We use the minimum cookies needed to make Flock work. No third-party trackers, no Facebook Pixel, no Google Tag Manager, no behavioral ad targeting.
What is a cookie?
A cookie is a small text file your browser stores so a website can remember you between visits. Some are required (auth); some are optional (analytics).
Cookies we use
| Name | Purpose | Type | Lifespan | Optional? |
|---|---|---|---|---|
| sb-access-token | Supabase session — keeps you signed in | Essential | 1 hour rolling | No |
| sb-refresh-token | Supabase refresh — silent re-auth | Essential | 30 days | No |
| flock-city | Remembers which city you're browsing | Functional | 1 year | No (essential UX) |
| flock-theme | Remembers light/dark/system mode | Functional | 1 year | No (essential UX) |
| flock-anon-id | First-party analytics tied to session, not identity | Analytics | 30 days | Yes — opt-out via banner |
| flock-experiment-bucket | A/B test consistency (deterministic bucketing) | Analytics | 90 days | Yes — opt-out via banner |
| flock-consent-v1 | Records your cookie consent decisions | Essential | 1 year | No |
Third-party cookies
- Stripe — sets cookies on the Stripe-hosted checkout page (fraud prevention). Not on flock.city directly.
- None else. No Google Analytics, no Facebook Pixel, no Hotjar, no LinkedIn Insight Tag.
How to control them
- In-app: Cookie banner on first visit lets you accept or reject analytics cookies. Re-open from /preferences.
- Browser: Every modern browser supports clearing cookies + per-site blocking. We respect Do Not Track and Global Privacy Control headers.
- Mobile (Capacitor wraps): Same controls; iOS App Tracking Transparency applies.
Server-side analytics fallback
Even if you reject all cookies, server-side request logs are kept (per Privacy Policy §2 telemetry). These contain IP (truncated to /24), user-agent, and request path — retained 30 days hot / 90 days cold for security + uptime monitoring.
Changes
Cookie additions or scope changes require a new banner consent prompt. See /changelog.