Cookie Policy
Last updated: June 18, 2026
Every cookie and localStorage key aifeders.com sets, why each exists, and why there is no consent banner.
DRAFT — must be reviewed by a qualified lawyer before launch.
Plain-language summary
- We use only strictly necessary, first-party cookies — sign-in, security, and your saved preferences. Nothing else.
- Because every cookie is essential or a preference you chose, EU rules do not require a consent banner, so there isn't one.
- Our analytics tool, Plausible, is cookieless — it sets nothing on your device and cannot follow you across sites.
- There is no advertising, no ad cookies, and no cross-site tracking of any kind.
- You can clear cookies any time in your browser; the main effect is that you get signed out and your theme and language reset.
- If we ever want a non-essential cookie in the future, a proper consent screen ships before that cookie does.
Document status: Draft 1.0 (2026-06-12). The effective date is assigned when this document is published at aifeders.com/cookies on launch day. Contact: privacy@aifeders.com
1. The principle — essential-only, no banner
AI Feeders runs entirely on strictly necessary first-party cookies plus device-stored preferences you set yourself. Under the ePrivacy rules that drive Europe's cookie banners, consent is required for cookies that are not strictly necessary for a service the user requested — advertising, cross-site analytics, social trackers. We have none of those:
- Authentication and security cookies are strictly necessary to deliver the signed-in service you asked for.
- Locale and theme storage save a preference you explicitly chose.
- Analytics are handled by Plausible, which is cookieless by design — it stores nothing on your device.
So the Service launches with no cookie-consent banner, because there is nothing to consent to. This is a deliberate product decision, not an oversight, and Section 10 explains what would have to happen before that ever changes.
2. What these technologies are
Three different mechanisms appear in this policy; they behave differently and deserve different scrutiny:
- Cookies are small text records your browser stores and sends back to the site with every request. That automatic send-back is what makes them suitable for sign-in (the session cookie identifies you on each page load) — and what makes third-party tracking cookies a privacy problem on sites that use them. We set only the first-party cookies in Section 3.
- localStorage is data a page script saves in your browser. It is never transmitted automatically — it just sits on your device until a page on the same site reads it or you clear it. We use it purely for interface preferences (Section 4).
- sessionStorage is like localStorage but erased when the tab closes. The Service may use it for transient UI state within a single visit — for example remembering scroll position during navigation — and never for anything identifying.
"Strictly necessary" in this policy means: the Service feature you asked for cannot work without it. "Functional preference" means: it only stores a choice you explicitly made, and deleting it merely resets that choice.
3. Exact inventory — cookies
All cookies are first-party (set by aifeders.com) unless noted. None are used for advertising or shared with advertisers.
| Name | Type | Purpose | Attributes | Lifetime |
|---|---|---|---|---|
__Host-session | Strictly necessary | Keeps you signed in; identifies your session server-side | httpOnly; Secure; SameSite=Lax; Path=/ — the __Host- prefix locks it to this exact host over HTTPS | 30 days rolling; rotated on login; revocable per-session in Settings → Security |
__Host-csrf | Strictly necessary | Cross-site request forgery protection on state-changing forms, where applicable to the auth flow | Secure; SameSite=Lax; Path=/ | Session (deleted when the browser closes) |
NEXT_LOCALE | Functional preference | Remembers your chosen interface language (English or Urdu) so pages render in it immediately | Secure; SameSite=Lax | 1 year |
Turnstile challenge cookies (names prefixed cf_) | Strictly necessary | Set by Cloudflare Turnstile only while a CAPTCHA challenge runs on login, signup, password reset, or report forms; lets Cloudflare verify the challenge without tracking you across sites | Set by the Turnstile widget; scoped to the challenge | Minutes — the verification token itself expires after 300 seconds |
Notes:
- There is no advertising cookie, no social-media pixel, and no third-party analytics cookie anywhere on the Service.
- Turnstile is Cloudflare's privacy-preserving CAPTCHA; it does not build advertising profiles. It only activates on the handful of abuse-sensitive forms listed above.
- Signed-in state never depends on anything other than
__Host-session.
4. Exact inventory — localStorage keys
localStorage is data saved in your browser by our pages; it is never sent automatically with requests and never leaves your device unless a page reads it.
| Key | Purpose | Lifetime |
|---|---|---|
aif-theme | Your appearance choice: light, dark, or system | Until you clear site data or change the setting |
aif-locale-hint | Mirrors your language choice so the theme/language apply before the first server response | Until you clear site data |
aif-dismissed-announcements | IDs of announcement banners you closed, so they stay closed | Until you clear site data |
aif-shortcut-hints-seen | Remembers that you've seen the keyboard-shortcuts hint, so it isn't shown again | Until you clear site data |
No localStorage key contains personal data beyond these UI preferences. Skill drafts in the upload wizard are saved server-side to your account, not to localStorage.
5. Analytics without cookies
We measure traffic with Plausible, which is engineered to work without cookies and without persistent device identifiers:
- It sets no cookies and writes nothing to localStorage.
- It collects aggregate, anonymized page statistics — page URL, referrer, browser family, country-level location, device class.
- It cannot recognize you across different websites, and we cannot use it to identify an individual visitor.
- Because it is cookieless and non-tracking, it requires no consent banner.
Error monitoring (Sentry) likewise sets no cookies; it receives error reports as described in the Privacy Policy, Section 5.
6. Embedded videos and other third-party content
Some skill listings include a creator-supplied demo video hosted on YouTube or Vimeo. These embeds are click-to-play: the page shows only a static thumbnail served by us, and nothing loads from YouTube or Vimeo — and no cookie from them can be set — until you press play. Pressing play is your choice to load that provider's player, which then operates under its own privacy and cookie terms (we use the providers' privacy-enhanced embed modes where offered, such as youtube-nocookie.com). Videos uploaded directly as MP4 files are served from our own media domain with no third-party involvement and no cookies.
Uploaded skill files themselves are delivered from a separate media domain that sets no cookies at all — by design, so user files can never read or receive your session (see ../05-security/03-upload-content-security.md).
7. Do Not Track and Global Privacy Control
Browsers can send "Do Not Track" (DNT) and "Global Privacy Control" (GPC) signals. Our honest answer: there is nothing for these signals to switch off — we run no advertising, no cross-site tracking, and no sale or sharing of personal data. We treat GPC as a valid opt-out of sale/sharing as US state laws require, which changes nothing in practice; with or without these signals, you get the same essential-only behavior described in this policy.
8. How to clear cookies and site data
You are always free to clear everything we store on your device:
- Chrome / Edge: Settings → Privacy and security → Cookies and other site data → See all site data → search
aifeders.com→ Remove. - Firefox: Settings → Privacy & Security → Cookies and Site Data → Manage Data → search
aifeders.com→ Remove Selected. - Safari: Settings → Privacy → Manage Website Data → search
aifeeders→ Remove. - Any browser: signing out via Settings → Security → "Log out everywhere" invalidates every session server-side, which is stronger than deleting the cookie alone.
Clearing site data also wipes the localStorage preferences in Section 4.
9. What breaks without the essential cookies
If your browser blocks or deletes our cookies:
| Blocked item | Effect |
|---|---|
__Host-session | You cannot stay signed in — every page treats you as a guest; downloads, likes, collections, uploads, and settings are unavailable until you sign in again |
__Host-csrf | Forms that change account state (login, settings, uploads, reviews) fail their security check and are rejected |
NEXT_LOCALE | The interface language resets to the default (English) on each visit |
| Turnstile cookies | CAPTCHA challenges cannot complete, so the protected forms (login after repeated failures, signup, password reset, reports) will refuse to submit |
| localStorage keys | Theme reverts to system default; dismissed banners reappear; the shortcuts hint shows once more |
Browsing, searching, and reading skill pages as a guest work fine with all cookies blocked.
10. Future-changes clause — consent ships first
If we ever decide to add a non-essential cookie or similar technology — for example, marketing attribution or any third-party tracker:
- A consent UI ships first: a banner or settings screen with granular categories, where "reject all" is exactly as easy as "accept all", no pre-ticked boxes, and consent is withdrawable at any time.
- The non-essential cookie is never set before you opt in.
- This policy is updated with the new inventory, and registered users are notified per the change-notice rule in the Privacy Policy, Section 14 — at least 30 days in advance.
Until all three happen, you can rely on the inventory in Sections 3 and 4 being complete.
11. Quick answers
Why is there no cookie banner — is that legal? Yes. Consent banners are required for non-essential cookies (advertising, cross-site analytics, social trackers). Every cookie we set is strictly necessary for a feature you asked for, or stores a preference you chose; cookieless Plausible handles analytics. With nothing to consent to, a banner would be theater.
Do you track me across other websites? No. We set no third-party trackers, our cookies are first-party only, and Plausible cannot recognize you on other sites.
Does AI Feeders show ads? No. There is no advertising on the Service and no advertising cookie anywhere in the inventory above.
Can I use the site with all cookies blocked?
As a guest, yes — browsing, search, and skill pages work fully. Signing in requires the __Host-session cookie; there is no cookie-free way to maintain a session securely.
What's the single most private setup?
Block all cookies and browse as a guest, or allow only aifeders.com first-party cookies to sign in. Either way you get zero tracking, because there is none to begin with.
Will this inventory silently grow? No — that's the Section 10 promise. Any non-essential addition ships behind a consent screen, with 30 days' notice, and this page updated first.
12. Changes and contact
Updates to this policy are posted at aifeders.com/cookies with a new effective date; material changes follow the 30-day notice rule above. Questions: privacy@aifeders.com. For the bigger picture of what data we process and your rights over it, read the Privacy Policy.