Cookie Policy

Cookies are small text files that websites place on your device to remember preferences or track behaviour between visits. Some are set by us (first-party) and some by third parties loaded inside our pages (third-party). We also use comparable technologies (localStorage, session storage) — treated the same way by this policy.

Strictly necessary (always on — no consent required):

• __Host-session — Clerk authentication for /admin/*. HTTP-only, Secure, SameSite=Lax. Expires: session.
• sf-consent — records your cookie-banner choice so we don't ask again. 12 months.
• cf_clearance, __cf_bm — Cloudflare bot protection. Cloudflare-managed, see their docs.

Analytics (only after you accept "Analytics"):

• Plausible sets no cookies — it fingerprints nothing, uses a rotating hash of IP+UA+domain that expires daily.

Product (only after you accept "Product analytics"):

• PostHog sets ph_* cookies (distinct ID, feature-flags) for up to 12 months. Data region: EU.

The first time you visit surfient.com you'll see a cookie banner with three options: "Accept all," "Only necessary," and "Customise." Your choice is stored in sf-consent and respected on every page load.

To change later, click Cookie settings in the site footer. You can also clear cookies from your browser settings at any time — we'll simply ask again on your next visit.

If your browser sends the Global Privacy Control (GPC) signal or the legacy Do Not Track (DNT) header, we treat that as an opt-out from non-essential cookies — same as clicking "Only necessary" in the banner. You don't need to do anything else.