Last updated: 2026-06-04 | Effective date: 2026-06-04
This notice explains the small set of cookies and similar browser-storage technologies Cobalt (app.cobalt.photos, marketing site cobalt.photos) uses, and our approach to consent. It supplements our Privacy Policy. Cobalt is operated by Jakub Ludwig, IČO 88711111, Czech Republic.
We keep browser storage to the minimum needed to run the Service securely. We do not use third-party advertising cookies, and we do not use cross-site tracking or ad-profiling cookies. The items we set are strictly necessary for sign-in and security, so — under the ePrivacy rules (Directive 2002/58/EC, as transposed in the Czech Republic by § 89 of Act No. 127/2005 Coll. on electronic communications) — they are exempt from the consent requirement. No cookie consent banner is required for strictly necessary storage.
| Name / item | Type & where stored | Purpose | Duration | Category |
|---|---|---|---|---|
drift_token |
Authentication token in the browser's localStorage (not a cookie; same-origin only) | Keeps you signed in to the app after you authenticate with Google, so each request can be authorised. It is not sent to third parties. | Persists until you sign out or clear it; the underlying token expires after the configured token lifetime (currently 7 days). | Strictly necessary |
drift_workspace |
Preference value in localStorage | Remembers which workspace you are currently acting in (e.g. a shared workspace you switched into). | Until changed or cleared. | Strictly necessary / preference |
drift_oauth_state |
Short-lived cookie; httpOnly, SameSite=Lax |
Carries an anti-forgery (CSRF) nonce during the "Sign in with Google" redirect to protect the login flow. | Up to about 10 minutes; cleared as soon as sign-in completes. | Strictly necessary (security) |
| Cloudflare security tokens | Cookies/challenge tokens set by our CDN (Cloudflare) at the network edge | DDoS/bot protection and reliable content delivery. | As set by Cloudflare (typically short-lived). | Strictly necessary (security) |
| Umami analytics (self-hosted) | No cookie and no browser storage — Umami is cookieless and stores nothing on your device | Aggregate, anonymous usage analytics (e.g. page-view counts) to help us improve the Service. No personal data, no cross-site tracking. | Not stored on your device. | Analytics (cookieless — no consent required) |
The strictly necessary items above are required to provide the Service you ask for (signing in, staying signed in, and securing the connection), and consent is not legally required for strictly necessary storage. Our analytics (self-hosted Umami) is cookieless and stores or reads nothing on your device, so it too falls outside the consent requirement. We do not place any non-essential or tracking cookies that would require consent.
You can clear cookies and local storage at any time through your browser settings, and you can sign out of Cobalt to clear the authentication token. Note that blocking strictly necessary items will prevent sign-in and stop the app from working.
Signing in uses "Sign in with Google" (Google OAuth). Google may set its own cookies on Google's own domains during authentication; those are governed by Google's privacy and cookie policies, not this notice.
We will update this notice if our use of cookies or browser storage changes, and update the "Last updated" date above. Questions: [email protected].
© 2026 Jakub Ludwig — Cobalt (cobalt.photos). Last updated: 4 June 2026.