Cookie Policy
Last updated: 27 April 2026 (rev. 2)
This Cookie Policy explains the cookies and similar storage technologies Listybitsy uses on listybitsy.com (the “Service”). It supplements our Privacy Policy.
The short version
We only set strictly necessary cookies from our own domain (Supabase Auth session). We do not set advertising, retargeting, social-network, or fingerprinting cookies, and we do not run any analytics product such as Google Analytics, Plausible, or Posthog.
Our CDN (Cloudflare) loads a small performance-telemetry script (static.cloudflareinsights.com) on every page. The script does not set cookies and does not track individuals across sites. See “Third-party scripts” below.
What is a cookie?
A cookie is a small text file a website stores in your browser to remember information across requests. The same rules apply to similar storage technologies (e.g. localStorage, sessionStorage).
Cookies we set
| Cookie | Purpose | Type | Duration |
|---|---|---|---|
| sb-*-auth-token | Keeps you signed in (Supabase Auth session). Without it you would have to re-authenticate on every page load. | Strictly necessary | Up to 1 year, refreshed on use |
| sb-*-auth-token-code-verifier | PKCE verifier used during the magic-link sign-in handshake. Cleared once sign-in completes. | Strictly necessary | Session |
Third-party scripts
| Script / origin | Purpose | Sets cookies? | How to opt out |
|---|---|---|---|
| static.cloudflareinsights.com (Cloudflare Insights) | Aggregate page-load timing, Core Web Vitals, country-level visit counts. No individual tracking. | No first-party cookies for this script. Cloudflare may set a __cf_bm bot-management cookie at the network layer (strictly necessary). | Block static.cloudflareinsights.com in your browser, or use any standard ad/tracker blocker (uBlock Origin, Privacy Badger). The Service will continue to function. We are working to make this configurable from the Service itself; see “Managing consent” below. |
Cookies set by third parties when you use specific features
| Third party | When | Purpose |
|---|---|---|
| Stripe | Only on the Stripe Checkout and Customer Portal pages we redirect you to | Fraud prevention and to maintain your checkout session. Stripe is the data controller for these cookies. See Stripe's cookie policy. |
| Cloudflare | On every page (CDN/security) | Cloudflare may set a strictly-necessary __cf_bm cookie for bot management. See Cloudflare's cookie policy. |
We do not control cookies set by Stripe or Cloudflare on their own infrastructure. If you visit those parties directly, additional cookies may apply under their policies.
What we don't use
- No Google Analytics, Plausible, Posthog, Mixpanel, Amplitude, or any other product-analytics service.
- No advertising or retargeting cookies.
- No social-network sharing widgets that set tracking cookies.
- No fingerprinting, device-graph, or cross-site behavioural profiling.
The only telemetry we receive is the aggregate, cookie-less Cloudflare Insights data described above. If we ever add analytics or other non-essential cookies, we will update this page and present a clear consent banner before any such cookie is set.
Managing consent (giving and withdrawing)
Under the EU ePrivacy Directive (Art. 5(3)) and the GDPR (Art. 7), users must be able to give and withdraw consent freely for any cookie or storage technology that is not strictly necessary.
- Strictly-necessary cookies (Supabase Auth, Cloudflare bot-management). These do not require consent under EU law because they are essential to deliver a service you have explicitly requested (signing in, security). You can block them via your browser's cookie settings, but blocking them will break sign-in.
- Cloudflare Insights performance script. This is loaded on every page. It does not set cookies, but to be transparent: if you do not want it loaded, you can:
  - Use a privacy-respecting browser or extension (Brave, uBlock Origin, Privacy Badger) that blocks cloudflareinsights.com.
  - Set your browser's “Global Privacy Control” signal — we honour GPC and treat it as an opt-out request for any non-essential telemetry.
  - Email [email protected] with the subject line “Opt out of telemetry”; we will record your opt-out and confirm.
- Future non-essential cookies. If we ever add analytics, marketing, or any other non-essential cookie, we will (a) block them by default, (b) show a clear consent banner with “Accept” / “Reject all” / “Manage” buttons of equal prominence, (c) record your choice, and (d) honour withdrawal at any time via the same banner or via [email protected].
- California / US state “Do Not Sell or Share”. We do not sell or share personal information for cross-context behavioural advertising. There is therefore no sale or share to opt out of. If this changes we will publish a “Do Not Sell or Share My Personal Information” link on the homepage.
You can also clear all cookies from your browser at any time via the standard browser settings (e.g. Chrome → Settings → Privacy → Clear browsing data → Cookies and other site data).
Changes
We will update the “Last updated” date when we change this Cookie Policy. Material changes will be highlighted in-app or by email.
Contact
Questions: [email protected].