Cookie Policy
1. What are cookies?
Cookies are small text files stored on your device by your web browser when you visit a website. They serve various purposes such as remembering your preferences, keeping you signed in, and helping us understand how our platform is used. Some cookies are strictly necessary for the site to function; others are optional and require your consent.
2. Essential cookies
These cookies are required for the platform to function correctly. They cannot be disabled without breaking core functionality.
- Authentication session (fcm_session): Keeps you signed in while you use the platform. HttpOnly, SameSite=Strict; expires when your session ends or after the configured session timeout. Cannot be read by JavaScript and is only sent to our servers.
- CSRF token (fcm_csrf): Protects against cross-site request forgery. HMAC-signed double-submit cookie validated on every state-changing request.
- Cookie consent preferences (fcm_cookie_consent): Stored in localStorage to remember your cookie consent choices so we don't repeatedly prompt you. Expires after 12 months per GDPR guidance.
3. Optional analytics cookies
These cookies are only set if you explicitly consent via the cookie banner or the privacy preferences panel. They help us understand how visitors use the platform so we can improve the experience.
- PostHog Analytics: When you consent to analytics, PostHog may set cookies to track page views, feature usage, and session information. No PII is sent to PostHog — user IDs are pseudonymized before transmission. You can opt out anytime through the privacy preferences panel.
3a. Server-side security telemetry (legitimate interest)
Separately from the consent-gated analytics, we send a limited set of security-related events to PostHog from our servers — regardless of cookie consent — under the legal basis of legitimate interest (GDPR Art. 6(1)(f)) for fraud prevention and security monitoring.
These events include: failed and successful authentication attempts, password resets, two-factor verification outcomes, account lockouts, data export and erasure requests, CSRF and rate-limit violations, and suspicious access patterns. Events are tagged in PostHog with category=security and data_basis=legitimate_interest.
What we never include in security telemetry: email addresses, IP addresses (only short non-reversible HMAC fingerprints for grouping), passwords, tokens, survey response contents, or anything that would allow re-identification of an individual outside our internal audit log.
You may request deletion of security-telemetry records via our data erasure endpoint or by contacting [email protected]. We may retain a minimum subset of security records (e.g., account-takeover indicators) for the period required under Article 32, with anonymization applied where feasible.
4. Third-party cookies
We use a limited number of third-party services that may set their own cookies:
- PostHog (analytics): Sets cookies to track anonymous usage data when you have consented to analytics. PostHog processes data per their privacy policy. Only activated when you accept analytics cookies.
- Sentry (error tracking): Used for error monitoring and performance tracking when you have consented to analytics cookies. May use cookies or local storage to correlate error reports. All PII is scrubbed via a beforeSend hook before transmission. The frontend Sentry SDK is consent-gated: it loads only when analytics consent is granted and respects the Do Not Track browser signal. When you revoke analytics consent, the Sentry client is closed and any associated state is cleared. (Backend error monitoring, which never sees end-user devices, runs unconditionally for production reliability.)
- Cloudflare Turnstile (bot protection): Sets challenge-response cookies on signup and survey submission. No tracking; challenge response only. Strictly necessary for platform security.
We do not use any marketing or advertising cookies. We do not sell or share cookie data with advertisers.
5. How to manage cookies
5.1 Privacy preferences banner
When you first visit the platform, a cookie consent banner offers three choices: Accept (enables all cookies), Reject (disables non-essential cookies), or Manage (opens a detailed preferences panel where you can toggle individual cookie categories). Your choice is remembered for 12 months.
5.2 Updating your preferences
You can change your cookie preferences at any time using the button below, or via the Privacy Policy page.
5.3 Browser settings
You can also control cookies through your browser settings. Blocking essential cookies may prevent you from signing in or using the platform.
- Chrome: Settings → Privacy and Security → Cookies and other site data
- Firefox: Settings → Privacy & Security → Cookies and Site Data
- Safari: Preferences → Privacy → Manage Website Data
- Edge: Settings → Cookies and site permissions → Cookies and site data
6. Data retention
Essential cookies persist only for the duration of your session or until the configured timeout. Analytics cookies set by PostHog follow PostHog's default retention policies and are cleared when you revoke analytics consent. Your consent preferences are stored for 12 months before re-prompting.
7. Changes to this policy
We may update this Cookie Policy. Changes will be reflected by updating the "Last Updated" date. If we make material changes, we will re-prompt you for consent.
8. More information
For more details about how we handle your personal data, see our Privacy Policy. Questions about cookies or your privacy: [email protected].