mycelium·

Cookie Policy

Last updated: 3 July 2026

Short version: we use only strictly necessary cookies — the ones required to sign you in and keep your session secure. There are no analytics cookies, no marketing cookies, and no third-party trackers on this site at launch.

1. What cookies we set

All cookies below are first-party, set by mycelium.netcraft.works, and are technically required for the Service to work. Authentication is built on Auth.js; the cookie names follow its conventions.

Cookie Purpose Lifetime
__Secure-authjs.session-token Your sign-in session (JWT). Keeps you logged in. Up to 30 days, refreshed while you use the Service
__Host-authjs.csrf-token CSRF protection — verifies that sensitive actions come from you, not a malicious site Browser session
__Secure-authjs.callback-url Remembers where to return you after Google sign-in completes Browser session
__Secure-authjs.pkce.code_verifier Secures the Google OAuth sign-in flow (PKCE) ~15 minutes, only during sign-in
myc_cookie_notice Remembers that you dismissed the cookie notice, so we do not show it again 12 months

All cookies are set with Secure (HTTPS-only) and, where applicable, HttpOnly (not readable by page scripts) and SameSite=Lax.

2. Why there is no consent pop-up

Consent requirements apply to cookies that are not strictly necessary — analytics, advertising, cross-site tracking. We do not use any of those. Because every cookie we set is required to deliver the service you are requesting (signing in and staying signed in securely), no consent wall is needed. Instead, we show a one-time informational notice so you know what is (and is not) going on.

If we ever introduce non-essential cookies, we will update this policy first and ask for your consent before setting them.

3. How to control cookies

You can block or delete cookies in your browser settings at any time (look for "Privacy" or "Cookies" in Chrome, Firefox, Safari, or Edge settings). Be aware that blocking the cookies listed above will prevent sign-in — they are how the Service knows who you are.

4. Questions

Email <LEGAL_CONTACT_EMAIL> (see the Privacy Policy for full contact details and your rights).