Cookie Policy
Last updated 2026-04-22
Short version
Caladria uses a small number of strictly-necessary cookies to keep you signed in and to keep our infrastructure online, plus a single first-party analytics cookie set by PostHog so we can understand how the site is used. We do not use cookies for advertising, profiling, or cross-site tracking. Every cookie listed below either exists for as long as your session lasts, expires in minutes once its job is done, or holds an anonymous device ID that you can clear from your browser at any time.
What cookies are
A cookie is a small piece of text your browser stores on your device at a website's request. On every subsequent visit the browser hands that text back so the site can recognise you. Some cookies exist only for a single browsing session; others persist across visits. Most of our cookies are "essential" or "strictly necessary"; the PostHog analytics cookie listed below is the one exception. You can block or clear it at any time via your browser's normal controls with no effect on the rest of the site.
Cookies we set
| Name | Purpose | Lifetime |
|---|---|---|
caladria_session | Signed session after Discord sign-in. Stores your Discord ID, username, avatar hash, and an admin flag so the header and store know who you are. | Session (cleared on sign-out) |
caladria_oauth | CSRF token set at the start of the Discord OAuth handshake so we can verify the redirect-back is ours. | 10 minutes |
caladria_oidc | CSRF token used when the admin panel signs in via the Caladria OIDC provider. Same role as caladria_oauth, different flow. | 10 minutes |
caladria_admin_env | Admin panel only: remembers whether you're editing the dev or prod database so the selector doesn't reset when you navigate between pages. | 30 days |
ph_<project>_posthog | PostHog product analytics. Holds an anonymous device ID so repeat pageviews register as the same browser, plus session metadata used to group events. Linked to your Discord ID only after you sign in or complete a purchase. No advertising or cross-site tracking use. | 1 year |
Session and CSRF cookies are set with HttpOnly
(inaccessible to page JavaScript), Secure
(transmitted over HTTPS only), and SameSite=Lax
(not sent on cross-site POSTs). The PostHog cookie is readable by
page JavaScript, because the PostHog client library needs to read
it to attach the device ID to outgoing events; it is still set
first-party on playcaladria.com and is never sent cross-site.
Cookies set by third parties
Two providers the Service depends on may set their own cookies:
- Cloudflare (CDN, DDoS,
bot management). Most commonly
__cf_bmfor bot-management fingerprinting, andcf_clearanceif you complete a challenge page. Cloudflare describes these in their cookie policy. Neither is used for advertising; removing them just means Cloudflare has to work harder to tell you apart from a bot. - Tebex (payment processing). When you launch the Tebex.js checkout overlay during a purchase, Tebex may set cookies on their domain to keep your basket consistent and complete the payment. We don't receive or control those cookies; see Tebex's cookie policy for details.
Beyond the first-party PostHog analytics cookie described above, we do not embed Google Analytics, Meta pixels, TikTok pixels, AdSense, or any other third-party advertising tags.
Other browser storage
The store uses a small amount of browser
localStorage (not technically a
cookie, but worth mentioning) to hold a pending Tebex basket
identifier while your purchase is in flight. The value is cleared
as soon as the thank-you page confirms the transaction, or after
about 10 minutes if you abandon checkout. Nothing personal is
stored there, just an opaque basket ID.
PostHog additionally mirrors its device ID and a short queue of
pending events into localStorage
under the ph_<project>_posthog
key, so events captured while the network is flaky can still be
delivered once the browser reconnects.
Managing cookies
You can block or clear any of our cookies via your browser's normal controls. The main consequences are:
- Block
caladria_session: the store won't recognise you after sign-in, so your gold chip, account page, and store checkout won't work. - Block
caladria_oauth/caladria_oidc: Discord / admin sign-in will fail the CSRF check and loop back to the login page. - Block
ph_<project>_posthog: no effect on any feature. PostHog will treat you as a new anonymous visitor on each page load, which just means we lose a little accuracy in our usage stats. - Block Cloudflare's cookies: you may be challenged more often or rate-limited.
- Block Tebex's cookies: you won't be able to complete a purchase through the in-page overlay.
To opt out of PostHog specifically while keeping everything else,
clear the ph_<project>_posthog
cookie and matching localStorage
entry, or block the us.i.posthog.com
host with an extension like uBlock Origin. No feature of the
Service depends on PostHog running.
Changes
If we ever add or change a cookie this page will be updated and the date above bumped. Material changes will also be announced in the Caladria Discord.
Contact
Questions about cookies or any other part of our data handling go through the Caladria Discord. See the Privacy Policy for the full picture of what data we collect and how we use it.