Cookie Policy
What this page covers
QuickListing uses a small number of cookies and equivalent browser-storage entries (localStorage, sessionStorage). This page lists every one of them, who set it, what it does, and how long it lives. There are no third-party advertising cookies, no cross-site tracking, and no “people who like X also like Y”-style profiling.
This Cookie Policy is part of, and should be read alongside, our Privacy Policy.
1. Strictly necessary
These keep you signed in and route requests correctly. Turning them off would break sign-in, generation, and saved settings.
- sb-<project-ref>-auth-token — Supabase authentication cookie. Holds the encrypted session so the server can recognize you across requests.
Set by: Supabase. Lifetime: 1 hour (refresh token rotates automatically). HttpOnly, Secure, SameSite=Lax.
- sb-<project-ref>-auth-token-code-verifier — PKCE verifier used during the magic-link / OTP exchange. Cleared as soon as the exchange completes.
Set by: Supabase. Lifetime: ~5 minutes. HttpOnly.
- x-ql-trace-id response header (not strictly a cookie, but worth listing) — a per-request correlation id we attach to every API response. Used purely so support can match a client error to the matching server log.
2. Functional storage
These remember small UI preferences so the page renders correctly on first paint. They live in localStorage, not cookies, so they are never sent to our servers — they exist purely on your device.
- ql_header_state_v1 — caches your email and admin status so the site header doesn't flash a “loading” state when you switch back to a tab.
Set by: QuickListing. Lifetime: until sign-out or you clear site data.
3. Billing checkout
When you click Buy on the Plans page, our merchant of record (Paddle) opens its checkout overlay. Paddle sets its own cookies during that overlay session.
- paddlejs-* (various) — Paddle's own checkout-session cookies. Used to keep the card form, 3-D Secure step, and post-payment receipt all tied to one session.
Set by: Paddle.com. Lifetime: typically the duration of the checkout overlay. See Paddle's cookie notice for the full inventory.
4. Product telemetry
We use PostHog (product analytics) and Sentry (error tracking) to understand how the site is used and what breaks. Both are configured to minimise data collection: no full session replay, no third-party advertising signals.
- ph_*_posthog — PostHog distinct-id and session-id used to count unique sessions and funnel steps. Tied to your Supabase user id once you sign in.
Set by: PostHog. Lifetime: up to 1 year, refreshed on activity.
- Sentry does not set persistent cookies. It uses an in-memory request id correlated to our trace header to attach the right user/replay context to errors.
5. Etsy connection
When you connect an Etsy shop, the OAuth handshake briefly uses Etsy's own cookies on etsy.com — those cookies are governed by Etsy's cookie policy. On our side we store only the encrypted access + refresh tokens (in our database, not in your browser).
6. Choices
You can clear any cookie or localStorage entry at any time from your browser's site-data settings. Clearing the Supabase auth cookie signs you out; clearing ql_header_state_v1 only adds a brief “loading” flicker on next visit.
Because the strictly-necessary cookies are required for the service to work, signing in implies consent to those. You can decline them by not signing in, in which case the public pages (landing, legal) still render normally.
7. Changes to this policy
We update this page when cookies or storage entries change. Cookie additions or removals are not separately emailed; the Privacy Policy covers the broader notification rules.
8. Contact
Cookie or storage question? Email support@quicklisting.app. Operator details are listed in the Terms of Service.