Cookie And Storage Notice
Effective date: 2026-07-13 · Version cookies-2026-07-13-r2
This notice explains how repod uses cookies, browser storage, and similar technologies. repod is designed as a business SaaS service for GitHub access operations.
1. Required Service Storage
repod uses required cookies and similar storage to provide the service, keep users signed in, protect forms from CSRF, remember active account context, maintain security controls, and honour analytics choices. These are necessary for the service and are not optional analytics.
2. Optional Analytics
When Google Analytics 4 is enabled, repod asks for analytics consent before optional browser analytics begins. Choosing "Necessary only" or disabling analytics stops optional browser analytics on later page loads and removes repod analytics cookies.
repod honours Do-Not-Track and Global Privacy Control signals by preventing browser and request-linked analytics events.
Production configuration is strict opt-in for optional GA4 browser analytics. repod should not be configured to run GA4 browser measurement before consent unless the configuration has been separately reviewed against current UK storage/access rules.
3. First-Party Traffic Counters
repod may maintain aggregate first-party counters for public sitemap pages, such as daily page totals, coarse source category, device category, consent state, and bot category. These counters are intended for statistical service improvement and do not store visitor IDs, IP addresses, full referrer URLs, full user agents, or individual browsing histories.
4. Storage Names
- user_id: signed authenticated web session cookie. Default lifetime: 8 hours; absolute session limit: 24 hours unless deployment settings are changed.
- csrf_token / csrftoken: form protection tokens used to prevent cross-site request forgery. Lifetime: browser session or until replaced/cleared.
- mfa_verified: MFA trust cookie for privileged web actions after successful MFA. Default lifetime: 8 hours unless deployment settings are changed.
- active_account_id: selected account context for signed-in users. Lifetime: until changed, logout, or browser/site-data clearing.
- repod_public_audit: public access-audit session cookie used to reconnect an anonymous audit run. Default lifetime: 24 hours unless deployment settings are changed.
- repod_access_audit_flash: short-lived public-audit status message cookie. Lifetime: about 2 minutes.
- repod_analytics_consent: analytics consent choice. Lifetime: 180 days.
- repod_aid: optional first-party analytics visitor identifier used only after analytics consent. Lifetime: 365 days.
- repod_sid: optional first-party analytics session identifier used only after analytics consent. Lifetime: 30 minutes.
- repod_attr: optional first-party attribution storage used only after analytics consent. Lifetime: 90 days.
- _ga / _ga_*: Google Analytics cookies that may be set by GA4 only after analytics consent, subject to Google Analytics configuration.
- ui.theme.v2: localStorage preference for light/dark/system theme. Lifetime: until changed or browser/site-data clearing.
- rd_last_apply_ts, rd_dismiss_siloed_banner, rd_dismiss_risk_ribbon: localStorage values used to remember recent in-app UI state and dismissed notices. Lifetime: until replaced or browser/site-data clearing.
- repod_verify_complete: localStorage signal used to complete email verification across tabs. Lifetime: until replaced or browser/site-data clearing.
- org-map playback state: sessionStorage value used to keep the Org Map time-travel animation state during the browser tab session. Lifetime: browser tab session.
5. Changing Your Choice
You can change analytics consent from the Privacy Policy controls or by clearing site cookies in your browser. Browser or network-level blocking may also prevent analytics.