Cookie Policy
Last updated: 2026-06-21
This policy explains what cookies otut.io sets on its own domains, and how the Power Loader script sets first-party cookies on your own subdomain as part of the server-side tagging service.
1. Cookies set on otut.io
On the otut.io website itself we set only what is strictly necessary to keep you signed in:
- authjs.session-token — NextAuth session cookie. HttpOnly, Secure, SameSite=Lax. Expires when you sign out or after 8 hours of inactivity.
- __Secure-authjs.callback-url — Stores the post-login redirect target. Strictly necessary, cleared after login.
We do not set marketing, advertising, or third-party analytics cookies on otut.io.
2. Cookies set by the Power Loader
The Power Loader script runs on your own subdomain (e.g. t.yourbrand.com) — a domain you control. It sets first-party cookies that you own and that fall under your privacy policy, not ours. Typical names:
- _pbj_id — Persistent visitor identifier. 400-day expiry. HttpOnly (server-set via the sGTM endpoint) to bypass Safari ITP.
- _pbj_ses — Session identifier. 30-minute sliding expiry.
3. Cookies set by your GTM container
Any cookies set by tags inside your GTM container (GA4, Meta Pixel, etc.) are governed by the privacy policy of those vendors. otut.io does not control or inspect them.
4. Managing cookies
You can clear otut.io cookies from your browser at any time — this will sign you out. For cookies on your own subdomain, manage them from your own privacy / consent banner. For vendor cookies (GA4, Meta, etc.), use the opt-out tools published by those vendors.
5. Contact
Questions about cookies? Email privacy@otut.io.
Questions? Contact us.