
Cookie Policy

v0.1.0-draft · Effective TBD · DRAFT · Audience: subscriber | platform

DRAFT, pending counsel review. This document is an internal draft prepared on 2026-04-26 by the engineering team. It has NOT been reviewed by external legal counsel. Do not rely on it for legal advice. Effective date is a placeholder pending sign-off. Apostle Pty Ltd makes no representation that this draft satisfies any specific jurisdictional requirement until counsel-reviewed.

Last revised: 2026-04-26 · Version: 0.1.0-draft

Table of contents

  1. About this policy
  2. What "cookies" means here
  3. Categories we use (TCF v2.2 alignment)
  4. Per-cookie register
  5. Consent management, granular per-category opt-in
  6. Withdrawing consent
  7. Region-specific provisions (EU, UK, AU, US-CA)
  8. Browser-level controls
  9. Third-party vendors
  10. Mobile applications
  11. Effective date and review
  12. Contact
  13. Version history

1. About this policy

This Cookie Policy explains how PYLON, operated by Apostle Pty Ltd (NSW, Australia, [ABN: TBD]), uses cookies and similar local-storage mechanisms on pylon.video and its subdomains (api.pylon.video, app.pylon.video, admin.pylon.video, drm.pylon.video).

It is a companion to the Privacy Policy at /legal/privacy-policy. If there is a conflict between this document and the Privacy Policy, the Privacy Policy controls.

2. What "cookies" means here

For the purposes of this policy, "cookies" includes:

  • HTTP cookies, small key-value pairs the browser stores per origin, sent on subsequent requests to that origin.
  • Local storage entries, localStorage and sessionStorage values (key-value, scoped to origin, persistent or per-tab respectively).
  • IndexedDB records, used to cache offline downloads of titles.
  • Service-worker cache entries, used to cache assets for offline performance.

Where this policy refers to "cookies", it means any of these mechanisms unless the context narrows the term.

3. Categories we use (TCF v2.2 alignment)

Our consent state machine (packages/consent/src/types.ts) groups storage into four categories. The categories align with the IAB Transparency and Consent Framework v2.2 purposes scaffold so that a later integration with an IAB-registered CMP is mechanical (MNL-763).

3.1 Strictly necessary

Always on. Cannot be disabled because authentication, anti-forgery protection and basic playback depend on them. This category is not subject to consent under the EU ePrivacy Directive Article 5(3) or the equivalent Australian guidance.

  • Better Auth session cookie (SameSite=Lax, scoped to .pylon.video).
  • CSRF token (rotating anti-forgery token).
  • Consent state itself (so we can remember that you said no).
  • Locale preference for default UI language.

3.2 Functional

Off by default until the user opts in via the consent banner or the preferences drawer at /account/privacy.

  • Theme (theme=dark|light, used by Tailwind v4 with the extendTailwindMerge shim per feedback_tailwind_merge_shim).
  • Captions-on preference (mirrors profiles.captions_on).
  • Last-watched playback position (used by Mux Player to resume).
  • Locale override (where the user picks a language different from the detected default).

3.3 Analytics

Off by default until the user opts in. Hosted within our origin via a reverse proxy so no third-party cookies are issued by these tools.

  • PostHog, anonymous product analytics. Reverse-proxied through api.pylon.video/i/* (ingestion) and api.pylon.video/e/* (decide / events). The PostHog host never receives a direct request from the browser. Cookie scope is first-party pylon.video.
  • Sentry, error monitoring. Browser-side SDK is loaded only after analytics consent is granted. No advertising signals.

3.4 Marketing

Reserved category. No marketing cookies are set today. The category exists in the consent state machine so that any future addition is gated behind explicit consent rather than retro-fitted.

4. Per-cookie register

Name                                  Category    Set by                Purpose                                           Retention               Third-party?
__Secure-better-auth.session_token    Necessary   Better Auth           Authenticated session                             Until sign-out          No
__Host-csrf                           Necessary   API                   CSRF anti-forgery                                 Session                 No
pylon.consent.v2                      Necessary   Web (localStorage)    Stores per-category consent state                 12 months               No
pylon.locale                          Necessary   Web (localStorage)    UI language preference                            12 months               No
pylon.theme                           Functional  Web (localStorage)    Light / dark theme                                12 months               No
pylon.captionsOn                      Functional  Web (localStorage)    Captions toggle                                   12 months               No
pylon.lastWatched.*                   Functional  Web (localStorage)    Resume playback position                          12 months               No
pylon.offline.<title>                 Functional  Web (IndexedDB)       Cached offline-download metadata                  Until cleared by user   No
ph_*                                  Analytics   PostHog (proxied)     Anonymous product analytics                       12 months               No (proxied)
_sentry_*                             Analytics   Sentry                Error correlation across pages in a session       Session                 No
pylon.newsletter.attribution          Marketing   Web                   Records source page on newsletter subscription    30 days                 No

The pylon.newsletter.attribution cookie is reserved; it is set only when a user opts in to the newsletter and only when marketing-category consent is granted. It is in the register here for transparency.

5. Consent management, granular per-category opt-in

The first time a visitor reaches a non-trivial page, a consent banner is shown with three actions:

  • Accept all, every category set to granted.
  • Reject non-essential, all optional categories set to denied.
  • Manage preferences, opens a drawer with per-category toggles (Necessary always on, Functional / Analytics / Marketing toggleable).

Until the user makes a choice, every optional category is treated as denied for runtime decisions (fail-closed). The banner remains visible until each non-necessary axis is explicitly granted or denied.

The chosen state is stored in localStorage under the key pylon.consent.v2. We do not sync the choice across devices; each browser remembers its own preference. We expose the state to API callers via the Sec-Pylon-Consent request header so that server-side gating (for example, the PostHog proxy) can fail closed even if the browser sends an analytics event before consent is granted.

6. Withdrawing consent

You may withdraw or change consent at any time, with no penalty:

  • Open the preferences drawer at /account/privacy (authenticated).
  • Visit /legal/cookie-policy and use the in-page consent manager.
  • Click Cookie settings in the footer of any page.
  • Use the Clear saved choice action to reset and see the banner again on next visit.

Withdrawal of consent does not affect the lawfulness of any processing carried out under consent before withdrawal.

For California residents, the Do Not Sell or Share My Personal Information route is at /legal/do-not-sell and is independent of the cookie banner. A user who exercises Do-Not-Sell stays opted out of cross-context behavioural sharing even if they later select "Accept all" in the cookie banner. This is enforced server-side via the users.do_not_sell flag on every analytics dispatch path (apps/api/src/routes/posthog-proxy.ts).
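To make the behaviour described in sections 5 and 6 concrete, the following TypeScript is an added example written for this page; it is not the code of packages/consent or of the posthog-proxy route. It shows the four-category state machine with fail-closed defaults, persistence under pylon.consent.v2, serialisation into the Sec-Pylon-Consent header, server-side parsing that denies anything other than an explicit grant, and the sticky Do-Not-Sell override. The header's wire format, the KeyValueStore shim that stands in for window.localStorage (so the sample runs outside a browser), and the ConsentRequest shape are assumptions made here, not details stated by the policy.

```typescript
// Added example for sections 5 and 6 of this policy: a fail-closed, per-category
// consent state machine. Not the project's own consent package or proxy route.
// Assumed: Sec-Pylon-Consent wire format, KeyValueStore shim, ConsentRequest shape.

type OptionalCategory = "functional" | "analytics" | "marketing";
type Category = "necessary" | OptionalCategory;
type Decision = "granted" | "denied" | "unset";
type ConsentState = Record<OptionalCategory, Decision>;

const OPTIONAL_CATEGORIES: OptionalCategory[] = ["functional", "analytics", "marketing"];
const STORAGE_KEY = "pylon.consent.v2";  // localStorage key named in the policy
const HEADER_NAME = "Sec-Pylon-Consent"; // request header named in the policy

// Minimal subset of the DOM Storage interface so the example runs outside a browser.
interface KeyValueStore {
  getItem(key: string): string | null;
  setItem(key: string, value: string): void;
}

// Constructed in-memory store standing in for window.localStorage.
function memoryStore(): KeyValueStore {
  const m = new Map<string, string>();
  return { getItem: (k) => m.get(k) ?? null, setItem: (k, v) => { m.set(k, v); } };
}

// Every optional axis set to the same decision; "unset" is the no-choice-yet state.
function allOptional(d: Decision): ConsentState {
  return { functional: d, analytics: d, marketing: d };
}
const acceptAll = (): ConsentState => allOptional("granted");
const rejectNonEssential = (): ConsentState => allOptional("denied");

// Fail-closed runtime check: "necessary" is always on; an optional category is
// usable only after an explicit grant, so "unset" denies exactly like "denied".
function isAllowed(state: ConsentState, category: Category): boolean {
  return category === "necessary" || state[category] === "granted";
}

// The banner stays visible until every optional axis has an explicit answer.
function bannerRequired(state: ConsentState): boolean {
  return OPTIONAL_CATEGORIES.some((c) => state[c] === "unset");
}

// One toggle from the preferences drawer; returns a new state, leaves the input alone.
function setCategory(state: ConsentState, category: OptionalCategory, granted: boolean): ConsentState {
  const next: ConsentState = { ...state };
  next[category] = granted ? "granted" : "denied";
  return next;
}

function saveState(store: KeyValueStore, state: ConsentState): void {
  store.setItem(STORAGE_KEY, JSON.stringify(state));
}

// Anything missing, corrupt or unrecognised loads as "unset", i.e. as no choice yet.
function loadState(store: KeyValueStore): ConsentState {
  const state = allOptional("unset");
  let parsed: unknown = null;
  try { parsed = JSON.parse(store.getItem(STORAGE_KEY) ?? "null"); } catch { /* corrupt record */ }
  if (typeof parsed !== "object" || parsed === null) return state;
  for (const c of OPTIONAL_CATEGORIES) {
    const v = (parsed as Record<string, unknown>)[c];
    if (v === "granted" || v === "denied") state[c] = v as Decision;
  }
  return state;
}

// Assumed wire format: "functional=granted;analytics=denied;marketing=unset".
function toConsentHeader(state: ConsentState): string {
  return OPTIONAL_CATEGORIES.map((c) => `${c}=${state[c]}`).join(";");
}

// Server side: only an exact "granted" opens an axis; an absent header,
// malformed pairs and unknown values all resolve to denied.
function parseConsentHeader(value: string | undefined): ConsentState {
  const state = rejectNonEssential();
  if (!value) return state;
  for (const part of value.split(";")) {
    const [k = "", v = ""] = part.split("=");
    if (OPTIONAL_CATEGORIES.some((c) => c === k) && v === "granted") {
      state[k as OptionalCategory] = "granted";
    }
  }
  return state;
}

// Gate for an analytics dispatch path: the sticky Do-Not-Sell flag on the user
// record wins even when the header says analytics was granted.
interface ConsentRequest {
  headers: Record<string, string | undefined>; // lower-cased header names assumed
  user?: { do_not_sell: boolean };
}
function analyticsDispatchAllowed(req: ConsentRequest): boolean {
  if (req.user?.do_not_sell) return false;
  const state = parseConsentHeader(req.headers[HEADER_NAME.toLowerCase()]);
  return isAllowed(state, "analytics");
}
```

The two places where the example fails closed are the ones the policy calls out: isAllowed treats an undecided axis exactly like a denied one, so a runtime call made before the banner is answered is refused, and parseConsentHeader starts from all-denied and only opens an axis on the literal value granted, so a missing or mangled header cannot grant anything. The Do-Not-Sell check sits in front of the header check so that a later "Accept all" in the banner cannot re-enable analytics for a user who has opted out.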

7. Region-specific provisions

7.1 European Union (ePrivacy Directive 2002/58/EC + GDPR)

We treat the storage and access of information on the user's device as subject to prior, specific, informed and freely-given consent for all categories other than strictly-necessary. The consent banner satisfies the prior-consent requirement for EU users; the category toggles satisfy the granularity requirement.

We do not pre-tick any optional category. We do not use cookie walls. We do not condition access to any service on consent to any optional category.

7.2 United Kingdom (PECR + UK GDPR)

The UK Privacy and Electronic Communications Regulations 2003 mirror the ePrivacy Directive in substance. The same treatment applies.

7.3 Australia (Privacy Act 1988 (Cth) + OAIC APPs)

The OAIC's Australian Privacy Principles guidelines expect transparent disclosure of the data we collect via cookies and a straightforward way to opt out of optional collection. This policy and the per-page consent manager satisfy that expectation. The Australian Privacy Principles are referenced in full in the Privacy Policy at /legal/privacy-policy.

7.4 California (CCPA / CPRA)

California residents have the right to opt out of the "sale" or "sharing" of personal information. PYLON does not "sell" personal information as that term is narrowly defined by the statute, but the broader CPRA "sharing" concept (cross-context behavioural advertising) is in scope for any category that delivers cross-site behavioural signals.

A California user can exercise the right via the Do Not Sell or Share My Personal Information link at /legal/do-not-sell. The choice is sticky: it overrides "Accept all" in the cookie banner.

7.5 Other jurisdictions

If you are in a jurisdiction with consent rules not listed above, the strictest applicable standard governs. Where you are unsure, treat the EU rules as the floor.

8. Browser-level controls

You can limit cookies independent of our banner via your browser:

  • Chrome: Settings → Privacy and security → Cookies and other site data → Block third-party cookies (or block all).
  • Safari: Settings → Privacy → Block all cookies, or Prevent cross-site tracking.
  • Firefox: Preferences → Privacy & Security → Enhanced Tracking Protection → Strict.
  • Edge: Settings → Cookies and site permissions → Manage and delete cookies and site data.
  • iOS Safari: Settings → Safari → Privacy & Security.
  • Android Chrome: Chrome → Settings → Site settings → Cookies.

Disabling necessary cookies will break sign-in, playback resume, and the consent state itself; functional and analytics categories can be disabled without breaking the core service.

9. Third-party vendors

The following third parties touch user data on our service. None of them set their own cookies on pylon.video, because we either route their traffic through our origin (PostHog) or their integration runs server-to-server (Stripe, Resend, Mux, SignatureAPI, Cloudflare).

  • Stripe, payments. Loaded via js.stripe.com for Checkout/Portal redirect flows; Stripe.js may set first-party cookies on its own domain when the user lands there. Privacy: https://stripe.com/privacy.
  • Mux, video delivery. Iframe player may set a first-party cookie on stream.mux.com to remember playback position if the user returns to the same film on the same browser. Privacy: https://www.mux.com/privacy.
  • Resend, transactional email. Server-to-server; no browser cookies. Privacy: https://resend.com/legal/privacy-policy.
  • SignatureAPI, e-signature flows for filmmaker contracts. Server-to-server; no browser cookies on pylon.video. Privacy: https://signatureapi.com/privacy.
  • PostHog, analytics. Reverse-proxied; cookies are first-party pylon.video. Privacy: https://posthog.com/privacy.
  • Sentry, error monitoring. Browser SDK; no cross-site signals. Privacy: https://sentry.io/privacy/.
  • Cloudflare, hosting and edge. Cloudflare may set a __cf_bm bot-management cookie on first request. Privacy: https://www.cloudflare.com/privacypolicy/.

This vendor list is also surfaced in the Privacy Policy under the "Sub-processors" appendix (and in the Data Processing Addendum at /legal/data-processing-addendum).

10. Mobile applications

The PYLON mobile applications (iOS and Android, built on Expo SDK 54) do not use HTTP cookies in the browser sense. They use:

  • The OS keychain / keystore for the session token.
  • App-local storage for theme, captions and last-watched.
  • IndexedDB-equivalent native storage for offline downloads.

The same per-category consent state machine applies; the same withdrawal route is available in Settings → Privacy.

11. Effective date and review

This policy takes effect on the Effective date in the frontmatter once approved. We review the policy at least every 12 months and on material changes to our cookie footprint or vendor list.

Any material change is announced via in-app notification and described in the version history below. Non-material edits (typos, broken links) are tracked in the underlying repository commit history.

12. Contact

  • Privacy: [email protected]
  • Cookie-specific questions: [email protected] (subject Cookie policy, [topic])
  • Postal: Apostle Pty Ltd, [REGISTERED ADDRESS: TBD], Sydney NSW

13. Version history

Version   Date         Author        Summary
0.1.0     2026-04-26   engineering   Initial standalone draft. Supersedes apps/web/src/routes/legal.cookies.tsx v1.4 inline copy. Per-cookie register, region matrix, vendor list.
