Cookie Policy.
This page lists every cookie element59 sets, what each one does, how long it lives, and which processor (if any) is involved.
Not legal advice. This document was drafted by the founding team and is awaiting review by a UK- and US-qualified privacy attorney. The interactive consent banner ships in a follow-up release; until then, only essential cookies are set on first visit and the cookies listed under "Optional analytics" are inactive.
Section 1 — What cookies are
▷ In one sentence: Small text files your browser stores so we can remember things between page loads.
1.1 Cookies are key-value strings the browser stores per origin and re-sends with subsequent requests to that origin. We use them only for first-party purposes — there are no third-party advertising or cross-site tracking cookies on element59.
1.2 Some cookies are strictly necessary for the service to work (the session cookie that proves you're logged in, the CSRF token that prevents request forgery). Others are optional (analytics) and are only set after you grant consent.
Section 2 — Strictly necessary cookies
▷ In one sentence: These keep you logged in and prevent CSRF — the service breaks without them.
| Name | Duration | Purpose | Processor | | ---- | -------- | ------- | --------- | | e59_session | 7 days (artist) / 1 hour (operator) | Holds your signed JWT session — proves you're logged in. HttpOnly, Secure, SameSite=Lax. | element59 (first-party) | | e59_csrf | Session | Synchroniser-token CSRF protection on POST endpoints. | element59 (first-party) | | __e59_consent | 180 days | Records your cookie-consent choice so the banner doesn't reappear on every visit. Set on first interaction with the banner; never a third-party cookie. | element59 (first-party) |
These cookies are exempt from consent under PECR / GDPR Article 5(3) because they are strictly necessary for the service you requested.
Section 3 — Optional analytics cookies
▷ In one sentence: Off by default; only set after you click Accept in the banner.
| Name | Duration | Purpose | Processor | | ---- | -------- | ------- | --------- | | _vercel_anonymous_id | 24 hours | Aggregate visitor counting on Vercel Web Analytics — cookieless mode normally; the ID exists only when consent is granted to enable per-visitor de-duplication for the day. | Vercel | | ph_* (multiple) | 365 days | Posthog product analytics — funnels and feature-usage events. We do not enable session replay. | Posthog |
If you decline analytics in the consent banner, none of these cookies are set, and the analytics scripts are not loaded.
Section 4 — How to change your choice
▷ In one sentence: Open the cookie banner from the footer and pick again.
4.1 The cookie banner re-opens via the "Cookie preferences" link that ships in the page footer alongside the legal links. Changes take effect immediately — opting out clears the corresponding cookies and unloads the analytics scripts on the next navigation.
4.2 You can also delete cookies directly from your browser's settings. Doing so deletes the consent record (__e59_consent) and the banner will reappear on your next visit.
Section 5 — Do Not Track and Global Privacy Control
▷ In one sentence: We honour Global Privacy Control automatically; Do Not Track is treated as a soft opt-out for analytics.
5.1 When your browser sends the Sec-GPC: 1 header (Global Privacy Control), we treat it as an opt-out of the optional analytics cookies for the visit, regardless of any prior banner choice.
5.2 When your browser sends the legacy DNT: 1 header (Do Not Track), we apply the same treatment.
Section 6 — Changes to this policy
▷ In one sentence: Material changes are logged at /legal/changelog.
6.1 Any material change to the cookies we set (a new processor, a longer retention window, a new category) will be logged at /legal/changelog with the previous version archived. We will also re-prompt the consent banner so you can review and re-consent before the change takes effect.