Fine print
Cookie Policy.
What Lane Air sets, why, and how to turn it off.
Effective: · Last updated:
Lane Air is a product of Lumi5 Labs Pte. Ltd. This is the Lane Air-specific cookie disclosure — what we actually set, not a generic boilerplate. The short version: session cookies to keep you signed in, a bot-detection cookie on the landing page, and (optionally) anonymous product analytics. No ad cookies, no third-party marketing tags.
1. What's a cookie, briefly
A cookie is a small text file your browser stores after a site asks it to. Lane Air uses cookies for one job: state that has to survive a page refresh — your sign-in, the result of an anti-bot check, the anonymous identifier for product analytics. We also use a little browser storage (sessionStorage) that isn't a cookie but works the same way for you — listed below for completeness.
2. The cookies and storage Lane Air sets
These are everything the Lane Air stack writes to your browser. Nothing else.
| Name | What it does | Type | Expires |
|---|---|---|---|
next-auth.session-token | Keeps you signed in after Auth0 returns. | Essential | 30 days · refreshed on each visit |
next-auth.csrf-token | CSRF guard for the sign-in flow. | Essential | Session |
next-auth.callback-url | Remembers where to send you after sign-in. | Essential | Session |
cf_turnstile_* | Cloudflare Turnstile's bot signal on the paste form. Set only on the landing page. | Essential · anti-abuse | Short — minutes |
airRunToken:<runId> | sessionStorage entry that gates the run's SSE stream so only the browser that started the run can read it. Not a cookie. | Essential · storage | When you close the tab |
ph_phc_*_posthog | Anonymous identifier for first-party PostHog product analytics. Loaded only when you don't send a Do-Not-Track header. | Analytics · optional | 365 days |
3. What Lane Air does NOT set
For the avoidance of doubt, none of the following are running on this site:
- Google Analytics, GA4, or Tag Manager
- Facebook Pixel, X Pixel, LinkedIn Insight Tag
- Programmatic ad cookies (DoubleClick, AdSense, Criteo, etc.)
- Cross-site retargeting / behavioural ad pixels
- Third-party session-replay tools (FullStory, Hotjar recordings, etc.)
If you connect a social account (LinkedIn / X / Meta / Bluesky), those platforms set cookies on their own pages during OAuth. We don't control or store them.
4. Turning things off
4.1 Your browser
Every modern browser lets you block or clear cookies. Block the next-auth.session-token cookie and you won't be able to sign in; everything else is optional and the product keeps working without it.
4.2 Do Not Track
If your browser sends a DNT: 1 header, we skip loading PostHog entirely. No analytics cookie is set and no events are sent.
4.3 Disconnect connected platforms
Visit /account and click Disconnect next to any connected social. The encrypted token is purged immediately and we'll stop touching that platform's cookies.
5. Updates
If we add or remove a cookie, the table in §2 changes and the "Last updated" date at the top moves with it. Material changes (new analytics tool, new sub-processor) trigger an email to active subscribers at least 30 days before they take effect.
6. Contact
Questions about cookies, or want a list of exactly what your browser holds right now?
- Email: accounts@luminarylane.app