Cookie Notice
Updated: 2026-05-22
Effective from: 2025-10-01
This Cookie Notice explains how Citizen iD uses cookies and similar technologies. Read it together with the Privacy Policy.
1. Summary
Citizen iD uses necessary cookies and similar technologies for authentication, security, OAuth/OIDC authorization, account sessions, and service operation.
These are required and do not require consent.
Citizen iD may also use optional analytics through PostHog EU.
Analytics are disabled unless you allow them through Privacy Preferences, or unless the deployment is configured in a strictly anonymous, consent-exempt mode described in this notice.
Citizen iD does not use advertising cookies, retargeting pixels, third-party behavioral advertising cookies, or sell/share personal data.
2. Cookie and technology inventory
| Name or technology | Provider | Purpose | Category | Duration / retention | Notes |
|---|---|---|---|---|---|
| ASP.NET Identity application/session cookie | Citizen iD / ASP.NET Core Identity | Keeps you signed in and maintains authenticated sessions | Strictly necessary | Up to 14 days unless cleared or expired earlier | Required for account functionality |
| External OAuth correlation cookies | Citizen iD / external login handlers | Protects external login flows and correlates OAuth requests and callbacks | Strictly necessary / security | Approximately 5 minutes | Used during sign-in with providers such as Discord, Google, Twitch, or another configured provider |
| Antiforgery/session cookies | Citizen iD / ASP.NET Core | Helps protect forms and requests from CSRF and related attacks | Strictly necessary / security | Up to 14 days unless cleared or expired earlier | Required for application security |
| OAuth access and ID token metadata | Citizen iD / OpenIddict | Supports OAuth/OIDC authorization and API access | Strictly necessary / authorization | Up to 4 hours | Not always a browser cookie, but relevant to sessions and authorization |
| OAuth refresh token metadata | Citizen iD / OpenIddict | Supports continued authorization where applicable | Strictly necessary / authorization | Up to 14 days | Reference refresh-token behavior may apply |
| PostHog EU analytics | PostHog EU Cloud endpoints | Optional product analytics and reliability analysis | Optional analytics | Up to 3 months | Disabled unless allowed through Privacy Preferences or configured in the strictly anonymous, consent-exempt mode described in this notice. Session recording is disabled and analytics are not used for advertising. |
| RSI/Spectrum server-side cookies or tokens | RSI/Spectrum API | Server-to-third-party requests used for profile and verification data retrieval | Integration / security | Provider-controlled / operational | Not found as Citizen iD browser cookies; used for integration requests |
| Cloudflare CDN/network requests | Cloudflare | CDN, network routing, availability, and security | Functional / security | Provider-controlled | May process browser request metadata |
| Google Fonts and jsDelivr asset requests, if loaded externally | Google / jsDelivr | Loads fonts and frontend assets | Functional / CDN | Provider-controlled | May expose browser request metadata such as IP address to third-party asset providers unless self-hosted |
3. Necessary technologies
Necessary technologies are used to provide the service you request, keep you signed in, secure external login flows, prevent abuse, operate the service, and protect the service. These are required and do not require consent.
Blocking necessary cookies may prevent authentication, authorization, account settings, OAuth flows, or security features from working.
4. Analytics technologies
Analytics help Citizen iD understand aggregate service usage, diagnose bugs, improve reliability, and identify product issues.
Optional analytics through PostHog EU are disabled unless you allow them through Privacy Preferences, or unless the deployment is configured in a strictly anonymous, consent-exempt mode described in this notice.
PostHog analytics is not used for advertising, retargeting, sale or sharing of personal data, or cross-site behavioral advertising. Session recording is disabled. PostHog is configured to respect Do Not Track.
Analytics events are retained for up to 3 months.
A strictly anonymous, consent-exempt deployment mode means analytics must not identify a person, account, device, browser, or household and must not store or access non-essential browser cookies or similar local identifiers.
5. Your choices
You can control many cookies through your browser settings.
You can use the Citizen iD cookie/analytics banner or Privacy Preferences controls, where available, to accept, reject, or change analytics preferences.
If you enable Do Not Track in your browser, PostHog analytics should not track you according to the current configuration. Do Not Track is not the same as Global Privacy Control. Citizen iD does not currently sell personal data, share personal data for cross-context behavioral advertising, or use targeted advertising. If Citizen iD later enables processing covered by opt-out preference signal laws, it should implement and document Global Privacy Control before that processing begins.
6. Changes
Citizen iD may update this Cookie Notice as technologies, providers, or legal requirements change.
For questions, contact hi@citizenid.space.
