Cookie policy
Last updated: 23 April 2026
This page explains the small pieces of data, generally called cookies, that our site stores in your browser, why, and how long they stick around. You can change your choice at any time using the button at the bottom of this page.
What a cookie is
A cookie is a small text file that a website stores in your browser. Some cookies are essential to make a site work (for example, to keep you logged in). Others count visitors, measure what works, or remember your preferences.
Under UK PECR, we need your consent for anything that is not strictly necessary. That is why you see a banner the first time you visit. Until you choose, we do not load analytics.
Strictly necessary
These are always on because the site cannot work properly without them. No consent is required.
xmahub-session
Keeps you signed in to the members area after you verify a magic link. Contains a base64-encoded copy of your email and an HMAC signature. HttpOnly, SameSite=Lax.
Duration: 30 days, cleared on sign-out · Set by: xmahub
xmahub-consent
Remembers your cookie-banner choice so we do not ask you again on every visit.
Duration: 12 months · Set by: xmahub
Analytics, if you consent
These are only set if you click “Accept all” on the banner. They help us understand how the site is used so we can improve it. They do not follow you across other sites.
_ga, _ga_*
Google Analytics 4. Counts visits, measures funnel performance, attributes traffic sources. IP anonymisation is enabled by default.
Duration: Up to 2 years · Set by: Google LLC (US, transfers covered by the UK IDTA)
ph_*
PostHog product analytics. Measures feature usage and funnel performance. Identifies you only after you submit the assessment; anonymous before then.
Duration: Up to 12 months · Set by: PostHog Inc. (EU region, eu.i.posthog.com)
_vercel_*
Vercel Analytics. Anonymous page-view and web-vitals measurement. No personal identifier.
Duration: Session · Set by: Vercel Inc. (US, transfers covered by the UK IDTA)
What we do not use
We do not run advertising or retargeting pixels. No Facebook pixel, no Google Ads conversion tag, no TikTok pixel. We do not sell your data. If that ever changes, we will update this page and ask for fresh consent.
Change your mind
To change your consent choice, use the button below. You can also delete the xmahub-consentcookie in your browser's settings and the banner will reappear on the next visit. Your browser's “Clear cookies” option will reset all of the above.