Skip to content
Legal

Cookie Policy

Last updated: 2026

This policy explains what cookies and similar technologies CiteAgentic uses, why we use them, and how you can control them. It should be read alongside our Privacy Policy, which covers how we handle personal information more broadly.

What cookies are

A cookie is a small text file that a website stores on your browser when you visit it. Cookies let a site remember things between page loads and visits - that you're signed in, what theme you prefer, or how many people land on a given page. Some cookies are set by the site you're visiting ("first-party"); others are set by services that the site embeds, such as analytics providers ("third-party"). We also use localStorage, a similar browser-storage mechanism, for a couple of small client-side preferences - we treat it the same way as a cookie for the purposes of this policy.

Cookies we set

NamePurposeTypeDuration
trace_sessionAuthenticated session (HttpOnly - not readable by page scripts)Essential30 days
trace_csrfCSRF token, JS-readable, echoed back as a header on state-changing requestsEssential30 days
trace_themeRemembers your light/dark theme choicePreferencePersistent
Google Analytics (_ga, _ga_*)Aggregated website usage analytics (production only)AnalyticsUp to 2 years
PostHog analytics cookies (if configured)Product usage analytics inside the signed-in appAnalytics1 year

Essential cookies

trace_session and trace_csrf are what make the product work. The session cookie is how the server recognises you as signed in across page loads; it's marked HttpOnly, so it can't be read or tampered with by page scripts, which protects it from cross-site-scripting attacks. The CSRF cookie is a security pairing token: when you take an action that changes data (saving a brand, running a scan, updating billing), the app reads this cookie and echoes its value back to the server as a header, proving the request came from our own page rather than a malicious third-party site. Neither cookie is used for advertising, profiling, or tracking you across other websites - they exist purely to keep your account secure and your session alive.

Preference cookies

trace_theme simply remembers whether you last viewed the app in light or dark mode, so you don't have to reselect it on every visit. It carries no personal information beyond that single preference value.

Analytics cookies

On our public marketing pages (production only - not in local development) we use Google Analytics to understand aggregate traffic: which pages people land on, how they navigate, and roughly how many visitors we get. Inside the signed-in dashboard, we may additionally use PostHog to understand how customers use product features, so we can prioritise what to build next. Both are configured to avoid storing information that would let us identify you as an individual from the analytics data alone, and neither is used to build advertising profiles.

Cookies we don't set

  • No advertising or retargeting cookies
  • No cross-site fingerprinting or device-fingerprinting scripts
  • No social-media tracking pixels embedded in our pages
  • No sale or sharing of cookie-derived data with data brokers

How to control or opt out of cookies

Most browsers let you view, block, or delete cookies through their settings - look for "Privacy", "Cookies", or "Site data" in your browser's preferences. Because every browser organises these settings a little differently, the exact path varies: in Chrome and Edge it's under Settings → Privacy and security → Cookies and other site data; in Firefox it's Settings → Privacy & Security → Cookies and Site Data; in Safari it's Settings → Privacy → Manage Website Data. You can typically choose to block third-party cookies only, clear cookies on exit, or block all cookies from a specific site.

Keep in mind that blocking the essential trace_session and trace_csrf cookies will prevent the signed-in dashboard from working - you simply won't be able to stay logged in. Everything outside the authenticated app (the marketing site, free tools, blog, and docs) will continue to work normally without them.

If you'd like to opt out of Google Analytics specifically, without affecting any other cookies, Google provides a dedicated opt-out browser add-on that prevents its JavaScript from sharing visit information.

Do Not Track

Some browsers offer a "Do Not Track" signal. There isn't yet a common industry standard for how sites should respond to it, so we don't currently change our behaviour based on that signal - but the controls above let you achieve the same outcome directly.

Changes to this policy

We may update this Cookie Policy as our product, providers, or applicable law change. If we make a material change, we'll update the "Last updated" date above; for significant changes we'll aim to give existing customers reasonable notice (for example, by email or an in-app notice).

Contact

Questions about this policy or how we use cookies? Reach us at [support@citeagentic.com].