We use the minimum set of cookies and browser storage required to run a multi-tenant authenticated platform. We do not run third-party advertising trackers.
1. Strictly necessary (no consent required)
| Name | Purpose | Lifetime |
|---|---|---|
| lydos_refresh_token | Long-lived auth refresh (HttpOnly, SameSite=Strict) | 7 days |
| lydos-locale | Language preference | 365 days |
| lydos-theme (localStorage) | Light/dark theme to prevent flash on load | persistent |
| x-lydos-nonce (per-request header) | CSP nonce for inline scripts | request only |
2. Functional (consented)
| Name | Purpose | Lifetime |
|---|---|---|
| lydos-onboarding-state (localStorage) | Tutorial progress, dismissed banners | persistent until cleared |
3. Analytics
Self-hosted, privacy-respecting analytics only (no IP storage, no cross-site tracking, no third-party CDN beacons). Anonymous page-view counts; you can opt out from settings.
4. Third-party
We embed Google Fonts (CSS only, no analytics). LLM provider calls happen server-side; provider cookies do not reach your browser.
5. Manage your preferences
Account dashboard → Settings → Privacy. Browser-level: clear cookies for this site. Note that clearing the auth cookie will sign you out.