Short version: we use the minimum cookies needed to keep you signed in. No analytics, no tracking pixels, no third-party scripts. That's why there is no consent banner: under EU rules, "strictly necessary" cookies are exempt from consent, so we don't ask for any.
What is a cookie
A cookie is a small text file a website stores in your browser and reads back on later visits. Cookies can be used for many things: keeping you signed in, remembering your preferences, tracking you across sites, profiling you for advertising. We use the first kind only.
The cookies unspook actually sets
The full list, with what each one does and how long it lasts:
Authentication session
Once you sign in, NextAuth writes a session cookie so the next page you load knows it's still you. Without it you would have to log in on every click. This cookie holds an opaque signed token, not your password, not your email in plain text.
- next-auth.session-token (or its __Secure- variant over HTTPS): first-party, HttpOnly, SameSite=Lax. Lasts up to 30 days; refreshed each time you visit.
- next-auth.csrf-token: first-party, used to protect sign-in forms against cross-site request forgery. Session-only.
- next-auth.callback-url: first-party, remembers where to send you after sign-in. Session-only.
Sign-in and sign-up flow
While you are signing up or signing in with Google, we set two short-lived first-party cookies to carry you safely through the redirect dance. Both are temporary and clear themselves once the flow finishes.
- idp_pending: first-party, HttpOnly, SameSite=Lax. Holds the in-progress sign-in request and a one-time anti-forgery value while you complete the "Sign in with Google" round-trip. Lasts up to 10 minutes.
- invite_token: first-party, HttpOnly, SameSite=Lax. Only set if you arrive with an invite link; it keeps your invite alive across the Google sign-in round-trip. Lasts up to 30 minutes and is deleted as soon as your account is created.
Zitadel auth flow
Our identity provider (Zitadel, self-hosted on the auth.unspook.com subdomain) sets a small number of cookies on its own domain while you are logging in or signing up. These are first-party from your point of view (same registrable domain) and exist solely to complete the OIDC login dance; they go away when you finish signing in.
What we don't do
- No analytics cookies. No Google Analytics, no Plausible, no Matomo, no PostHog, no Hotjar, no session replay.
- No advertising cookies. No Meta Pixel, no Google Ads, no LinkedIn Insight Tag, no retargeting.
- No third-party scripts. The site doesn't load fonts, embeds, or trackers from any domain that would set a cookie in your browser on someone else's behalf.
- No fingerprinting. We don't build a device profile from your screen size, fonts, or canvas rendering.
Why no consent banner
Under the ePrivacy Directive (the rule behind most cookie banners), the cookies that need explicit consent are the non-essential ones: analytics, advertising, profiling. Cookies that are strictly necessary to deliver a service the user actively requested are exempt. Sign-in cookies are the classic example.
Because unspook only uses strictly-necessary cookies, there is nothing to ask consent for. If we ever add an optional cookie (the most likely candidate is a cookie-free EU analytics product like Plausible), we would still need to update this page first. If we did add anything that required consent, a banner would appear and you would be able to decline without losing access to the site.
How to clear or block cookies
Every browser lets you view, delete, and block cookies. The relevant settings live under:
- Chrome / Edge: Settings → Privacy and security → Cookies and other site data.
- Firefox: Settings → Privacy & Security → Cookies and Site Data.
- Safari: Settings → Privacy → Manage Website Data.
If you block or delete the unspook session cookie, you will be signed out. The site will still work for browsing jobs without an account.
Changes to this notice
If we add a cookie, change what an existing one does, or extend how long it lasts, this page will be updated and the effective date at the top will change. Material changes will also be called out in the next release notes.
Contact
Questions about cookies or anything else on this page: sam@unspook.com.