Cookies.
What we store on your device. Spoiler: almost nothing.
Last updated · May 28, 2026
The short version: we use one essential auth cookie. Our analytics is first-party and opt-in — nothing is measured until you accept. No advertising, no third-party trackers, no cross-site cookies, and we never store your raw IP address.
What is a cookie?
A cookie is a small text file stored on your device by a website. Cookies are often used to keep you logged in, remember preferences, or track behavior across sites.
Under the EU ePrivacy Directive and § 25 TTDSG, non-essential cookies require your explicit consent before being placed. Essential cookies do not.
Cookies we use
Essential — no consent required
- sb-access-token / sb-refresh-token — Supabase Auth session. HttpOnly, Secure, SameSite=Lax. Expires when you log out or after 7 days of inactivity.
- pinning-consent — remembers your cookie preferences. 12 months.
Functional — only with consent
- pinning-theme — saves your light/dark preference (default: dark). We currently store this in localStorage, not a cookie.
Analytics — first-party, opt-in
We run our own first-party analytics pixel — no third-party analytics provider. It stays switched off until you accept it in the consent banner (§ 25 TTDSG / ePrivacy: opt-in). When enabled, it records anonymous page views and clicks so we can improve the product.
- pnng_consent (localStorage) — your analytics choice. Essential to honor your decision; stored until you change or clear it.
- pnng_sid (sessionStorage) — a random per-session id, only set after you accept. Cleared when you close the tab.
- Country & unique counts — derived server-side from edge headers and a daily, salted one-way hash. We do not store your raw IP, and the hash rotates every day, so it can't track you across days or sites.
Email open tracking
Transactional emails (e.g. dose reminders) may contain a 1×1 pixel so we can see whether a message was opened and ensure delivery is working. You can disable remote images in your email client to block it.
Marketing
We don't use marketing or advertising cookies. We have no advertising partners.
Third-party services
Some pages load resources from third parties:
- Stripe — only on /pricing checkout and account billing pages, for fraud prevention
- Google Fonts — fonts loaded from Vercel CDN (self-hosted), no requests to Google
Managing your preferences
Change or withdraw your analytics consent at any time — it takes effect immediately:
Current: not set
You can also clear cookies and site data from your browser. Doing so will log you out and reset preferences.
Contact
Questions: privacy@pinning.info