Cookies · v1.0 · Effective 2026-06-01

Cookie Policy

A short, honest list of the cookies we set today and the categorised choices the banner gives you.

ePrivacy: Art 5(3) · GDPR: Art 7 · GPC: Honoured

Effective: 2026-06-01 · Version: 1.0

This policy explains the cookies BakedIn actually sets and the choices you have. It is intentionally short because, today, BakedIn sets a very small number of cookies. We will update this page when that changes.

For background on how we treat your personal data, see the Privacy Policy.


1. What a cookie is

A cookie is a small text file a website stores on your device so it can remember something between page loads or visits. Browsers also expose similar storage mechanisms (localStorage, sessionStorage, IndexedDB) — for the purposes of this policy we treat them the same way as cookies.


2. The legal basis for cookies on bakedin.co

Under the ePrivacy Directive 2002/58/EC (as amended by 2009/136/EC) and GDPR Article 7, we may only set non-essential cookies after you give informed, freely-given consent. Essential cookies — the ones strictly necessary to provide a service you asked for — are exempt.

In the United States, several state laws (CO CPA, VA CDPA, CT CTDPA, UT UCPA, and others) add their own rules on opt-out for sale/share and targeted advertising. We do not engage in sale, share, or targeted advertising, so those opt-outs do not apply today; if that ever changes we will add a "Do Not Sell or Share" link.

ePrivacy Directive 2002/58/EC Art 5(3); GDPR Art 7; Cal. Civ. Code §1798.135


3. The four categories we use

We use the same four standard categories the ICO and EDPB recommend. The consent banner lets you opt in to each category independently — there is no "accept all" dark pattern.

3.1 NECESSARY (always on)

These cookies make the Service work. The law lets us set them without consent because you cannot use the Service without them.

| Cookie | Purpose | Type | Expires |
| --- | --- | --- | --- |
| __Host-bakedin.session | Auth.js session token. Opaque value mapped to a session row in our database. Set only when you sign in. | First-party, Secure, HttpOnly, SameSite=Lax | 30 days (rolling, refreshed on activity) |
| bakedin-consent-v1 | Records your cookie-category choices and the timestamp you made them, so we can honour them and prove we asked. | First-party, Secure, SameSite=Lax | 365 days |
| authjs.callback-url / authjs.csrf-token | Auth.js anti-CSRF and post-sign-in redirect bookkeeping. | First-party, session | Until the auth flow ends |
| bakedin-anon | Anonymous session id assigned on first visit. Lets us count unique visits and stitch your pre-auth activity forward when you later sign in. Contains no PII. | First-party, Secure, SameSite=Lax | 365 days |

3.2 FUNCTIONAL (opt-in)

These cookies remember small UX preferences. We do not set any functional cookie today. When we add them — likely locale, theme, or accessibility preferences — they will appear here.

3.3 ANALYTICS (opt-in)

These let us understand how the Service is used in aggregate so we can improve it.

We run first-party, privacy-preserving measurement of our own: an anonymous per-browser identifier (no PII, never shared, never used for advertising) records which steps of the site a visitor reaches. This is stored in our own database, not sold or shared, and you can opt out by leaving the Analytics category off.

If enabled by the operator, we also use Plausible Analytics — a privacy-respecting, cookieless tool — for aggregate pageview and referrer reporting. Plausible loads only after you opt into this Analytics category; nothing from it runs before consent. We do not use Google Analytics or any cross-site tracking tool.

3.4 MARKETING / ADVERTISING (opt-in)

We do not run any marketing or advertising cookie today and we do not plan to in the foreseeable future. We do not engage in cross-context behavioural advertising.


4. How to manage your cookies

4.1 Our banner

On your first visit, the cookie banner asks for your choices. Your choice is saved to bakedin-consent-v1 for 365 days. To revisit it, click Cookie settings in the footer at any time.

4.2 Your browser

You can clear or block cookies in your browser settings. Note that blocking the necessary set will sign you out and break the Service. Useful guides:

4.3 Global Privacy Control

We honour the Global Privacy Control signal. If your browser sends GPC, we treat it as an opt-out of all non-necessary cookies and of any future "sale" or "share" of your data.

Cal. Civ. Code §1798.135(b); Colo. Rev. Stat. §6-1-1306(1)(a)(IV)


5. Third-party cookies

We do not set third-party cookies from our own pages today. When you sign in via Sign in with Google in a future phase, you may see cookies from accounts.google.com during the auth flow — those are covered by Google's policy. If we add embeds (YouTube, Vimeo, etc.) we will disclose them here.


6. Do Not Track

Some browsers send a "Do Not Track" header. The DNT signal is not defined by a single standard, so we follow the GPC signal instead (Section 4.3). We do not track in the cross-site advertising sense regardless.


7. Changes to this policy

We will update this page when our cookie use changes. Material changes will appear at the top of the page.

| Version | Date | Change |
| --- | --- | --- |
| 1.0 | 2026-06-01 | Initial publication |

8. Contact

Questions: privacy@bakedin.co


Maintained by BakedIn LLC. Licensed CC BY-NC 4.0. Source: app/(legal)/_content/cookie-policy.md.