Cookie Policy

1. What Cookies Are

Cookies are small text files that a website asks your browser to store on your device. The next time you visit, your browser sends those files back, so the site knows things like “this is the same person who signed in five minutes ago” or “they prefer dark mode.” We also use closely related browser-storage technologies (localStorage, sessionStorage) for the same kinds of purposes; for the rest of this policy, “cookies” is shorthand for cookies and these similar technologies together.

We use cookies for two reasons: to keep you signed in (strictly necessary) and to understand how the Service is being used so we can improve it (analytics and session replay). We do not use cookies for advertising or for cross-site tracking, and we do not run an ad business.

This Cookie Policy explains what each cookie does, how long it lasts, and how to opt out of the optional ones. It supplements our Privacy Policy.

2. Strictly Necessary Cookies

Strictly necessary cookies are required for the Service to work. You cannot opt out of them — if you do, the Service breaks (you cannot stay signed in, sign-in cannot be protected against forgery, etc.).

2.1 Authentication and session (Clerk)

We use Clerk to handle sign-in and session management. Clerk sets and reads a small number of cookies on our domain to:

• hold your authenticated session (a short-lived signed token that identifies your current sign-in);
• provide CSRF (cross-site request forgery) protection so requests to our APIs cannot be forged from other sites;
• coordinate single sign-on flows across our marketing site and our app subdomain.

These cookies expire when your session expires (typically a short rolling window, refreshed as you continue to use the Service) or when you sign out. They contain only opaque identifiers and signed cryptographic material — no profile data or content. For more detail on the specific cookie names and expiry behavior, see Clerk’s public documentation.

3. Analytics Cookies

3.1 PostHog

We use PostHog as our product-analytics provider. PostHog helps us understand which features get used, where users get stuck, and which screens trigger errors. PostHog stores its data using a combination of localStorage and a single first-party cookie named:

• ph_<project_api_key>_posthog— first-party, 365-day expiry, set on the same domain as the Service.

That cookie holds the PostHog distinct ID for your browser. Before you sign in, the distinct ID is anonymous — a random identifier generated by PostHog with no link back to you. After you sign in, PostHog associates the distinct ID with your internal HangTime user ID (a UUID we generate; it is not your email, phone number, or Clerk ID). PostHog does not receive your phone number, your password, your SMS codes, or the contents of your messages.

What PostHog captures, in plain terms:

• page views — which URLs you visit on the Service and the referring URL;
• event clicks — clicks on buttons and links we have explicitly instrumented (joining a group, RSVPing to an event, posting a comment);
• feature-flag exposures — which experimental flags were on for you, so we can measure their effect;
• basic device and browser information — browser version, screen size, language, coarse geolocation derived from IP.

4. Session Replay

PostHog also provides “session replay,” which records a privacy-aware reconstruction of your session in the browser so we can play it back later and see where the UI confused you or where a bug appeared. Session replay is the highest-data-volume capture we run, and we treat it carefully.

What is captured:

• mouse movement, clicks, scroll position, viewport size, navigation between pages;
• DOM mutations (changes to the page) for the elements that are not masked.

What is masked:

• every form input with type="tel"— phone numbers are always masked, in every flow;
• every element marked with the data-ph-mask attribute or the masking selector our application applies to known-sensitive fields;
• message bodies, photo previews, and other private content surfaces where masking has been applied.

Masked content is replaced with a generic placeholder before the recording leaves your browser; PostHog never receives the actual text or media. We continue to add masking to surfaces as we identify them.

If you disable analytics using the in-app toggle described in Section 5, session replay is disabled along with it — not just the identification, but the recording itself.

5. How to Opt Out

You have three independent ways to opt out of analytics and session replay. Any one of them disables both. They take effect immediately for future captures; previously captured data is not retroactively deleted by an opt-out (it is, however, deleted when you delete your account — see our Privacy Policy, Section 7).

5.1 Browser Do Not Track / Global Privacy Control

We initialize PostHog with respect_dnt: true. If your browser sends the Do Not Track header or the Global Privacy Controlsignal, PostHog does not initialize at all on our pages, and no analytics or replay data is captured. Most modern browsers (Firefox, Brave, Safari) support one or both signals natively; check your browser’s Privacy settings to enable them.

5.2 In-app analytics toggle

Inside the app, navigate to Settings → Notificationsand find the Analytics & session replaytoggle. Turning it off calls PostHog’s opt_out_capturing() method, which stops all PostHog activity for your account on every device you sign in from. The opt-out is forward-only — it does not delete prior captures — and it persists across sessions until you turn it back on.

5.3 Browser cookie controls

You can also block or delete the ph_*_posthogcookie directly through your browser’s privacy or cookie settings. If you delete the cookie without setting one of the other opt-outs above, PostHog will simply generate a new anonymous distinct ID on your next visit, so the in-app toggle or DNT/GPC is the more durable option.

Strictly necessary cookies (Section 2) cannot be opted out of without breaking sign-in. If you block them, the Service will not work for you.

6. Third-Party Processors

The cookies described above are set in connection with the following third-party processors:

• Clerk— authentication and session management. Sets the strictly-necessary auth and session cookies described in Section 2.
• PostHog— product analytics and session replay. Sets the analytics cookie and uses localStorage as described in Sections 3 and 4.

Both processors operate on our behalf under a written data-processing agreement and may not use your data for their own purposes. The full list of HangTime sub-processors is in our Privacy Policy, Section 6.

7. Changes to This Policy

We may update this Cookie Policy from time to time. If we make a material change — for example, adding a new analytics provider or a new category of cookie — we will notify you at least 30 days before the change takes effect, by email to the address on your account and via an in-app notice. Non-material changes (typo fixes, clarifications, expiry-window updates from a sub-processor) take effect when posted, and we will update the “Last updated” date at the top of this page.

8. Contact

Questions about this Cookie Policy? Email legal@gohangtime.com.