Cookie Policy.

A cookie is a small text file — usually under a kilobyte — that a website asks your browser to store on your device. The next time you visit, the browser sends the file back, and the site uses it to recognise you. There's nothing inherently sinister about this; the web is essentially stateless, and cookies are the simplest mechanism we have to keep track of who's logged in between page loads.

Where it gets controversial is when sites set cookies that follow you around the internet — building a behavioural profile from every site that loads a particular ad network's tracking pixel. We don't do that on Kingmaker. The cookies we set are either functional (they make the site work for you) or analytics (they tell us aggregate facts like 'how many people visited the homepage today').

We also use a few similar technologies — local storage, session storage, and one fingerprint check from our fraud-prevention provider — that aren't strictly cookies but serve overlapping purposes. They're covered by this policy under the same rules.

On your first visit a banner appears at the bottom of the screen asking which cookie categories you're comfortable with. The strictly-necessary category is on by default and cannot be turned off; everything else starts off and you can toggle it on. Your choices are stored in a cookie called km_consent which lasts 12 months — after that, we ask again.

You can change your mind at any time. The cookie preferences link in the footer reopens the banner, lets you toggle categories, and saves the new preferences. Disabling a category retroactively also deletes any cookies in that category that have already been set during the current session.

We honour the Global Privacy Control header where browsers send it. If your browser has GPC enabled, we treat it as an automatic opt-out from analytics and performance cookies, and the banner reflects that choice.

When you load a Kingmaker page, your browser doesn't only talk to our servers. It also fetches things from a small number of third parties — fonts from Google, fraud protection from Cloudflare, analytics from Google Analytics 4, error logging from Sentry. Each of those third parties may set its own cookies on your device, separately from ours.

We've listed every third party that sets a cookie below. We've also disabled or restricted the more aggressive features of these services — for example, Google Analytics is configured with IP anonymisation enabled and ad-personalisation features turned off, so it cannot build a behavioural profile of you across other sites that use Google services.

The third parties we use are:

Two browser-level mechanisms exist for telling websites you don't want to be tracked: Do Not Track (DNT), which has been around since 2009, and Global Privacy Control (GPC), which is newer and gaining regulatory traction.

We honour Global Privacy Control. If your browser sends a Sec-GPC: 1 header, we treat that as a binding opt-out from analytics and performance cookies, equivalent to you toggling those categories off in the cookie banner. The opt-out persists across sessions and you don't need to do anything else.

Do Not Track is a different story. The DNT spec was effectively abandoned by browser vendors and most websites stopped honouring it years ago because it had no legal teeth and no consistent meaning. We don't honour DNT specifically — but if you've enabled DNT, your browser almost certainly also sends GPC, which we do honour.

A few cookie-related practices are worth flagging explicitly because they often show up in policies as one-line afterthoughts:

Cookie lifetime is set per cookie. Some are 'session cookies' that disappear the moment you close the browser; others are 'persistent cookies' with explicit expiry dates ranging from 30 minutes (fraud tokens) to 24 months (Google Analytics client ID).

The full inventory below shows the lifetime of every cookie we set. If you want to clear all of them immediately, every modern browser supports clearing cookies for a specific website — instructions for the major browsers are in the Browser Controls section near the bottom of this page.

Local storage and session storage entries do not have built-in expiry dates. We delete them when they're no longer needed (typically when you log out), and they're cleared by the same browser-level controls that clear cookies.

Cookie practices evolve as browsers, regulators, and platforms change what's possible. We update this page when we add a new category, change a third-party provider, or change the lifetime of an existing cookie. The 'last updated' and 'effective from' dates at the top tell you the current version.

Material changes — adding a new category of cookies, or changing the consent flow — are communicated to registered users by email at least 14 days before they take effect, and the cookie banner is automatically reopened on your next visit so you can review your preferences against the new categories. Smaller changes (clarifications, typo fixes) are made silently.