Cookie Policy

Last updated: 2026-05-23 — Version 3

We use cookies (and similar technologies) sparingly. Here’s what.

Session

  • bona_session — the authentication session cookie. Set when you sign in by clicking a magic link sent to your email, cleared when you log out. HttpOnly, SameSite=Lax. Required for the site to remember you between page loads.

Analytics

bona uses PostHog (a product-analytics service) on every page of bona.works. PostHog is loaded as a first-party script through k.bona.works, our reverse proxy — no third-party origins are contacted directly. The cookies below are set by PostHog when its in-browser script runs.

  • ph_<project>_posthog — PostHog’s distinct-id, device-id, and session-id storage. Set by the in-page script (not by the server), so it is NOT HttpOnly. SameSite=Lax. Secure on HTTPS. Max-Age: 1 year. Contains opaque identifiers only — no email, no IP, no user-agent.
  • ph_<project>_posthog (localStorage, not a cookie) — same payload as the cookie plus the active session-replay metadata. Local to your browser; not sent on every request.
  • ph_<project>_posthog_session_replay (localStorage, not a cookie) — present only while a session replay is being recorded. Holds the replay-buffer pointers, cleared when the session ends.
  • bona_sid_anon — bona’s server-side anonymous identifier for kit pages (bona.works/kit/…). A random 128-bit token HMAC-signed with a server secret; no personal data, no IP, no user-agent. Used by bona’s server to count unique kit views and CTA clicks. When this cookie is present on a /kit/… page, the in-page PostHog script bootstraps with the same identifier so the same person isn’t counted twice across the two paths. Scoped to Path=/kit, HttpOnly, SameSite=Lax. Max-Age: 1 year.

How to opt out

  • All analytics: clear or block ph_* cookies (and the bona_sid_anon cookie on /kit/… pages) via your browser’s site settings. Blocking either does not affect your ability to view any kit page or use any bona feature.
  • Do Not Track: we honor the DNT signal — when DNT is on, no ph_* cookies are set and no PostHog events are sent.
  • Operator analytics: you can toggle "analytics tracking" off in your account settings. (Coming soon.)
  • Browser cookie blocking: the site will work, but you’ll have to log in more often.
