Cookie Policy
Last updated: 4 June 2026 · Effective: 4 June 2026
The short version
VSpark does not use tracking cookies. We do not run Google Analytics, advertising pixels, or any third-party tracker that follows you between sites. The browser storage we do set is strictly necessary to make the Service work, and it stays on your device.
This page explains what VSpark stores in your browser, why, and how to clear it. It supplements our Privacy Policy, which is the master document on how we handle your data.
1. What "cookies" means here
The word "cookies" is shorthand on most sites for any client-side storage: traditional HTTP cookies, localStorage, sessionStorage, and IndexedDB. We use the term in that broad sense below. Where it matters, we say which mechanism we mean.
2. Storage VSpark itself sets
All of the following are first-party (set by vspark.gg), use no tracking IDs, and never leave your device unless you sign in (in which case the auth session is sent to our server to identify you on subsequent requests).
| Name | Type | Purpose | Lifetime |
|---|---|---|---|
sb-<ref>-auth-token |
localStorage | Supabase authentication session. Keeps you signed in across page loads and tabs. Required for every authenticated page. | Until you sign out. Supabase uses a sliding refresh window, so active sessions can persist for several weeks. |
vsp_referral and vsp_referral_ts |
localStorage | Holds a referral code captured from a ?ref= URL until you complete sign-up, so we can credit the friend who referred you. The _ts companion records the capture time so we can expire it after 24 hours. |
24 hours, then cleared |
vsp-motion |
localStorage | Your motion preference (auto, full, or reduce). Lets us honour reduced-motion choices on top of the OS-level prefers-reduced-motion setting. |
Until you change it or clear your browser storage |
vsp-seen-achievements:<your id> |
localStorage | List of achievement IDs you have already been shown a toast for, so we don't re-toast the same achievement on every page load. | Until you delete your account or clear your browser storage |
vsp-profile-just-saved |
localStorage | Transient flag set when you save a profile change so the next page can show a brief "Saved" confirmation. Cleared on read. | A few seconds (cleared on next page load) |
vsp_eg_* (session) |
sessionStorage | Tracks pages visited and session start time during the current browser tab session, to power two hidden achievements ("the explorer" and "touch grass"). Cleared automatically when you close the tab. | Current tab session only |
vspark_trusted_hosts |
localStorage | Remembers which external sites you ticked "Don't ask again" for in the chat external-link warning, so we don't pop the warning every time. | Until you clear your browser storage |
vspark_chat_notify_pref |
localStorage | Your in-app preference for browser push notifications about new chat messages. | Until you change it or clear your browser storage |
vspark_ios_install_dismissed |
localStorage | Records that you dismissed the iOS "Add to Home Screen" install prompt, so we don't keep showing it. | Until you clear your browser storage |
We do not set any traditional HTTP cookies for our own purposes. Cloudflare, our hosting provider, may set short-lived security cookies (such as __cf_bm) to differentiate humans from bots during abuse-protection challenges; these are described in section 4.
3. Analytics
VSpark uses Cloudflare Web Analytics for aggregate pageview counts. It is the cookieless successor to Google Analytics that Cloudflare built specifically for this case. It:
- Sets no cookies and no client-side identifiers
- Does not track you across sites
- Collects only aggregated, anonymised metrics (pageviews, referrer, country, device class, browser family)
- Does not collect IP addresses in a way that retains them
Because there is no tracking and no personal data, no consent banner is required under UK GDPR, EU GDPR (PECR / ePrivacy), or Australian privacy law. For the broader data-handling commitments around analytics and what we do not do with your data, see our Privacy Policy.
4. Storage set by third parties
A handful of services we depend on may set their own storage when you interact with them through VSpark. We do not control these and their behaviour is governed by their own policies.
| Service | When it sets storage | What it does |
|---|---|---|
| Twitch | While you are signing in via Twitch OAuth on twitch.tv. | Twitch's own sign-in session and abuse protection. Once you return to VSpark, you are no longer interacting with Twitch's storage. See Twitch Privacy Notice. |
| While you are signing in via Google OAuth on accounts.google.com (used for YouTube). | Google's own sign-in session and account state. See Google Cookie Policy. | |
| Cloudflare | Throughout your visit, when bot-protection is engaged. | Short-lived cookies such as __cf_bm (30-minute bot management cookie). Sets no advertising identifier. See Cloudflare Cookie Policy. |
| Klipy | When a GIF embedded from static.klipy.com or media.klipy.com is loaded in a chat. |
Standard browser caching of the GIF file. We proxy the search API server-side so your IP is not exposed to Klipy on search; only the GIF download itself goes direct to their CDN. See Klipy Privacy Policy. |
| Supabase | Throughout your authenticated session. | The authentication token described in section 2 is issued by Supabase Auth. Supabase itself does not set browser cookies on vspark.gg. See Supabase Privacy. |
5. How to clear or block VSpark storage
All of the storage above can be cleared at any time from your browser:
- Chrome / Edge: Settings → Privacy and security → Clear browsing data → tick "Cookies and other site data" → choose
vspark.ggfrom "Sites". - Firefox: Settings → Privacy & Security → Cookies and Site Data → Manage Data → search
vspark.gg→ Remove Selected. - Safari: Settings → Privacy → Manage Website Data → search
vspark.gg→ Remove. - iOS Safari: Settings app → Safari → Advanced → Website Data → Edit → delete
vspark.gg.
Signing out of VSpark also clears the Supabase auth token from localStorage. Clearing all of the storage above is harmless: you will be signed out, the iOS install prompt may reappear once, and any external link warning preferences will reset.
You can also block storage entirely via your browser's "block all cookies" or "strict tracking protection" mode. VSpark will still load, but you will not be able to sign in (no auth session can persist) and the in-chat link warning will pop on every external host every time.
6. Changes to this policy
If we add, remove, or change what we store, we will update the table in section 2 and the "Last updated" date at the top of this page. For material changes we will give notice the same way we do for the Terms of Service (see Terms §15).
7. Contact
Questions about what's in your browser: hello@vspark.gg.