
Counsel-ready draft

Cookie Policy draft

Draft cookie policy covering essential cookies, optional analytics or preference cookies, consent posture, third-party cookies, and the cookie audit required before publication.

Draft version: 0.1
Effective date: Pending counsel review
Last updated: May 2, 2026

Draft publication status

This page is counsel-ready draft content, not final legal advice and not a final published policy. It must stay draft-labeled until legal, security, product, subprocessor, and cookie/analytics reviews are complete.

1. Overview

This Cookie Policy explains how HeadsDown uses cookies and similar technologies on its websites, web application, and related services.

Cookies are small files stored on your browser or device. Similar technologies include local storage, pixels, SDK storage, and device identifiers where applicable.

TODO: Complete a cookie and analytics audit before publication. Do not claim optional analytics are off or on until verified.

2. Cookie inventory to complete before publication

| Cookie or storage item | Provider | Category | Purpose | Duration | Region/consent posture | Status |
| --- | --- | --- | --- | --- | --- | --- |
| TODO session cookie | HeadsDown | Essential | Authentication/session management | TODO | Required for service | Needs audit |
| TODO CSRF cookie or token storage | HeadsDown | Essential | Request forgery protection | TODO | Required for service | Needs audit |
| TODO preference storage | HeadsDown | Preference, if used | Remember product preferences | TODO | TODO | Needs audit |
| TODO analytics cookie, if any | TODO | Analytics, if used | Aggregate product or funnel analytics | TODO | Requires legal/product review | Needs audit |
| TODO third-party checkout cookies | Payment provider, if any | Essential/payment | Checkout and fraud prevention | TODO | Provider controlled | Needs audit |

3. Essential cookies and similar technologies

HeadsDown may use essential cookies and similar technologies that are necessary to provide and secure the service. These may include:

  • Authentication and session cookies that keep you signed in.
  • CSRF and security cookies that help protect forms and requests.
  • Account, device, or preference storage needed for product operation.
  • Load balancing, routing, anti-abuse, rate-limit, and service reliability technologies.
  • Cookie-consent or preference storage if optional cookies are enabled later.

Essential cookies are required for the service to work and generally cannot be disabled through HeadsDown controls. You can block them through your browser, but some features may stop working.

TODO: Verify actual cookie names, lifetimes, domains, SameSite/Secure flags, and whether mobile/web storage beyond cookies should be listed.

4. Optional analytics and preference cookies

HeadsDown may use optional analytics or preference cookies only if product, legal, and security review confirm the implementation and required consent/opt-out flow.

Optional analytics may help HeadsDown understand aggregate product usage, page performance, signup funnel health, errors, and feature adoption. Optional preference cookies may remember non-essential UI choices.

This draft does not claim that optional analytics cookies are currently active. It reserves the policy structure in case the audited implementation includes them.

TODO: Confirm analytics providers, events collected, cookie names, retention, IP/device handling, consent mode, opt-out controls, and regional behavior.

5. What cookies should not be used for

HeadsDown should not use cookies or similar technologies to collect prompts, source code, file contents, file paths, repository names, branch names, terminal output, test logs, PR bodies, commit messages, calendar event details, message contents, or credentials.

HeadsDown learns from outcomes, not your code. Agent-run event and outcome-learning surfaces should rely on metadata-only reporting, not browser tracking of work content.

6. Third-party cookies and SDKs

Third-party service providers may set cookies or use similar technologies when they provide hosting, payment, email, analytics if enabled, error tracking, security, support, or other services to HeadsDown.

TODO: Verify whether any third-party cookies are set on public marketing pages, app pages, checkout flows, support tools, or analytics/error-reporting scripts. Do not publish named providers until the audit is complete.

7. Your choices

You can control cookies through your browser settings. You may be able to block, delete, or limit cookies. Blocking essential cookies may prevent login, account management, security, or other service features from working.

If HeadsDown enables optional analytics or preference cookies, the published policy must explain the available opt-out or consent controls.

TODO: Add region-specific consent mechanism details if optional cookies are used.

8. Changes

HeadsDown may update this Cookie Policy as products, providers, laws, and cookie usage change. The updated version will be posted with a new effective date.

TODO: Counsel to confirm notice process for material changes.

9. Contact

Questions about this Cookie Policy should be sent to TODO. Current product contact is [email protected].

Publication workflow and prior versions

Before any draft label is removed, the page needs legal review, security review of technical claims, product review for shipped-versus-planned behavior, subprocessor verification, and analytics/cookie audit where applicable.

Prior versions are archived manually in source control before publication changes: create a dated copy under `docs/legal/archive/`, record the version, effective date, last updated date, reviewer approvals, and the public route changed, then update this page in the same pull request.

© 2019-2026 Overstuffed Gorilla, LLC.
