What this is
This page explains every cookie, local-storage key, session-storage entry, and URL parameter Dripp uses across trydripp.com and the Dripp iOS app. It's the companion to our privacy policy — the privacy policy says what data we handle and why; this page says exactly where that data lives on your device.
We treat “cookies” loosely here: the EU ePrivacy directive, the UK PECR, and the California CCPA all apply the same consent rules to cookies, local storage, session storage, IndexedDB, pixel tags, and SDK-side identifiers. So do we.
The categories
Strictly necessary
These cookies are required for Dripp to function. Turning them off would break sign-in, language preference, CSRF protection, or your consent choice itself. They are exempt from consent under the ePrivacy directive Article 5(3).
- Supabase auth session for signed-in users (access + refresh tokens, set as HTTP-only cookies).
- A CSRF token issued by our route handlers.
- The locale cookie (NEXT_LOCALE) that remembers whether you prefer English, Romanian, German, French, Italian, or Simplified Chinese.
- The record of your consent choice itself.
Analytics
PostHog distinct-id cookie plus local-storage entries that record page views, funnel steps, and (outside the EU and UK) session replays. In the EU and UK these are off by default until you accept analytics in the cookie banner. Inside the iOS app, the equivalent flag is the app-tracking-transparency status, stored as a PostHog super-property.
Marketing / attribution
AppsFlyer OneLink parameters attached to the App Store badge on our landing pages. They let us attribute paid-channel installs to the right campaign. On the web they live as URL query params only — no cookies are written by AppsFlyer on trydripp.com. In the EU and UK these parameters are stripped before the redirect unless you accept marketing cookies.
Detailed inventory
First-party (Dripp)
| Name | Purpose | Data | Jurisdiction |
|---|---|---|---|
| NEXT_LOCALE | Remember your chosen language across visits. | Locale tag (e.g. en, ro, zh-Hans). No identifier. | EU (Vercel Frankfurt edge). |
| sb-access-token | Authenticate signed-in users to Supabase. | Short-lived JWT. HTTP-only, Secure, SameSite=Lax. | EU (Supabase Frankfurt project). |
| sb-refresh-token | Refresh the access token without re-login. | Rotating refresh token. HTTP-only, Secure. | EU (Supabase Frankfurt project). |
| dripp_consent_v1 | Record your cookie-consent choice. | Versioned JSON: analytics / marketing booleans + timestamp. | EU (first-party, on your device). |
Third parties
| Vendor | Purpose | Data | Jurisdiction |
|---|---|---|---|
| PostHog | Product analytics, funnels, opt-in session replay (non-EU only). | ph_* cookies + localStorage: anonymous distinct_id, page events, feature flags. | EU (PostHog Cloud EU, Frankfurt). |
| Sentry | Crash and error reporting for the website. | sessionStorage breadcrumbs only. No cookies. No session replay in the EU. | EU (Sentry EU region). |
| Vercel Analytics | Aggregate, privacy-friendly page-view counts. | No cookies. Coarse device/region derived from request headers; no cross-site identifiers. Disabled on legal pages. | United States (Vercel Inc.); EU edge network. |
| AppsFlyer OneLink | Attribute paid-channel installs to campaigns. | URL query parameters on outbound App Store links. No cookies written on trydripp.com. | EU on redirect; AppsFlyer is HQ Israel, EU sub-processor. |
| Cookiebot | Consent management platform — banner, log, audit. | CookieConsent cookie: your accept / reject choice and version. | EU (Cookiebot, Denmark). |
A full description of each vendor — including legal basis, retention, and international transfer mechanism — lives in the privacy policy.
How to change your choices
On the web, in the EU and UK — we use Cookiebot as our consent management platform. You can re-open the banner at any time from the “Cookie settings” link in the footer of every page. Changing your choice takes effect immediately and is recorded against the version of this policy you saw.
On the web, elsewhere — analytics and attribution are enabled by default with a legitimate-interest legal basis. You can still opt out through your browser's “Do Not Track” or Global Privacy Control signal (see §05), or by blocking cookies for trydripp.com in your browser's settings.
In the iOS app — opt-outs live in two places:
- Settings → Privacy → Analytics — turns off PostHog event collection at the SDK level.
- Settings → Privacy → Attribution — turns off AppsFlyer install attribution and clears any cached attribution identifiers.
The very first time you launch Dripp, iOS shows you the App Tracking Transparency prompt. Declining there has the same effect as switching Attribution off in the app's own settings.
Do Not Track and Global Privacy Control
Global Privacy Control (GPC) — when a browser sends the Sec-GPC: 1 header, we treat it as a valid “do not sell or share my personal information” signal under the California Consumer Privacy Act (CCPA) as amended by the CPRA. Concretely: marketing and attribution cookies are switched off for that visit, and the choice is remembered for the device.
Do Not Track (DNT) — the W3C tracking-preference working group stopped maintaining DNT in 2019, and no major browser still ships it as a meaningful signal. We do not take specific action on the DNT: 1 header. If you want analytics off, use the consent banner or GPC.
Mobile app — not technically cookies
For completeness, here is everything the Dripp iOS app keeps on your device that an EU regulator would treat the way they treat a cookie:
- Supabase JWT — stored in the iOS Keychain, protected by the device's Secure Enclave. Refreshed transparently; cleared on sign-out.
- Install identifier — a non-rotating UUID generated on first launch and kept in app preferences. It never leaves the app without consent and is reset if you reinstall.
- Locale — mirrors NEXT_LOCALE.
- Consent flags — your analytics and attribution choices, plus the App Tracking Transparency status iOS reports back to us.
The iOS app does not use HTTP cookies. Network calls to the Dripp backend use bearer tokens read out of the Keychain, never cookies.
Children
Dripp is rated 17+ on the App Store and our Terms require users to be 18 or older. The iOS app starts in an age-gated state on first launch; until you confirm you're 18+ the app does not initialize PostHog, does not write the attribution identifier, and does not load any third-party SDK. On the web, the consent banner does not appear for users we have reason to believe are minors, and analytics and marketing remain off.
If you believe a minor has used Dripp, write to privacy@trydripp.com and we will delete the account and associated storage within 72 hours.
Updates
The “Version” stamp at the top of this page changes whenever the SDK inventory changes — a new vendor, a vendor removed, a purpose changed. In the EU and UK, a version bump that affects a consent category re-opens the Cookiebot banner the next time you visit, so you can review the change before it takes effect.
Editorial changes (typos, clarifying sentences, layout) do not bump the version — we only do that when the underlying tech changes.
Contact
Questions about anything on this page — what a vendor does, why a cookie exists, how to opt out on a device we haven't covered — go to privacy@trydripp.com. For the broader picture of how Dripp handles data, see the privacy policy. To access, export, or delete the data we hold about you, use the DSAR page — that's the fastest route and it triggers the deletion flow automatically.