1. Cookies we set
Functional only. No advertising trackers, no pixel tags, no behavioural cookies for retargeting.
| Name | Purpose | Lifetime |
|---|---|---|
| sb-*-auth-token | Supabase Auth session — required for /dashboard and /saved to work. | Until sign-out |
| theme | Remembers your light/dark mode choice. Stored in localStorage, technically not a cookie — listed for transparency. | Persistent (clear via DevTools) |
2. What we don't set
- No advertising analytics (Google Analytics, Facebook Pixel, etc.).
- No behavioural retargeting trackers.
- No third-party iframes that would set their own cookies.
3. Third-party services
Web analytics run through Plausible — it is cookieless by design (hashes IP, doesn't persist). Event analytics use PostHog, which writes a distinct_id cookie + localStorage entry (disable via browser settings if you prefer).
Cloudflare Turnstile, when enabled on a form, sets a short-lived token that expires after verification.
4. How to clear them
Any modern browser lets you delete cookies for a specific site under Settings → Privacy. On mobile: Browser Settings → Advanced → Clear site data.