Legal / Cookies Policy
Cookies Policy
The cookies and local storage we use, and how to control them.
Effective April 30, 2026
1. What cookies are
Cookies are small text files a website asks your browser to store. The browser sends them back the next time you visit, which lets the site recognise your session, remember preferences, or measure things. Some cookies expire when you close the browser ("session cookies"); others stay until they expire or you clear them ("persistent cookies"). The same idea covers similar technologies — localStorage, sessionStorage, IndexedDB. We refer to all of them as "cookies" for the rest of this page.
2. Cookies we use
We keep the cookie footprint as small as we can. Here is the full set, what each one does, and how long it lasts:
| Name | Purpose | Type | Duration |
|---|---|---|---|
phantom_session |
Keeps you signed in to the dashboard. Without it, you'd have to authenticate on every page load. | Strictly necessary | 2 hours of inactivity, or until sign-out |
XSRF-TOKEN |
Cross-site request forgery protection. Pairs with the session cookie to make sure form submissions are coming from the dashboard, not another site. | Strictly necessary | Same lifetime as the session |
active_server (server-side) |
Stored as part of the session, not a separate cookie — remembers which Discord server you're currently configuring on the dashboard. | Strictly necessary | Same lifetime as the session |
Strictly-necessary cookies don't require consent under the ePrivacy Directive — they're the ones the dashboard literally cannot function without. We don't run any analytics, advertising, or "social" cookies on the marketing site or the dashboard.
3. Local and session storage
The dashboard occasionally uses your browser's localStorage for client-side conveniences — for example, remembering whether you collapsed a sidebar group on the Tickets page or stashing a draft of a custom command before you save. None of this contains personal data; it's strictly UI state. Clearing your browser storage simply resets those preferences.
4. Third-party cookies
We use Discord's OAuth2 flow to sign you in. When you click "Sign in with Discord" you're redirected to discord.com; cookies set there are governed by Discord's own privacy policy, not ours. We don't load Discord widgets, social pixels, or any other third-party scripts that would set cookies on our domain.
Embedded fonts come from Google Fonts (CSS only — no cookie-setting JavaScript). If you'd rather not use Google Fonts, common privacy extensions can replace them with system fonts without breaking the site.
5. How to control cookies
Every modern browser lets you delete cookies, block them per site, or block them entirely. Doing any of those for the Phantom dashboard will sign you out and prevent you from signing back in until you re-enable at least the strictly-necessary cookies — they're not optional for an authenticated experience. Browser-specific instructions:
Signing out of the dashboard immediately invalidates the session cookie on our side, even if your browser continues to send it.
6. Changes to this policy
If we add or remove cookies, we'll update this page and the "Effective" date at the top. Material additions — for example, anything that would require consent — will get a clear in-product notice before the new cookie is set.
7. Contact
Cookie questions go to the Phantom support server.
Questions about this policy?
Reach us in the Phantom support server — open a ticket if it's a private matter (data request, safety report, takedown notice) so it goes straight to the team. Copyright takedowns follow the formal flow on the DMCA Policy page.