Cookie Policy
Last updated: Effective:
1. What this Policy covers
This Policy explains the cookies and other client-side storage technologies Exohaven uses on exohaven.app. For convenience we use the word “cookies” loosely to include true HTTP cookies as well as localStorage and sessionStorage, which function in similar ways.
3. The cookies and storage we use
| Name / key | Type | Set by | Storage | Purpose | Approximate lifetime |
|---|---|---|---|---|---|
| better-auth.session_token | Strictly necessary | Exohaven (Better Auth) | HTTP cookie — HttpOnly, Secure, SameSite=Lax | Authenticates you while you are signed in. | Session, up to 30 days |
| better-auth.csrf_token | Strictly necessary | Exohaven (Better Auth) | HTTP cookie | Protects authentication endpoints from cross-site request forgery. | Session |
| _ga | Analytics | Google Analytics 4 (Google LLC) | HTTP cookie | Distinguishes unique visitors. | 2 years |
| _ga_T14K2TCD5J | Analytics | Google Analytics 4 (Google LLC) | HTTP cookie | Persists session state for our GA property. | 2 years |
| ai-itinerary | Functional | Exohaven | sessionStorage | Stores the in-progress AI itinerary builder form so navigating away does not lose your input. | Until you close the tab |
| exohaven:returnTo | Functional | Exohaven | sessionStorage | Remembers where to send you after sign-in (for example when you arrive via an invite link). | Until you close the tab |
| exohaven-notifications | Functional | Exohaven | localStorage | Persists background-job notification status across page loads (so you do not get notified twice about the same itinerary). | Until you clear browser site data |
4. Why strictly necessary cookies cannot be disabled
Without better-auth.session_token you cannot stay signed in. Without better-auth.csrf_token our authentication endpoints will reject requests as a security measure. Disabling these in your browser will break sign-in and most of the Service.
5. Analytics cookies and how to opt out
We load Google Analytics 4 on every page to understand which features people use, which pages perform well, and how to improve the Service. Google sets the _ga and _ga_T14K2TCD5J cookies described above. Google’s use of this data is governed by Google’s Privacy Policy.
Google Analytics does not load until you grant consent on the cookie banner that appears on your first visit. If you accept and later change your mind, use the preferences control immediately below to switch analytics off — we’ll stop loading the script and make a best-effort attempt to clear the cookies it set.
You can also opt out of Google Analytics independently by:
- installing the Google Analytics Opt-out Browser Add-on; or
- using a privacy-blocking extension (for example uBlock Origin) or a browser’s tracking-protection feature; or
- clearing your browser’s site data for exohaven.app.
6. localStorage and sessionStorage
localStorage and sessionStorage are not technically HTTP cookies but they serve a similar purpose — storing data in your browser between page loads. We list the keys we use in the table above so you can see exactly what we store. Clearing your browser’s site data for exohaven.app removes all of them.
7. Third-party cookies via links and embeds
If you follow a link from Exohaven to a third-party site — for example a Blacvolta event page, the Google OAuth consent screen, or the Paystack checkout — that third party will set its own cookies under its own policy. Map tiles from OpenStreetMap are served from third-party servers; loading a map sends your IP and request headers to those servers.
8. Changes to this Policy
We may update this Cookie Policy from time to time. The current version is always available at this URL.
9. Contact us
Questions about cookies? Email [PRIVACY_CONTACT_EMAIL].
