This page lists every cookie Credgle sets and what it does. We do not set marketing or advertising cookies. The consent banner that runs on this site is provided by Termly.
Strictly necessary
These cookies are required for the service to work; you cannot opt out.
- __Host-session — your authenticated session ID. HttpOnly, Secure, SameSite=Lax. Cleared on logout or after expiry.
- __Host-csrf — CSRF double-submit token. HttpOnly, Secure, SameSite=Lax. Pairs with the client-readable mirror below.
- csrf-token — mirror of the CSRF token, readable from the SvelteKit form action layer. SameSite=Lax.
Functional
These cookies remember your interface preferences. They are first-party and not shared.
- credgle.theme — dark / light theme preference. SameSite=Lax, 1 year.
- credgle.lang — interface locale. SameSite=Lax, 1 year.
- credgle.pwa.install.dismissed_until — local-storage entry (not a cookie) that suppresses the install banner for 30 days after dismissal.
Analytics (opt-in)
PostHog tracks anonymous page views and key events (signup, first-earn, first-cashout). It masks
all input fields and respects the
Do Not Track and
Sec-GPC: 1 opt-out signals.
Third-party (during specific flows)
- Cloudflare Turnstile — CAPTCHA challenge cookies during signup / phone verification. Removed once the challenge completes.
- Persona — KYC hosted flow cookies, only when you opt to verify at L3+.
Managing cookies
Block third-party cookies in your browser, use a private window, or revoke consent through the Termly banner footer link. Note that disabling strictly-necessary cookies will sign you out and break the service.