Cookie Policy
Effective Date: June 9, 2026. Last Updated: June 9, 2026.
1. What This Policy Is For
Cookies are tiny text files your browser stores when you visit a site. We use them to keep you signed in, remember your preferences, and understand which parts of amtil.co are getting traffic. This policy tells you what each cookie does, who sets it, how long it sticks around, and how you can switch off the optional ones.
If a term in this policy conflicts with our Privacy Policy, the Privacy Policy controls. Both should agree, but if there is a gap, that is the rule.
2. Categories
We group cookies into four categories.
- Strictly necessary: without these the site does not function. Sign-in, CSRF protection, load balancing.
- Functional: these remember your preferences (saved language, "remember me" choices, recently opened 3D models).
- Analytics: these tell us, in aggregate, which pages and features are being used. They do not identify you to us individually.
- Advertising: used today only by external ad platforms when you click an AMTIL ad on LinkedIn or Google. We do not drop advertising cookies on amtil.co ourselves.
3. The Actual Cookies We Set
| Name | Provider | Purpose | Lifetime | Category |
|---|---|---|---|---|
sb-access-token | Supabase | Signed-in session token | 1 hour (refreshed) | Necessary |
sb-refresh-token | Supabase | Refreshes the session token | 30 days | Necessary |
amtil-csrf | AMTIL | Protects form submissions from cross-site forgery | Session | Necessary |
__cf_bm | Cloudflare | Distinguishes humans from bots for DDoS protection | 30 minutes | Necessary |
amtil-prefs | AMTIL | Stores your UI preferences (theme, language) | 1 year | Functional |
_ga | Google Analytics 4 | Distinguishes returning visitors for aggregate traffic reports | 2 years | Analytics |
_ga_* | Google Analytics 4 | Stores session state for a specific GA4 property | 2 years | Analytics |
We do not currently run the LinkedIn Insight Tag or the Meta Pixel on amtil.co. If we add either we will list it here before going live.
4. Third-Party Cookies When You Sign In With Google or LinkedIn
If you sign in using a third-party identity provider, that provider may set its own cookies in your browser during the OAuth handshake. Those cookies are governed by the provider's policy, not ours.
5. How to Manage Cookies
You can clear or block cookies at any time in your browser settings. Quick links:
If you block strictly-necessary cookies, parts of AMTIL (anything that requires signing in) will stop working. That is not a design choice, it is the nature of how session cookies work.
To opt out of Google Analytics across every site that uses it, install the Google Analytics opt-out browser add-on.
6. Do Not Track
Some browsers send a Do Not Track signal. There is no industry standard on what a site should do with it, but we treat a DNT header as a signal to disable Google Analytics for that session.
7. Changes
If we add, remove, or materially change a cookie we update this page and bump the "Last Updated" date at the top. If the change affects what data is collected about you, we also note it in the Privacy Policy.
8. Contact
Email privacy@amtil.co with questions.