We use the smallest possible set of cookies — all first-party, all strictly necessary or functional. No third-party tracking, no advertising cookies, no consent banner needed.
What we set
Strictly necessary
- sma_session — your sign-in token. httpOnly, Secure, SameSite=Lax. Set when you sign in; cleared on sign-out or after 30 days of inactivity.
- sma_oauth_state — CSRF protection for the Google sign-in flow. Lifespan: a few minutes.
- sma_oauth_return_to — remembers where to send you after sign-in. Same short lifespan as above.
- sma_pending_2fa — 5-minute holding cookie between your password and your 2FA code. Encrypted.
Functional
- sma_workspace — remembers which workspace you last opened, so we don’t reset you to the default each visit.
- sma_ref — captures a referral code from ?ref=… links so we can credit your friend after you sign up. 30-day lifespan, cleared on signup.
Local storage (not a cookie, but worth mentioning)
- sma_onboarding_hidden — set when you dismiss the getting-started checklist on your dashboard.
What we do NOT use
- No Google Analytics, no Facebook Pixel, no third-party trackers.
- No advertising cookies.
- No cross-site tracking.
How to clear them
You can clear cookies from your browser at any time. Doing so will sign you out and reset your workspace preference. Connected social accounts and your data stay safe — those live server-side.
Contact
Questions about cookies? deylian@heykoop.nl.