Cookie Policy
Last updated: 17 June 2026
This Cookie Policy explains how TalesNTokens uses cookies, localStorage, sessionStorage, and similar technologies. It should be read with the Privacy Policy, GDPR Data Rights Policy, and Security Policy.
Definitions
"Cookies" are small files stored on a user's device by a website.
"Local storage" and "session storage" are browser storage technologies used to store data on a user's device.
"Similar technologies" include SDK storage, pixels, tags, device identifiers, and browser storage.
"Essential storage" means storage needed to provide a service requested by the user, keep the service secure, or remember necessary session choices.
"Non-essential storage" means analytics, marketing, or preference storage that is not strictly necessary.
Scope
This policy applies to the TalesNTokens website, Nuxt app, sandbox, game rooms, marketplace, creator tools, WebSocket features, and bridge features.
Cookie Consent Requirements
Under UK PECR, EU ePrivacy rules, UK GDPR, and EU GDPR, TalesNTokens must:
- tell users what cookies and similar technologies are used;
- explain what each category does and why;
- obtain active, informed consent before setting non-essential analytics or marketing cookies;
- allow users to refuse non-essential cookies as easily as accepting them;
- avoid pre-ticked boxes or implied consent for non-essential cookies;
- let users withdraw or change consent at any time;
- keep records of consent choices;
- avoid loading Google Analytics, marketing pixels, or similar tags before valid consent where consent is required.
Essential cookies and storage may be used without consent where they are strictly necessary to provide a service requested by the user.
Cookie And Storage Inventory
| Category | Technology | Examples | Purpose | Consent required | Retention |
|---|---|---|---|---|---|
| Essential | Cookie | tnt_sandbox | Anonymous sandbox session, abuse prevention, session continuity | No | Up to 24 hours |
| Essential | localStorage | supabase.auth.token | Supabase authenticated session continuity | No, where strictly necessary for login | Supabase session duration or logout |
| Essential | sessionStorage | vtt-characters-{roomId} fallback | Temporary room continuity when local storage limits are reached | No, where needed for requested room use | Browser session |
| Essential | localStorage | pendingInviteCode, pendingUsername, auth-success | Invite-code and sign-in flow continuity | No, where needed for requested sign-in | Until sign-in flow completion or manual clearing |
| Functional | localStorage | theme, customThemeColor | Theme and colour preferences | Consent may be required unless treated as user-requested preference storage | Until changed or cleared |
| Functional | localStorage | tutorial flags and map-drawing preferences | Remember tool preferences and dismissed tutorials | Consent may be required unless user-requested | Until changed or cleared |
| Functional | localStorage | vtt-last-viewed-gameboard-*, vtt-gameboard-version-* | Restore room context and reduce sync conflicts | Consent may be required depending on implementation | Until room deletion or clearing |
| Functional | localStorage | vtt-chat-*, vtt-notes-*, vtt-characters-*, vtt-repository-*, map drafts | Local caches and offline/draft continuity | Consent may be required unless strictly necessary for requested feature | Until user clears, room deletion, or cache cleanup |
| Functional | localStorage | tnt-bridge-session:* | Bridge reconnection and session continuity | Consent may be required unless strictly necessary for bridge feature | Until bridge end or clearing |
| Analytics | Google Analytics cookies and gtag storage | _ga, _ga_* or equivalent | Usage analytics, page views, product improvement | Yes, before loading where required | Up to configured GA retention |
| Marketing | Marketing pixels, ad cookies, campaign cookies | None confirmed in current audit; reserved for future | Advertising, retargeting, campaign measurement | Yes, before loading | As disclosed when added |
Current Audit Notes
The platform currently loads the Google Analytics script in production when analytics is enabled. A compliant consent-management layer must prevent analytics from loading until valid consent is recorded where required. This is a launch requirement in the Architecture Audit and Compliance Gap Analysis.
Essential Cookies
Essential cookies and storage are used for:
- authenticated sessions;
- sandbox sessions;
- security, rate limiting, and fraud prevention;
- checkout and marketplace fulfilment;
- room access and requested gameplay continuity;
- user-selected privacy or cookie consent preferences.
Users cannot disable essential storage through the cookie banner because the service may not work without it.
Functional Cookies
Functional storage remembers preferences and improves the experience, including theme preferences, map-builder drafts, tutorial states, bridge session state, local caches, and last-viewed gameboards. Users should be able to manage these in browser settings and, before launch, through an in-app privacy/settings control.
Analytics Cookies
Analytics storage helps TalesNTokens understand usage, diagnose product issues, and improve performance. Analytics must be off by default until consent is given where consent is required.
Marketing Cookies
Marketing cookies are not required for core platform use. If TalesNTokens adds marketing tracking, it must be disclosed here before use and must require opt-in consent where required.
User Obligations
Users should:
- make cookie choices honestly for their own device;
- avoid bypassing essential storage controls to abuse the Platform;
- understand that clearing storage may remove sessions, drafts, preferences, and local room caches;
- avoid using shared devices for sensitive rooms without clearing local storage.
Platform Obligations
TalesNTokens will:
- maintain a clear cookie/storage inventory;
- request consent before non-essential analytics or marketing storage where required;
- provide equal reject and accept choices for non-essential categories;
- provide a way to change consent;
- avoid using consent walls unless legally valid;
- update this policy when new trackers, SDKs, or storage categories are added.
Contact Procedures
Cookie and privacy questions: privacy@talesntokens.com
Users should include the browser, device, approximate time, affected page, and the storage key or cookie name if known.
Enforcement Procedures
If a cookie or tracking issue is reported, TalesNTokens will review the implementation, disable unlawful storage where needed, update disclosures, delete unlawfully collected analytics where feasible, and notify affected users or regulators where required.
Appeals Process
Users may challenge a cookie or consent decision by contacting privacy@talesntokens.com. If unresolved, users may complain to the UK Information Commissioner's Office or their local EU data protection authority.