Platform Policy

Cookie Policy

Effective date: April 17, 2026
Last updated: April 17, 2026

Summary

Cookie inventory

| Name | Category | Purpose | Lifetime |
| --- | --- | --- | --- |
| fm_session | Strictly necessary | HTTP-only, SameSite=Lax session cookie backing the server-owned single sign-on session. Its value is an opaque server identifier that resolves to the session record in our server-side session store. | Session; rotated on sign-in |
| fm_csrf | Strictly necessary | CSRF token paired with the session cookie to authorize state-changing server functions. Rotated on every request. | Session |

Analytics, advertising, social

We do not set analytics, advertising, retargeting, or social-widget cookies on customer surfaces. Product analytics — where we measure them — run server-side against request traces in our observability store and do not require browser-side cookies to be useful.

Controls

Because we set only strictly necessary cookies, there is no consent banner to dismiss. You can clear Forge Metal cookies from your browser at any time; doing so will end the session and require re-authentication on the next request.

Changes to this policy

Material changes take effect 30 days after they are announced by email to the administrators on each affected organization. The effective date at the top of this page is the date the current version took effect. Prior versions of all policies live at /policy/changelog, and every change is recorded there in commit-addressable form.

Policy identifier: cookies.

Contact

Questions and requests under this policy go to privacy@anveio.com. Security reports go to security@anveio.com and take precedence over routine policy correspondence. GDPR data-protection correspondence may be directed to dpo@anveio.com; abuse reports to abuse@anveio.com.