[ LEGAL ]
Cookie & Tracking Notice
Last updated: 2026-04-28
This Notice describes cookies and similar technologies set by getspinal.com and the Spinal Service. It supplements the Privacy Policy.
1. What are cookies?
Cookies are small text files browsers store on your device. We also use related technologies (browser localStorage, server-set HttpOnly tokens, first-party server logs). For brevity we refer to all of them as "cookies" in this Notice.
2. What we set
2.1 Strictly necessary (no consent required under § 25 (2) TTDSG)
| Identifier | Purpose | Lifetime |
|---|---|---|
spinal_access_token | Maintain signed-in session | Access-token lifetime configured by the Service |
fastapiusersoauthcsrf | Protect OAuth login/signup state | 15 minutes |
2.2 Functional
| Identifier | Purpose | Lifetime |
|---|---|---|
theme (localStorage) | Remember light/dark theme | Until cleared by user |
2.3 First-party product analytics (in the Service)
We log usage events via our own first-party endpoint. Events may be tied to your authenticated user id, workspace id, browser anonymous id, and browser session id, and are stored in Spinal's own infrastructure. We do not load Google Analytics, Segment, Mixpanel, PostHog, or similar third-party analytics in the Service. We do not set advertising or social-media tracking pixels in the Service.
| Identifier | Purpose | Lifetime |
|---|---|---|
spinal_anonymous_id | First-party product analytics and abuse/debug correlation | Until cleared by user |
spinal_session_id | First-party product analytics session grouping | Browser session; refreshed for active sessions up to 30 minutes |
2.4 Third-party assets in the Service
The Service may redirect to or load pages from a small number of third parties only when you initiate the relevant flow:
- Authentication providers (Google, Microsoft, and GitHub) on the sign-in flow you initiate
- Source-control providers (for example GitHub or GitLab) when you connect repositories
These providers may set cookies or read identifiers on their own domains as part of those flows, governed by their own privacy notices.
3. The public marketing site
If/when getspinal.com adds non-essential analytics, advertising, or social-media tracking, those identifiers will be gated behind a consent banner as required under § 25 TTDSG and the ePrivacy Directive. As of the date above, no such trackers are deployed.
4. Your choices
- Most browsers let you block or delete cookies via settings; the Service will not function without strictly necessary cookies.
- Signing out clears the authentication cookie.
- If we add cookies or trackers that require consent before use, we will present a consent banner before setting them.