Cookie & Tracking Policy

Policy version: 2026-05-08

1. What This Policy Covers

Phantstore uses cookies, browser localStorage, IndexedDB, and similar technologies to operate the service, remember your preferences, and, only with your consent, analyze usage and monitor for software errors.

This page lists every category and every third-party processor we use. To change your choices at any time, visit /cookies/preferences.

2. Categories

Strictly Necessary (always active)

Required for authentication, security, and core navigation. Cannot be disabled. Lawful basis: contractual necessity (Art. 6(1)(b)).

  • sb-<ref>-auth-token - Supabase session cookie. HttpOnly, Secure, SameSite=Lax. Expires after 1 year of inactivity.
  • admin_access_token - Admin dashboard session. HttpOnly, Secure, SameSite=Lax. 24 hours.
  • language - Locale preference. Secure on HTTPS, SameSite=Lax. 1 year.
  • phantstore:consent:v1 (localStorage) - Stores your consent decision. Persists until you clear it or revoke.
  • phantstore:consent:sid (localStorage) - Anonymous correlation ID for the consent audit log.

Functional (always active)

Remembers UI state across reloads. No tracking. Lawful basis: contractual necessity.

  • chat:v2:state (sessionStorage), chat:v2:active-ids, chat:v2:minimized-ids - Chat window state.
  • global_user_cache, global_profile_cache - Cached opaque user ID and display name (no email or role).
  • safety_warning_seen, comments:viewMode - One-time prompt and view-mode flags.
  • CommunityGiveChatDB (IndexedDB) - Offline message cache. Cleared on sign-out; 30-day TTL on delivered messages.

Analytics (consent required)

Helps us understand which features are used. No personal data sale. Lawful basis: consent (ePrivacy Art. 5(3)).

  • Vercel Web Analytics - page views, country-level geo, anonymized device class. Processor: Vercel Inc. (US). Retention: 12 months.
  • Vercel Speed Insights - Core Web Vitals (LCP, INP, CLS). Processor: Vercel Inc. (US). Retention: 30 days raw, 12 months aggregated.

Error Monitoring (consent required)

Captures application errors and stack traces so we can fix bugs. No session recordings. Lawful basis: consent; we apply consent conservatively.

  • Sentry - error events, breadcrumbs with query strings stripped, opaque user ID only. Processor: Functional Software Inc. (US). Retention: 90 days.

Session Replay (explicit consent required)

Records masked, media-blocked interaction sessions when an error occurs to aid debugging. Requires Error Monitoring to be enabled. Lawful basis: explicit consent.

  • Sentry Replay - text masked, media blocked. 1% of sessions sampled randomly; 100% of sessions where an error occurs. Same processor and retention as above.

3. Other Data Processors

The following processors handle data necessary to operate the platform. Their use does not depend on the consent banner:

  • Supabase (Supabase Inc., US/EU regions) - primary database, authentication, realtime messaging, file storage. Lawful basis: contractual necessity. Data Processing Addendum in place.
  • Vercel (Vercel Inc., US) - application hosting, CDN, edge functions. Receives HTTP requests including IP addresses for routing and abuse prevention. Lawful basis: contractual necessity / legitimate interest.
  • Cloudflare Turnstile (Cloudflare Inc., US) - bot-protection challenge on the sign-in form. Device fingerprinting limited to anti-abuse. Lawful basis: legitimate interest.
  • OpenAI (OpenAI L.L.C., US) - automated content moderation of user-submitted item text. Item content is sent for classification; no persistent training. Lawful basis: legitimate interest (community safety).

4. Your Rights and Controls

Withdraw consent at any time at /cookies/preferences. Withdrawing consent is as easy as granting it (GDPR Art. 7(3)). Authenticated users can also use Settings -> Privacy Preferences.

You may also exercise GDPR rights (access, rectification, erasure, portability, objection) by contacting us using the details below. See the Privacy Policy for full details.

5. Consent Audit Log

Every consent decision (initial choice, update, revocation) is appended to an immutable audit log to demonstrate compliance with GDPR Art. 7(1). The log records: a session correlator, the category choices, the policy version in effect, the banner version, and a salted hash of your IP and User-Agent. Raw values are never stored. Authenticated users may request their own records via the contact channel below.

6. Contact

Questions about cookies, tracking, or your data:

help@phantstore.com

help.phantstore@gmail.com