Necessary access remains available
Security, authentication and consent-choice technologies operate only to provide and protect the service requested by the user.
This policy explains how Collty uses cookies and similar browser technologies, which technologies are necessary, when optional analytics may run, and how you can control your choices.
Security, authentication and consent-choice technologies operate only to provide and protect the service requested by the user.
Google Analytics remains disabled unless analytics consent is granted through Collty's cookie controls.
Collty may introduce optional campaign or communication measurement later, but any such technology will be identified before Collty relies on the user's choice.
This policy covers cookies and comparable storage or access technologies used on collty.com and in Collty browser applications. The Privacy Policy explains the broader processing of personal information.
This Cookie Policy applies when you visit collty.com or use a Collty browser application. In this policy, a cookie means a small value stored by a browser for a website. Similar technologies include local storage, session storage, pixels, tags and scripts that store information on, or read information from, a browser or device.
Some technologies process identifiers or usage information and therefore also fall within the Collty Privacy Policy. This policy should be read together with that policy.
These technologies support secure sign-in, session protection, OAuth integrity, account routing, fraud prevention and storage of the user's cookie choice. They are used because the requested service cannot operate securely without them. They cannot be disabled in Collty's preference center, although a browser may block or delete them.
Collty stores interface and workflow state in the browser so the product can remember theme, panel positions, onboarding progress, pending navigation, local drafts and other choices. Depending on the feature, this storage may be necessary for a requested workflow or used to improve continuity and convenience.
Analytics helps Collty understand website performance, navigation and product usage. Google Analytics is configured with analytics storage denied by default and its script is not requested until the user grants analytics consent. Advertising storage and ad personalization remain denied.
Collty may in the future use optional technologies for campaign attribution, referral measurement, communication performance or advertising measurement. No marketing or advertising script is currently activated through the Collty consent system. Before Collty relies on a newly introduced technology, this policy and the preference information will identify its provider, purpose and duration. Fresh consent will be requested where the technology or purpose is materially different.
| Technology | Provider and purpose | Duration | Category |
|---|---|---|---|
| ct_session | Collty. Authenticates the account, protects access and maintains the signed-in session. | Up to 12 hours | Strictly necessary |
| ct_oauth_state | Collty. Protects the integrity of a Google OAuth sign-in request and its callback. | Up to 10 minutes | Strictly necessary |
| ct_pkce_* and related short-lived OAuth cookies | Collty authentication flow. Completes secure PKCE identity-provider authentication and prevents request substitution. | During the OAuth flow, normally minutes | Strictly necessary |
| collty_cookie_consent | Collty. Records whether optional analytics or marketing categories were enabled for this browser. | 180 days | Strictly necessary |
| _ga | Google Analytics. Distinguishes browser instances for aggregate usage measurement after analytics consent. | Up to 2 years, subject to browser limits | Analytics; optional |
| _ga_<container-id> | Google Analytics. Maintains analytics session state after analytics consent. | Up to 2 years, subject to browser limits | Analytics; optional |
Collty also uses localStorage and sessionStorage. Unlike a traditional cookie, these values normally stay in the browser and are not automatically attached to every network request. They can still be covered by storage and access rules and are disclosed here for transparency.
| Storage group | Purpose | Typical duration |
|---|---|---|
| collty.cookie-consent.v1 | Keeps a browser-side copy of the optional-cookie choice and consent version. | 180 days or until cleared |
| Theme and interface preferences | Remembers light or dark theme, collapsed panels, canvas viewport, dock position and similar interface choices. | Until cleared or replaced |
| Workflow and local draft state | Preserves selected boards, local agent or canvas drafts, temporary assembly state, onboarding progress and recent feature state requested by the user. | Feature-dependent; until cleared or replaced |
| Session navigation and recovery state | Carries a pending navigation, OAuth or password-recovery step across pages in the current browser tab. | Current browser-tab session |
| Limited account routing hints | Helps the interface restore the selected workspace or role and coordinate sign-in state between tabs. The protected session remains in the HttpOnly session cookie. | Until sign-out, replacement or browser clearing |
On a shared device, sign out when finished and consider clearing site data. Deleting browser storage may reset preferences, local drafts and interface state. It does not necessarily delete information already stored in an authorized Collty account or workspace; account deletion and privacy requests are governed by the Privacy Policy.
When analytics consent is enabled, Collty may load Google Analytics 4 through googletagmanager.com. The current configuration requests page-view measurement, enables IP anonymization and keeps Google advertising storage, ad-user-data storage and ad-personalization storage denied. Google processes analytics information under its own applicable terms and privacy materials.
Google documents _ga and _ga_<container-id> as first-party analytics cookies with a default expiration of two years. Browser restrictions can shorten that duration. Collty does not load the Google Analytics script while analytics consent is absent or withdrawn.
If you choose Google sign-in, the identity provider may use its own cookies on its domains to authenticate the provider account and complete the sign-in request. Those technologies are controlled by the provider and described in its own privacy and cookie materials. Collty's first-party OAuth cookies are listed above.
Collty may update this policy when technologies, providers, purposes or legal requirements change. The effective date and version identify the current policy. Where a new optional purpose requires consent, Collty will not treat an earlier, materially different choice as consent for that purpose.
privacy@collty.com
office@collty.com
When contacting Collty, describe the browser, device and technology or preference you are asking about. Do not send passwords, session tokens or other authentication secrets.