Cookie Policy
This policy explains the small number of cookies Kromacat uses and why they are necessary.
1. What Is a Cookie?
A cookie is a small text file stored in your browser by a website. Cookies allow the site to recognise your browser across requests – in our case, to keep you signed in between page loads.
2. Cookies We Use
Kromacat sets exactly three cookies, all managed by Supabase Auth:
| Cookie name | Purpose | Duration | Type |
|---|---|---|---|
| sb-access-token | Your current authentication session token. Authorises API requests. | 1 hour (auto-refreshed) | Strictly necessary |
| sb-refresh-token | Used to obtain a new access token when the current one expires, keeping you signed in. | 60 days | Strictly necessary |
| sb-auth-token | Session identifier for server-side authentication checks. | Session (browser close) | Strictly necessary |
3. Cookies We Do Not Use
- Analytics cookies – we do not set any analytics cookies. We do collect aggregated usage statistics through Vercel Web Analytics, but that service is entirely cookie-less. See § 4a below for details.
- Advertising cookies – we do not serve ads or participate in ad networks.
- Third-party tracking pixels – not present on any page.
- A/B testing or feature-flag cookies – not currently used.
4a. Cookie-less Analytics (Vercel Web Analytics)
Kromacat uses Vercel Web Analytics to understand how the platform is used. This service collects no cookies and stores no IP addresses. It identifies visitors by a temporary hash derived from the incoming HTTP request; that hash is automatically discarded after 24 hours and cannot be used to track individuals across sessions or sites.
The following aggregated data points are recorded per page view:
| Data point | Example | How it is used |
|---|---|---|
| Event timestamp | 2026-06-02 14:30:00 | Traffic trend charts |
| Page URL & dynamic path | /grid, /[username] | Most-visited pages |
| Referrer | https://example.com/ | Traffic sources |
| Query parameters (filtered) | ?ref=twitter | Campaign tracking (sensitive params are redacted) |
| Country / region / city | Spain, Catalonia, Barcelona | Geographic breakdown – derived from IP; IP not stored |
| OS & version | iOS 17 | Device compatibility |
| Browser & version | Safari 17 (WebKit) | Browser compatibility |
| Device type | Mobile | Responsive design decisions |
All data is aggregated and cannot identify or re-identify any individual. The legal basis is Art. 6(1)(f) GDPR – legitimate interest in understanding and improving the platform, with minimal privacy impact. For full details see our Privacy Policy §8.
4b. Legal Basis for Authentication Cookies
Strictly necessary cookies do not require consent under the EU ePrivacy Directive (Directive 2002/58/EC, as amended) because they are essential to provide the service you have requested. Without them you cannot sign in to Kromacat.
We inform you about these cookies transparently so you can make an informed choice about whether to use the platform.
5. Managing Authentication Cookies
You can delete or block cookies at any time through your browser settings. Note that:
- Blocking sb-access-token or sb-refresh-token will sign you out.
- You will be prompted to sign in again on each visit.
Browser guides for managing cookies:
6. Changes to This Policy
If we ever introduce cookies that are not strictly necessary (for example, advertising or persistent analytics cookies) we will update this policy, add a proper consent banner with accept/reject controls, and obtain your explicit consent before setting them.
Version 1.1 (2 June 2026): Added §4a to document the introduction of Vercel Web Analytics – a cookie-less service. No consent banner is required because no cookies are set and no IP addresses are stored.