Cookie Policy.

01 / Introduction

Introduction.

02 / What Cookies Are

What cookies are.

A cookie is a small text file placed on your device when you visit a website. Cookies let the site remember information about your visit: authentication state, language preferences, analytics events, and similar functional data. Similar technologies include local storage, session storage, pixels, and server-side identifiers. This Policy applies to all of them.

Cookies are either first-party (set by 21cbi.io directly) or third-party (set by a service we use, such as our authentication provider). We identify the specific third parties involved in Section 5.

03 / Cookies We Use

Cookies we use.

We group the cookies we set into three categories. Each is listed with its purpose and the approximate retention period.

3.1 Necessary cookies

These cookies are required for the Website to function. Disabling them will break account sign-in, the advisory dashboard, and certain form submissions.

• Authentication session: keeps you signed in between page loads. Set by our authentication provider (Clerk). Expires on sign-out or after an idle timeout.
• CSRF token: protects form submissions against cross-site request forgery. Session-scoped.
• Cookie consent state: records that you have seen (and, where applicable, accepted or declined) this Cookie Policy. Retained for 12 months.
• Load balancing and bot management: routes your session to a consistent server instance and protects the edge from automated abuse. Session-scoped; Cloudflare may set a short-lived first-party __cf_bm cookie for bot management.

3.2 Analytics (cookie-less by default)

Our primary analytics provider is Plausible Analytics, which is cookie-less by design. Plausible counts page views, sessions, and device types in aggregate without setting any cookie on your browser and without storing any identifier that could be linked back to you. The intent is to improve the Website, not to build a profile of you.

• Plausible page-view analytics: no cookies set. Aggregate counts retained for up to 14 months on Plausible’s EU-hosted infrastructure.
• Performance telemetry (Core Web Vitals): records page-load and Core Web Vitals metrics aggregated through our own analytics endpoint. No third-party advertising or fingerprinting identifier is set; any first-party cookie used for sampling continuity is short-lived and retained for up to 30 days.

3.3 Functionality cookies

These cookies remember preferences that make the Website more useful to you on return visits.

• Tool-state storage: saves in-progress PPQ answers, Cost Calculator inputs, and US Exit Tool inputs locally so you can pick up where you left off. Stored in local storage on your device; not transmitted to our servers unless you submit.
• Display preferences: remembers your currency unit toggle (USD, BTC, sats) and any sidebar state.

04 / Cookies We Do Not Use

Cookies we do not use.

Stating the absence as clearly as the presence. We do not run:

• Advertising or retargeting cookies.
• Cross-site tracking pixels (Facebook Pixel, TikTok Pixel, LinkedIn Insight Tag, and similar).
• Device fingerprinting or probabilistic identification.
• Session recording or mouse-movement heatmaps.
• Data brokers or data-enrichment services keyed to cookie identifiers.

We do not sell, rent, or license cookie data to third parties. We do not use cookies to infer your identity across services outside the Bitcitizen ecosystem.

05 / Third-Party Services

Third-party services.

A limited set of third-party services may set cookies on pages where their functionality is present. Each is listed with the role it serves and a link to its own privacy policy.

• Clerk: authentication and account management. Sets necessary cookies for sign-in, session management, and security. Policy: clerk.com/privacy.
• Cloudflare: edge delivery, DDoS protection, and TLS termination in front of the application. May set short-lived first-party cookies for bot management (__cf_bm) and edge routing. Policy: cloudflare.com/privacypolicy.
• BTCPay Server: self-hosted Bitcoin payment processor for invoice settlement. No advertising or tracking cookies. Project: btcpayserver.org.
• Stripe: fiat credit-card and bank-transfer processing when those rails are used. Cookies, where set, are payment-fraud-prevention cookies controlled by Stripe. Policy: stripe.com/privacy.

We do not embed social media widgets that set cookies on load. External links to X, Instagram, and Nostr open in a new tab and are governed by those platforms’ own policies.

06 / Managing Cookies

Managing cookies.

You control cookies in three ways, in order of precision:

1. Browser settings. Every major browser lets you view, block, and delete cookies on a per-site basis. Blocking necessary cookies on 21cbi.io will break sign-in and dashboard features. Blocking analytics and functionality cookies will not.
2. Private or incognito browsing. Cookies set in a private window are deleted when the window closes.
3. Operating-system level tools. Platforms like Brave, Firefox Focus, and Safari’s Intelligent Tracking Prevention will block third-party cookies and limit cross-site identifiers by default. We tested the Website against these configurations and it functions correctly.

Guidance from the major browser vendors:

• Chrome
• Firefox
• Safari
• Edge
• Brave

07 / Do Not Track and Global Privacy Control

Do Not Track and Global Privacy Control.

We respect the Global Privacy Control (GPC) signal. When your browser sends a GPC header, we treat it as a request to limit non-essential cookies and data sharing under applicable privacy laws, including the California Consumer Privacy Act as amended by the California Privacy Rights Act (collectively, the “CCPA/CPRA”) and its analogues. We do not currently serve targeted advertising, so there is nothing to opt out of on that front; the GPC signal still suppresses optional analytics where supported.

The legacy “Do Not Track” (DNT) browser signal is not a binding legal standard and is honored inconsistently across the industry. We do not set any advertising or cross-site tracking cookies regardless of DNT state.

08 / Changes to This Policy

Changes to this policy.

We update this Cookie Policy when the cookies we use change, when a third-party service is added or removed, or when applicable law changes. Material updates are reflected in the “Effective” date at the top of this page. Significant changes will also be announced in the footer or via a site-wide notice for a reasonable period.

Historical versions of this Policy are retained internally and made available to regulators on request.

09 / Contact

Contact.

Questions about this Cookie Policy or the cookies we use can be directed to:

• Email: [email protected]
• Encrypted messaging: on request, via the contact form.
• Entity: Bitcitizen LLC.

For broader privacy questions, see our Privacy Policy. For the terms governing use of the Website and Services, see our Terms of Service.