// LAST UPDATED 17 May 2026
Cookies & Tracking
This notice describes the small set of first-party cookies and local storage RetroMarket uses. Australia does not have a GDPR-equivalent consent regime, and because we only use cookies for authentication plus a handful of UI conveniences we do not show a consent banner. See the Privacy Policy for the broader picture of how we handle personal information.
Note: This is not legal advice. Paralegal review is pending post-launch.
1. What we use
The full inventory of cookies, local storage keys, and server-side preference rows used by RetroMarket:
| Surface | Storage type | Purpose | Set by |
|---|---|---|---|
| Session token | Cookie (httpOnly) | Authentication | @convex-dev/auth |
| Refresh token | Cookie (httpOnly) | Authentication | @convex-dev/auth |
| Theme preferences | Convex users table (server-side) | Persist theme picker selection | convex/users.ts:updateThemePreferences |
| tosAcceptedAt / tosVersion | Convex users table | TermsGate acceptance state | convex/users.ts:acceptTerms |
| Recently-viewed listings | localStorage | Surface a “recently viewed” rail on the homepage | components/listings/view-tracker.tsx |
| PWA install-prompt dismissal | localStorage | Avoid re-showing the “install this app” banner after you dismiss it | components/pwa/install-prompt.tsx |
| Stripe iframe (checkout / portal) | Cookies on stripe.com origin | Payment fraud prevention | Stripe.js |
| Cloudflare Turnstile | Cookies on Cloudflare domain | CAPTCHA challenge | Turnstile widget |
2. No third-party advertising trackers
RetroMarket does not run Google Analytics, Meta Pixel, TikTok Pixel, cross-site advertising cookies, fingerprinting scripts, or any other third-party tracker designed to follow you between sites. We do not sell or share personal information with advertising networks.
3. Telemetry
We use Vercel Speed Insights to measure Core Web Vitals so we can keep page-load behaviour responsive. According to Vercel's documentation, Speed Insights collects anonymised performance metrics and does not set cookies. The intake endpoint (vitals.vercel-insights.com) is listed in our Content Security Policy and visible in your browser developer tools.
- No user identifier is sent.
- IP addresses are not persisted by Speed Insights.
- You can disable Speed Insights by blocking that endpoint in your browser or extension settings.
4. Disabling
You can disable cookies and clear local storage at the browser level. Disabling the session/refresh-token cookies will sign you out and prevent sign-in until they are re-enabled. Disabling localStorage will hide the “recently viewed” rail and may cause the PWA install prompt to re-appear after dismissal.
Browser-level controls live in:
- Chrome / Edge — Settings → Privacy & security → Cookies and other site data.
- Firefox — Settings → Privacy & Security → Cookies and Site Data.
- Safari — Settings → Privacy → Manage Website Data.
