pahvalentines/documents/cookie-usage-summary.md

# Cookie Usage Summary for Legal Review

## What We Use

**This application uses localStorage (not HTTP cookies) for user tracking.**

| Property | Details |
|----------|---------|
| **Storage Mechanism** | Browser localStorage |
| **Storage Key** | `submission_data` |
| **Identifier Name** | `cookie_id` (misnomer - not a browser cookie) |

## Data Structure Stored

```json
{
  "cookie_id": "cookie_abc123xyz",
  "entries": [
    { "session_id": "clxyz123...", "timestamp": "2026-02-14T10:30:00Z" }
  ]
}
```

## Source Code Location

- **Frontend**: `assets/js/home.js` - `SessionManager` module (lines 6-77)
- **Backend**: `cookie_id` generated server-side using **Cuid2 algorithm** (per spec in `/documents/spec.md`)

## Generation Flow

1. User's first submission → backend generates `cookie_id` using Cuid2
2. Backend returns `cookie_id` in API response
3. Frontend stores in localStorage via `SessionManager.updateSession()`
4. Subsequent requests include this `cookie_id` in the JSON payload

## Purpose

**Rate limiting only** - prevents users from generating more than 10 songs per identifier.

## Legal Considerations

| Aspect | Status |
|--------|--------|
| HTTP Cookie | **No** - uses localStorage |
| Third-party tracking | **No** - first-party only |
| Cross-site tracking | **No** - same-origin only |
| Personal data in identifier | **No** - random Cuid2 string |
| Cross-device tracking | **No** - each browser/device gets unique ID |
| User can clear | **Yes** - clearing browser storage resets it |
| Persistence | Until user clears localStorage or uses different browser |
| Data sent to third parties | **No** - only to Pets at Home backend |

## Note

The identifier is named "cookie_id" in the codebase but is **not** an HTTP cookie (no `Set-Cookie` header, not sent automatically with requests). It's a localStorage value sent explicitly in form submission JSON payloads.