Legal
Cookie Policy
A complete and up-to-date list of every cookie and piece of browser storage Coommit uses, what each one does, and how long it sticks around. No advertising trackers. That's a hard line.
Effective May 15, 2026 · Last updated May 15, 2026
1. What cookies are
Cookies are tiny pieces of text a website asks your browser to remember. They let a site recognize you between page loads, remember preferences, keep you signed in, and (sometimes) track your behavior.
Beyond cookies, websites can also store data using localStorage, sessionStorage, and similar APIs in your browser. We treat all of these together in this policy.
2. What we use cookies for
Two categories, and only two:
- Strictly necessary: cookies and storage required for the site or product to work: keeping you signed in, preventing CSRF, remembering a referral or UTM source between pages, holding form drafts.
- Analytics: Google Analytics 4, used to understand aggregated traffic and feature usage. We do not use Google Ads, advertising audiences, or any tracking pixel beyond GA4.
We do not use: advertising cookies, retargeting pixels, social-media trackers, behavioral profiling, or third-party ad networks. None. The browser-storage entries we set are all for the categories above.
3. The cookies we set
3.1 Marketing site (coommit.com)
| Name | Type | Provider | Purpose | Lifetime |
|---|---|---|---|---|
_ga |
Cookie | Google Analytics | Distinguishes unique visitors for aggregated traffic analysis | 2 years |
_ga_* |
Cookie | Google Analytics | GA4 session state (where * matches our property ID) |
2 years |
coommit_ref |
Cookie | Coommit | Persists a referral code (when you arrive via ?r=CODE) so it survives navigation and reaches the waitlist form |
90 days |
coommit_first_referrer |
sessionStorage | Coommit | Stores the first external referrer URL for attribution when you submit the waitlist form | Session (cleared when you close the tab) |
coommit_utm_source, coommit_utm_medium, coommit_utm_campaign, coommit_utm_term, coommit_utm_content |
sessionStorage | Coommit | Captures UTM parameters from your landing URL so they survive navigation and reach the waitlist form | Session |
coommit_gclid |
sessionStorage | Coommit | Captures Google Ads click ID (gclid) when present, for attribution on signup | Session |
Note: we do not run Google Ads campaigns today. The gclid capture exists in case we do in the future. It just sits idle when no gclid is present in the URL.
3.2 Product application (app.coommit.com)
| Name | Type | Provider | Purpose | Lifetime |
|---|---|---|---|---|
| Authentication session | HTTP-only cookie | Coommit | Keeps you signed in | 30 days (rolling) |
| CSRF token | Cookie | Coommit | Prevents cross-site request forgery on state-changing actions | Session |
| Waitlist session | Cookie | Coommit | Maintains your waitlist state between visits | 90 days |
| Guest session | Cookie | Coommit | Temporary identity when you join a room via guest invite link | 24 hours |
| Locale preference | Cookie / localStorage | Coommit | Remembers your interface language | 1 year |
| Theme preference | localStorage | Coommit | Remembers dark/light theme choice | Until you change it |
| OAuth flow state | HTTP-only cookie | Coommit | Used briefly during Google/GitHub sign-in to prevent CSRF on the OAuth callback | 10 minutes |
4. Third-party cookies
The only third-party cookies we currently set are those of Google Analytics 4 (_ga, _ga_*), used for aggregated traffic and feature-usage analytics. Google may use this data in line with its own privacy policy. See Google's Privacy Policy.
Other sub-processors we work with (Stripe, Resend, Sentry, etc.) may set their own cookies only on their own domains, when their interfaces or services are loaded. They do not set cookies on coommit.com or app.coommit.com.
When you choose to embed a third-party resource inside a Coommit room (for example, a YouTube video, a Twitter post, a Google Drive document), that third party may set cookies under their domain, governed by their policy, not ours.
5. How to control cookies
You can manage cookies in several ways:
- Browser settings. Every major browser lets you block or delete cookies (Chrome, Firefox, Safari, Edge). Blocking strictly-necessary cookies will break sign-in and parts of the product.
- Opt out of Google Analytics. Install the Google Analytics Opt-Out Browser Add-On, or use a tracker-blocking extension.
- "Do Not Track" / Global Privacy Control. We honor the Global Privacy Control (GPC) signal where applicable under California's CCPA. When GPC is set, we treat it as an opt-out request to the extent we have anything to opt out of (which is "not much," because we don't sell or share data for advertising).
6. Changes
If we add, remove, or change cookies, we'll update this page and bump the "Last updated" date at the top. For material changes (new categories, new third parties), we'll also notify registered users by email at least 30 days in advance.
7. Contact
Questions about cookies, browser storage, or anything else: hello@coommit.com.
TAAO, Inc.1007 N Orange St, 4th Floor 5510
Wilmington, DE 19801
USA