Cookies AISO sets.

AISO sets the minimum cookies needed to keep you signed in, attribute referral signups fairly, and (optionally) measure feature usage via PostHog. The list below is exhaustive for the application itself — third-party processors (Stripe, Privy) may set their own cookies on their own domains during checkout / sign-in flows.

Last updated: 2026-06-02 · Operational v1 pending qualified legal review.

1. Essential cookies (no consent required)

aiso_session — HttpOnly, SameSite=Lax, 30-day lifetime. Holds a hashed session token after sign-in. Without this you cannot reach /app/*.
aiso_ref — HttpOnly, SameSite=Lax, 30-day lifetime. HMAC-signed referral code captured from ?ref= at first visit so referral attribution survives the signup flow.
aiso_visit — HttpOnly, SameSite=Lax, session-scoped. Anti-bot marker that the middleware sets so the public profile only logs real human visits.

2. Non-essential cookies (consent required in EEA / UK)

ph_* — PostHog analytics. Loaded only after consent in EEA / UK; loaded by default elsewhere (CCPA notice instead). Track which features visitors use. Opt out via the cookie banner or by enabling your browser DNT setting.

No advertising cookies, no third-party trackers, no fingerprinting libraries are loaded by AISO itself.

3. Third-party cookies on third-party domains

When you check out through Stripe (checkout.stripe.com) or sign in through Privy (privy.io), those vendors set their own cookies on their own domains. They're governed by Stripe's + Privy's own policies. AISO has no access to and cannot read them.

4. How to opt out

Essential cookies cannot be disabled — disabling them breaks sign-in. PostHog analytics can be opted out by toggling consent on first visit (EEA / UK), by setting navigator.doNotTrack = "1" / “Do Not Track”, or by clearing ph_* cookies in your browser.

5. Changes

If AISO ever introduces a new non-essential cookie, this page is updated and consent is re-requested in EEA / UK before the cookie loads.