Loading…
Loading…
Every cookie and browser-storage key Coloseos sets, what it's for, and how long it stays.
Coloseos uses a small number of first-party cookies for the parts of the site that require signing in, plus — only if you accept analytics — anonymous first-party product analytics and Google Analytics loaded through Google Tag Manager. We don't run advertising cookies, we don't use Google's advertising integrations, and we don't sell or share your data.
You can change your preferences any time from Cookie preferences or the link in the site footer. Revoking after the page has loaded stops new events from firing, but already-set cookies from services loaded in this session persist until you clear them or they expire.
Set even if you reject analytics. Without these the site can't run.
| Name | Category | Purpose | Retention |
|---|---|---|---|
| coloseos_session | Necessary | Keeps you signed in after log-in. HttpOnly, SameSite=Lax, Secure in production. | 30 days |
| coloseos_consent | Necessary | Stores your cookie preferences so we don't ask again on every page. Required for the consent system itself to work. | 13 months |
Small bits of state kept in your browser's localStorage. Never sent to a server.
| Name | Category | Purpose | Retention |
|---|---|---|---|
| theme | Necessary | next-themes stores your light/dark preference so the UI doesn't flash on next load. | Until you clear it |
Everything below is gated on you accepting analytics in the cookie banner or preferences page. The first two rows are first-party — our own `/api/e` endpoint stores the events. The last two rows describe Google Tag Manager and the Google Analytics tag loaded through it; these are third-party and only fire when analytics is granted.
| Name | Category | Purpose | Retention |
|---|---|---|---|
| /api/e — pageviews | Analytics | Anonymous pageview with path, referrer, and a daily-rotated hash of IP+user-agent. No cookie is set by this request; the hash is re-derived each day so visitors can't be followed across sessions. | Rolling 13 months in aggregate |
| /api/e — Core Web Vitals | Analytics | Same anonymous record, carrying LCP / CLS / INP / FCP / TTFB so we can see what's fast or slow on your device. | Rolling 13 months in aggregate |
| Google Tag Manager (GTM) | Analytics | Loads analytics tags our team has configured. The GTM container script itself sets no cookies; the services it loads do (see below). Only loaded after you accept analytics — never before. | Loaded per session; see downstream services |
| _ga, _ga_<container-id> | Analytics | Google Analytics 4 identifiers, set by the GA tag loaded through GTM. _ga distinguishes visitors; _ga_<id> persists session state. Aggregated traffic reporting only — we do not use Google's advertising integrations. | 2 years (Google default) |
When you make a choice, we store an audit row with a daily- rotated salted hash of your IP (never the IP itself), your browser user-agent, the version of the consent prompt you saw, and the categories you accepted or rejected. We keep those rows for 13 months so we can answer a data-subject request or a regulator's question.
If we add a new category or change what's collected under an existing one, we'll bump the consent version and ask again. Your previous choice stays on file in the audit log.