CivilQuants — Cookie Policy
Effective date: 2026-05-31
Version: v1.3
Last updated: 2026-06-01
1. About this Cookie Policy
This Cookie Policy explains how Ember Forge Pte Ltd ("we", "us", "our") uses cookies and similar tracking technologies on civilquants.com and the related surfaces of the CivilQuants service.
It supplements our Privacy Policy and Terms of Service. For broader information on how we handle personal data, please read the Privacy Policy.
2. What are cookies?
A cookie is a small text file stored on your device (computer, tablet, phone) by a website you visit. Cookies let the site remember your choices and actions across pages and visits. They can be:
- First-party (set by
civilquants.comitself) or third-party (set by another domain we have integrated, such as Stripe or PostHog) - Session (deleted when you close your browser) or persistent (kept for a set period)
- Essential (the site needs them to work), functional (they remember preferences), analytics (they tell us how the site is used), or marketing (they measure which advertising led to a purchase — Google Ads conversion measurement, consent-gated)
We also use similar technologies — like localStorage, sessionStorage, and pixel tags — for the same purposes. Where we say "cookies" in this policy, we mean cookies and similar technologies together.
3. Your choices — the cookie banner
The first time you visit civilquants.com, we show a cookie banner. You have three equally-prominent choices:
- Reject all — only essential / strictly-necessary storage operates. Analytics, performance, and marketing are disabled. The site still works for browsing and for paid usage.
- Accept all — all categories operate (essential + analytics + performance + marketing).
- Customize — granular control: toggle Analytics, Performance, and Marketing each on or off independently; Essential cannot be disabled.
The Reject-all and Accept-all buttons are presented with equal visual weight (UK ICO / EU EDPB guidance on consent: rejection must be as easy as acceptance).
Your choice is stored as described in §4.1 below. You can change your preferences at any time by clicking Cookie preferences in the site footer, which reopens the banner.
3.1 Browser privacy signals
We honour the Global Privacy Control (GPC) signal. If your browser transmits a GPC signal, our system interprets this as an opt-out of non-essential storage, equivalent to selecting "Reject all." You may still subsequently choose to opt in via the cookie banner.
We do not specifically honour the legacy "Do Not Track" (DNT) header, which has been formally deprecated by major browsers and is no longer treated as a meaningful consent signal under current regulatory guidance. If your browser sends DNT but not GPC, you should set your preferences via our cookie banner.
4. Cookies and similar technologies we use
Note on storage technologies. "Cookies" in this section is a shorthand. The PECR Regulation 6 / EU ePrivacy Article 5(3) framework applies to any storage of, or access to, information on your device, regardless of whether the mechanism is an HTTP cookie,
localStorage,sessionStorage, IndexedDB, a service-worker cache, a Web Storage API entry, an SDK-managed identifier, or a similar technology. Where the storage mechanism is not an HTTP cookie, this is noted in the Storage technology column of the tables below.
4.1 Essential / strictly-necessary storage (always on)
These items are strictly necessary for the Service to function. You cannot opt out of these without breaking the site (you would not be able to log in or pay). They do not require consent under PECR Regulation 6(4) / EU ePrivacy Article 5(3) because they fall within the strict-necessity exception.
| Name | Provider | Purpose | Duration | Storage technology |
|---|---|---|---|---|
__session (Clerk) | Clerk (auth provider) | Maintains your authenticated session | Session | HTTP cookie |
__client (Clerk) | Clerk | Identifies your device for security | 7 days | HTTP cookie |
cq_csrf_token | civilquants.com | CSRF protection for form submissions and API calls | Session | HTTP cookie |
cq_currency | civilquants.com | Remembers your selected display currency | 1 year | HTTP cookie |
cq_cookie_consent | civilquants.com | Records your cookie-banner choice | 1 year | localStorage (mirror also written to a same-named HTTP cookie for server-side awareness on the first request of the next session) |
__stripe_mid, __stripe_sid | Stripe | Fraud prevention during checkout | 1 year / 30 minutes | HTTP cookie |
cf_clearance, __cf_bm | Cloudflare | Bot mitigation, DDoS protection | Session / 30 minutes | HTTP cookie |
| Sentry error-capture state | Sentry (EU region) | Diagnostic identifiers necessary to capture security-critical errors, stripped of project content | Session | In-memory + transient HTTP headers (sentry-trace, baggage) — not persisted to your device |
4.2 Optional product analytics (consent required)
These items operate only after you accept Analytics in the cookie banner (or click "Accept all"). Until consent, our analytics provider is fully disabled — no events are captured and no analytics identifiers are written.
| Name | Provider | Purpose | Duration | Storage technology |
|---|---|---|---|---|
ph_*_posthog | PostHog (EU region — verified at deployment) | Product analytics — understand which features are used, how users move through the funnel | 1 year | HTTP cookie + localStorage (PostHog uses both; both are gated on consent) |
| Sentry session-replay / performance-tracing identifiers (when present beyond strict error capture) | Sentry (EU region — verified at deployment) | Performance monitoring beyond strict error capture | Session | localStorage + transient HTTP headers — gated on consent for any session-replay or non-essential performance tracing |
Strict error capture vs optional performance tracing — Sentry distinction. Sentry is used in two modes: (i) essential error capture — capturing security-critical and operational errors that we need to know about to keep the Service reliable and secure (this is treated as strictly necessary; no consent required; project content is stripped from error payloads); (ii) optional session replay and non-essential performance tracing — only operates after Analytics consent. Build-Claude verifies the boundary at deployment.
We do not use Google Analytics, Facebook Pixel, or LinkedIn Insight Tag. Our only advertising technology is the Google Ads conversion measurement described in §4.3 below, and it is gated behind a separate Marketing consent.
4.3 Marketing cookies (consent required)
These items operate only after you accept Marketing in the cookie banner (or click "Accept all"). Until you do, Google's advertising tag is not loaded and no advertising identifiers are written. Marketing consent is separate from Analytics consent — accepting one does not enable the other, in line with UK ICO / EU EDPB guidance that advertising consent must be sought distinctly.
We use a single marketing technology: Google Ads conversion measurement. Its only purpose is to tell us whether an advertising click led to a 7-day-pass purchase or a subscription, so we can judge whether our advertising is worth running. The tag fires only on the post-purchase confirmation pages — not while you browse — and we do not use it for cross-site retargeting or to build advertising profiles.
| Name | Provider | Purpose | Duration | Storage technology |
|---|---|---|---|---|
_gcl_* (Google Ads conversion linker) | Google Ireland Limited ("Google Ads") | Attribute a 7-day-pass purchase or subscription to the advertising click that led to it, so we can measure advertising effectiveness | Up to 90 days | HTTP cookie + localStorage |
If we ever add further marketing or retargeting technologies, we will update this policy and present the banner again so you can choose.
5. How long cookies last
Each cookie has its own duration, listed in the tables above:
- Session cookies are deleted when you close your browser
- Persistent cookies stay on your device for the duration shown (max 1 year for any cookie we set)
- You can delete cookies any time via your browser's settings — though this will reset your preferences
6. Third-party cookies
Some cookies above are set by third parties whose services we integrate:
- Stripe — processes payments. Stripe's cookie use is governed by https://stripe.com/cookies-policy
- Clerk — authentication. Clerk's cookie use: https://clerk.com/legal/cookie-policy
- Cloudflare — security and CDN: https://www.cloudflare.com/cookie-policy/
- PostHog (with consent) — product analytics: https://posthog.com/privacy
- Sentry (with consent for performance tracing) — error monitoring: https://sentry.io/privacy/
- Google Ads (with Marketing consent) — advertising-conversion measurement: https://policies.google.com/technologies/cookies
We have a Data Processing Agreement with each of these providers restricting their use of cookie data to providing services to us.
7. How to manage cookies in your browser
Independently of our cookie banner, you can manage cookies via your browser settings:
- Chrome: https://support.google.com/chrome/answer/95647
- Firefox: https://support.mozilla.org/kb/cookies-information-websites-store-on-your-computer
- Safari (macOS): https://support.apple.com/guide/safari/manage-cookies-sfri11471/mac
- Safari (iOS): https://support.apple.com/HT201265
- Edge: https://support.microsoft.com/microsoft-edge/delete-cookies-in-microsoft-edge-63947406-40ac-c3b8-57b9-2a946a29ae09
Note that blocking essential cookies (or all cookies entirely) will break parts of the Service — you will not be able to log in or complete a purchase.
8. Updates to this Cookie Policy
We may update this policy when we add or change cookies. The "Last updated" date at the top records the most recent change. Material changes (a new category, a new third-party tracker) will trigger a fresh consent prompt; we will not re-enable a category you previously declined without re-asking.
9. Contact
For questions about this Cookie Policy or our use of cookies:
- DPO:
dpo@emberforge.sg - General privacy questions: see Privacy Policy