Cookies and Browser Storage

This page describes the cookies and browser storage currently evidenced in the product. It should be read alongside the Privacy Policy, which explains how Check-a-Train handles personal data more generally.

Check-a-Train uses Supabase Auth for account sign-up, sign-in, session refresh, and account security.

Supabase Auth session cookies are used to:

• keep signed-in users signed in;
• refresh account sessions securely;
• protect account-only pages and account data;
• support security checks around authentication.

These cookies are treated as strictly necessary because account features cannot work reliably without them. Production cookies are configured to use secure settings where the app controls them.

When enabled, Check-a-Train uses Cloudflare Turnstile on sign-in and contact surfaces to help distinguish real users from automated abuse.

Turnstile may use cookies or similar browser/device challenge technology controlled by Cloudflare. Check-a-Train sends the challenge token, IP address where available, user-agent, and challenge metadata needed to verify the check.

Turnstile is used for security and abuse prevention. It is not used by Check-a-Train for advertising or marketing tracking.

Check-a-Train currently uses browser localStorage for convenience features on the device and browser you are using.

Current localStorage use:

• Recent searches. Remembers recent origin, destination, date, time, and search-window choices on the home/search page so you can repeat a recent search more easily.
• Status-banner dismissal. Remembers that you dismissed a service-status banner so the same banner does not keep reappearing after dismissal.

This browser storage is not used for advertising, cross-site tracking, or third-party marketing. You can clear it through your browser settings. Clearing local storage may remove recent-search history and status-banner dismissal state on that device.

The current repository evidence does not show Check-a-Train using:

• marketing cookies;
• advertising trackers;
• Google Analytics;
• Meta Pixel;
• third-party advertising cookies;
• heatmapping tools;
• session replay tools;
• app-written first-party non-auth cookies outside Supabase session management.

If this changes, the cookie and storage position must be reviewed before launch or release.

This audit does not currently recommend adding a cookie consent banner or consent-management tool because no non-essential browser cookies, advertising trackers, or marketing analytics tags were found in the repository evidence.

Consent tooling must be revisited before introducing non-essential cookies or browser technologies, including analytics, advertising, marketing tags, heatmaps, session replay, or similar tracking technology.

Cookies and browser storage may involve these providers or technologies:

• Supabase. Account authentication, session cookies, and session refresh.
• Cloudflare Turnstile. Abuse-prevention challenge technology when enabled on sign-in and contact forms.
• Browser localStorage. Recent-search convenience data and status-banner dismissal state.

Each third-party provider may operate under its own terms and privacy policy. The Privacy Policy includes more detail on service providers and personal-data handling.

This page reflects the current repository evidence:

• Supabase Auth session cookies are used for sign-in, session refresh, and account security.
• Cloudflare Turnstile challenge technology may be used when enabled.
• Browser localStorage is used for recent searches and status-banner dismissal.
• There is no current evidence of marketing cookies, advertising trackers, Google Analytics, Meta Pixel, or equivalent browser analytics.
• Consent tooling is not currently added and must be revisited if non-essential browser technologies are introduced.

Product Owner and legal review should confirm whether any additional cookie, consent, controller, provider, retention, or regional-transfer wording is required before launch reliance.