Updates

We update this policy whenever the list of cookies changes. Material changes are announced by email to active customers and via an in-product notice.