Cookie Policy
Last updated: 07 June 2026 (rev. 4)
This Cookie Policy explains the cookies and similar storage technologies Listybitsy uses on listybitsy.com (the “Service”). It supplements our Privacy Policy.
The short version
We set strictly necessary cookies from our own domain (Supabase Auth session). We also load PostHog as a client-side analytics script to capture page views and feature usage — PostHog stores a pseudonymous identifier in a browser cookie (ph_*) and in localStorage. We do not set advertising, retargeting, social-network, or fingerprinting cookies.
Our CDN (Cloudflare) loads a small performance-telemetry script (static.cloudflareinsights.com) on every page. This script does not set cookies and does not track individuals across sites. See “Third-party scripts” below.
What is a cookie?
A cookie is a small text file a website stores in your browser to remember information across requests. The same rules apply to similar storage technologies (e.g. localStorage, sessionStorage).
Cookies we set
| Cookie | Purpose | Type | Duration |
|---|---|---|---|
| sb-*-auth-token | Keeps you signed in (Supabase Auth session). Without it you would have to re-authenticate on every page load. | Strictly necessary | Up to 1 year, refreshed on use |
| sb-*-auth-token-code-verifier | PKCE verifier used during the magic-link sign-in handshake. Cleared once sign-in completes. | Strictly necessary | Session |
| ph_*_posthog | PostHog analytics — stores a pseudonymous distinct ID to count unique visitors and track feature usage across sessions. Not tied to your name or email unless you are signed in. | Analytics | 1 year |
Third-party scripts
| Script / origin | Purpose | Sets cookies? | How to opt out |
|---|---|---|---|
| static.cloudflareinsights.com (Cloudflare Insights) | Aggregate page-load timing, Core Web Vitals, country-level visit counts. No individual tracking. | No first-party cookies for this script. Cloudflare may set a __cf_bm bot-management cookie at the network layer (strictly necessary). | Block static.cloudflareinsights.com in your browser, or use any standard ad/tracker blocker (uBlock Origin, Privacy Badger). The Service will continue to function. |
| eu.i.posthog.com (PostHog EU Cloud) | Product analytics — page views, feature usage (listing creation, grading, publishing), and sign-up funnel. Data is processed in the EU (Frankfurt). No advertising or cross-site tracking. | Sets ph_*_posthog cookie (see “Cookies we set” above) and writes to localStorage. | Opt out via the Cookie Preferences link in the footer, or delete the ph_* cookie and the ph_* localStorage key via your browser developer tools. Blocking eu.i.posthog.com with uBlock Origin also works. |
Client-side & server-side analytics (PostHog)
We use PostHog EU Cloud (eu.i.posthog.com) for product analytics in two ways:
- Client-side: The posthog-js library loads in your browser and captures page views and feature interactions. It stores a pseudonymous distinct ID in a ph_* cookie and in localStorage. If you are signed in, your Supabase user ID is associated with the events — your name or email is not sent to PostHog.
- Server-side: When you publish a listing to Etsy or Shopify, or complete a subscription checkout, our server sends an event to PostHog. This is a server-to-server call; no additional cookies are set beyond those already set by the client-side library.
All PostHog data is stored in the EU (Frankfurt). You can request deletion of your analytics records by emailing [email protected].
Cookies set by third parties when you use specific features
| Third party | When | Purpose |
|---|---|---|
| Stripe | Only on the Stripe Checkout and Customer Portal pages we redirect you to | Fraud prevention and to maintain your checkout session. Stripe is the data controller for these cookies. See Stripe's cookie policy. |
| Cloudflare | On every page (CDN/security) | Cloudflare may set a strictly-necessary __cf_bm cookie for bot management. See Cloudflare's cookie policy. |
We do not control cookies set by Stripe or Cloudflare on their own infrastructure. If you visit those parties directly, additional cookies may apply under their policies.
What we don't use
- No Google Analytics, Plausible, Mixpanel, Amplitude, or similar third-party analytics platforms — only PostHog (EU-hosted, described above).
- No advertising or retargeting cookies.
- No social-network sharing widgets that set tracking cookies.
- No fingerprinting, device-graph, or cross-site behavioural profiling.
The telemetry we collect is: (1) aggregate, cookieless Cloudflare Insights performance data; (2) PostHog product analytics via a ph_* cookie and localStorage; and (3) server-side PostHog events for billing and publishing actions.
Managing consent (giving and withdrawing)
Under the EU ePrivacy Directive (Art. 5(3)) and the GDPR (Art. 7), users must be able to give and withdraw consent freely for any cookie or storage technology that is not strictly necessary.
- Strictly-necessary cookies (Supabase Auth, Cloudflare bot-management). These do not require consent under EU law because they are essential to deliver a service you have explicitly requested (signing in, security). You can block them via your browser's cookie settings, but blocking them will break sign-in.
- Cloudflare Insights performance script. This is loaded on every page. It does not set cookies, but to be transparent: if you do not want it loaded, you can:
  - Use a privacy-respecting browser or extension (Brave, uBlock Origin, Privacy Badger) that blocks cloudflareinsights.com.
  - Set your browser's “Global Privacy Control” signal — we honour GPC and treat it as an opt-out request for any non-essential telemetry.
  - Email [email protected] with the subject line “Opt out of telemetry”; we will record your opt-out and confirm.
- Future non-essential cookies. If we ever add analytics, marketing, or any other non-essential cookie, we will (a) block them by default, (b) show a clear consent banner with “Accept” / “Reject all” / “Manage” buttons of equal prominence, (c) record your choice, and (d) honour withdrawal at any time via the same banner or via [email protected].
- California / US state “Do Not Sell or Share”. We do not sell or share personal information for cross-context behavioural advertising. There is therefore no sale or share to opt out of. If this changes we will publish a “Do Not Sell or Share My Personal Information” link on the homepage.
You can also clear all cookies from your browser at any time via the standard browser settings (e.g. Chrome → Settings → Privacy → Clear browsing data → Cookies and other site data).
Changes
We will update the “Last updated” date when we change this Cookie Policy. Material changes will be highlighted in-app or by email.
Contact
Questions: [email protected].