Cookies policy

What moss stores in your browser

Effective 15 May 2026.

moss uses the minimum number of cookies needed to keep you logged in and remember your theme. We do not run advertising or third-party tracking. The table below lists every cookie and browser-storage value that moss sets, what it is for, and how long it lasts.

1. What is a cookie

A cookie is a small piece of text a website asks your browser to keep, then sends back on later requests. A session cookie is removed when you close the browser. A persistent cookie has an expiry date and survives between visits until that date or until you delete it.

localStorage and sessionStorage are separate browser features. They are not sent back to the server with each request; they sit in your browser only and the page reads them with JavaScript. We use localStorage for small preferences like your theme. We list those values here too because they are stored on your device, even though they are not strictly cookies.

2. Cookies and browser storage we set

Every value moss writes to your browser, what it is for, and how long it lasts. The Sentry and Vercel rows describe what those providers do on the moss production deployment today.

Name	Type	Purpose	Duration	Strictly necessary?
moss_session	Cookie	Authentication session. HttpOnly, Secure in production, SameSite=Lax. Maps a random token to a server-side session row so we know who is logged in.	14 days from issue, server-side last activity touched on use	Yes
moss_passkey_challenge	Cookie	Short-lived WebAuthn challenge used during passkey registration and sign-in. HttpOnly, Secure in production, SameSite=Lax. Scoped to /api/auth/passkeys.	5 minutes	Yes (only set during a passkey flow)
moss-theme	localStorage	Remembers your theme preference: light, dark, or system.	Until you clear it	Yes
moss-sidebar	localStorage	Remembers whether the in-app sidebar is collapsed or expanded.	Until you clear it	Yes
moss:passkey-prompt-dismissed	localStorage	Remembers that you dismissed the in-app prompt to add a passkey.	Until you clear it	Yes
moss:passkey-enrolled	localStorage	Marks this device as one where you have already enrolled a passkey, so the login form can offer it first.	Until you clear it or sign out from this device	Yes
moss:work-map:<id>:preferences	localStorage	Per-work-map canvas preferences (for example, surface choice) so a map opens the way you left it.	Until you clear it	Yes
Sentry	Cookie	Sentry session replay is not enabled in moss. The Sentry SDK is initialised with traces only and uses an in-memory trace identifier per page load. No Sentry cookies are written to your browser by moss.	Not set	N/A
Vercel	Cookie	Vercel Web Analytics is not installed in moss. Vercel may set operational cookies for request routing and deployment protection (for example, on preview deployments), but no marketing or analytics cookies are set on the production deployment.	Operational only, session-scoped where set	N/A

3. Third parties

moss is built on a small set of subprocessors. The note next to each says whether, in practice, the provider sets cookies on your browser when you use moss.

Vercel. Hosting and edge delivery. May set operational cookies for request routing and deployment protection. No analytics or marketing cookies on the production deployment. Provider policy
Neon. Postgres database. Server-to-server only. Does not set cookies in your browser. Provider policy
Resend. Transactional email (login codes, account notices). No browser footprint. Provider policy
Sentry. Error tracking. Session replay is off in moss; the SDK uses an in-memory trace identifier per page load. Cookie behaviour depends on configuration, see the linked policy. Provider policy

4. How to control cookies

You decide what stays on your device. Most browsers let you block or delete cookies and clear site storage from their Settings menu.

Use your browser's settings to block or clear cookies and site storage for mossfold.com.
If you block the moss_session cookie, you will not be able to stay logged in.
Use the in-product theme switch to change the value stored under moss-theme. The switch lives in the footer and in the app sidebar.

5. Do Not Track and Global Privacy Control

We respect the Global Privacy Control header where your browser sends it, and we treat it as withdrawal of consent for any non-essential cookie. Because moss does not run non-essential cookies today, GPC currently has no observable effect on what we set. If that ever changes, GPC will be honoured before we set anything non-essential.

6. Changes

Material changes to this policy are announced in-product and by email to account owners at least 14 days before they take effect. Minor wording corrections may be made without notice, with the effective date at the top of this page updated.

7. Contact

For cookie questions, email privacy@mossfold.com.

Postal address: Overporten AS, Kongens gate 6, 0153 Oslo, Norway.

If you are integrating moss into a workspace where you need a stricter cookie configuration (for example, to comply with a specific EEA member state's guidance) email privacy@mossfold.com and we will work with you.