Cookie Policy
Last updated: 3 July 2026
Short version: we use only strictly necessary cookies — the ones required to sign you in and keep your session secure. There are no analytics cookies, no marketing cookies, and no third-party trackers on this site at launch.
1. What cookies we set
All cookies below are first-party, set by mycelium.netcraft.works, and are technically required for the Service to work. Authentication is built on Auth.js; the cookie names follow its conventions.
| Cookie | Purpose | Lifetime |
|---|---|---|
| __Secure-authjs.session-token | Your sign-in session (JWT). Keeps you logged in. | Up to 30 days, refreshed while you use the Service |
| __Host-authjs.csrf-token | CSRF protection — verifies that sensitive actions come from you, not a malicious site | Browser session |
| __Secure-authjs.callback-url | Remembers where to return you after Google sign-in completes | Browser session |
| __Secure-authjs.pkce.code_verifier | Secures the Google OAuth sign-in flow (PKCE) | ~15 minutes, only during sign-in |
| myc_cookie_notice | Remembers that you dismissed the cookie notice, so we do not show it again | 12 months |
All cookies are set with Secure (HTTPS-only) and, where applicable, HttpOnly (not readable by page scripts) and SameSite=Lax.
2. Why there is no consent pop-up
Consent requirements apply to cookies that are not strictly necessary — analytics, advertising, cross-site tracking. We do not use any of those. Because every cookie we set is required to deliver the service you are requesting (signing in and staying signed in securely), no consent wall is needed. Instead, we show a one-time informational notice so you know what is (and is not) going on.
If we ever introduce non-essential cookies, we will update this policy first and ask for your consent before setting them.
3. How to control cookies
You can block or delete cookies in your browser settings at any time (look for "Privacy" or "Cookies" in Chrome, Firefox, Safari, or Edge settings). Be aware that blocking the cookies listed above will prevent sign-in — they are how the Service knows who you are.
4. Questions
Email <LEGAL_CONTACT_EMAIL> (see the Privacy Policy for full contact details and your rights).