Sign In Join the Initiative
Legal

Cookie Policy

Last updated: May 11, 2026 · Effective immediately

1. What This Policy Covers

This Cookie Policy explains how URBAN STUDIO ("we", "us", "our") uses cookies and similar technologies on demonetization.org and how you can control them. It should be read together with our Privacy Policy, which describes how we handle the personal data associated with these cookies.

2. What Are Cookies?

Cookies are small text files placed on your device by your browser when you visit a website. They allow the website to remember you between page loads and to keep you signed in. Similar technologies include browser localStorage and sessionStorage, which work in your browser only and never travel back to our servers automatically.

3. The Cookies We Use

We use a deliberately small number of cookies, all of which are strictly necessary to provide the service you have asked for. Under Article 5(3) of the ePrivacy Directive and Recital 32 GDPR, strictly necessary cookies do not require prior consent — that is why you do not see a cookie banner on the Platform.

cu_session — session cookie

  • Purpose: keeps you signed in between page loads after you log in.
  • Type: first-party, strictly necessary.
  • Properties: HttpOnly (not readable by JavaScript), Secure (sent only over HTTPS), SameSite=Lax (mitigates cross-site request forgery).
  • Lifetime: up to thirty (30) days from the last sign-in.
  • Contents: a randomly generated, opaque session token. The corresponding session record is stored on our servers in hashed form.

cu_oauth_state — OAuth security cookie

  • Purpose: protects the X (Twitter) sign-in flow against cross-site request forgery (CSRF) attacks.
  • Type: first-party, strictly necessary.
  • Properties: HttpOnly, Secure, SameSite=Lax, scoped to the /auth/twitter path.
  • Lifetime: a few minutes — set only while you are signing in with X and removed as soon as the sign-in completes (successfully or otherwise).
  • Set only if: you click "Sign in with X (Twitter)" on the login or registration page.

cu_oauth_verifier — OAuth PKCE cookie

  • Purpose: implements the PKCE step of the OAuth 2.0 flow used to authenticate with X. This prevents authorisation-code-interception attacks.
  • Type: first-party, strictly necessary.
  • Properties: HttpOnly, Secure, SameSite=Lax, scoped to the /auth/twitter path.
  • Lifetime: a few minutes — set only during the X sign-in flow and removed at the end of it.
  • Set only if: you start a sign-in with X.

4. Browser Storage (Not Cookies)

We may use a small amount of browser localStorage or sessionStorage to remember UI preferences — for example, whether you have collapsed a section of the petition document or your scroll position when navigating between pages. This information is stored in your browser, is not automatically sent to our servers, and is cleared when you clear your browser data.

5. Third-Party Cookies

We do not set or load third-party cookies for analytics, advertising, behavioural tracking, social-media tracking, or any similar purpose. We do not embed Google Analytics, Meta Pixel, or any comparable tracker on the Platform.

Two limited exceptions exist, and both are activated only if you take a specific action:

  • NowPayments donation widget. If you open the donation widget in the "Support" modal, content is loaded from NowPayments and they may set their own cookies on their domain. Their handling is governed by their Privacy Policy.
  • X (Twitter) sign-in. The OAuth handshake happens on X's own pages and is subject to the X Privacy Policy. Cookies set by X live on X's own domain, not on ours.

6. Legal Basis

All cookies we set are strictly necessary either to deliver the service you have requested (signing you in and keeping you signed in) or to protect the security of the sign-in process. The relevant legal bases are Article 5(3) of the ePrivacy Directive (in its national implementations) for the storage on your device, and Article 6(1)(b) GDPR (performance of a contract) and Article 6(1)(f) GDPR (legitimate interest in security) for any associated processing of personal data.

7. How to Control Cookies

You can control or delete cookies through your browser settings at any time. Please note that disabling our session cookie (cu_session) will prevent you from signing in to the Platform, because there is no other way to keep you authenticated between requests.

Help articles for the most common browsers:

8. Changes to this Policy

We may update this Cookie Policy from time to time, for example when the list of cookies actually used by the Platform changes. The "Last updated" date above always reflects the current version. Material changes will, where reasonably possible, be notified on the Platform.

9. Contact

For questions about cookies or to exercise any of your data-protection rights, please contact us at support@demonetization.org.