GoFindStuff

Legal

Cookie Policy

Last updated May 20, 2026 · Version 2026-05-20

Draft — pending attorney review. This page is a plain-language template. It does not constitute legal advice and has not yet been reviewed by counsel. Final wording will be replaced before public launch. Questions: legal@gofindstuff.com.

Summary

The GoFindStuff application sets the strictly-necessary cookies listed below to keep you signed in and to protect against cross-site request forgery. We do not currently load third-party analytics, advertising, or session-replay scripts. We will update this page and add a real consent prompt before any non-essential cookies are introduced.

What is a cookie?

A cookie is a small text file that a website stores on your device. Similar technologies (localStorage, sessionStorage, and first-party fingerprinting signals) work in comparable ways. This policy uses the word “cookies” to refer to all of these.

Cookies we set

Strictly necessary — set automatically when you sign in:

  • gofindstuff_token — short-lived (15 minute) JWT access token. HttpOnly, Secure (in production), SameSite=Lax, first-party. Cleared on sign-out.
  • gofindstuff_refresh — refresh token used to mint new access tokens for up to 7 days. HttpOnly, Secure (in production), SameSite=Lax, first-party. Cleared on sign-out.
  • gofindstuff_guest — anonymous identifier used for a guest session before sign-up, so a visitor can try the scan flow without an account. HttpOnly, Secure (in production), SameSite=Lax. Replaced by the auth cookies on sign-up.

We also store a single first-party value in browser localStorage (gofindstuff-cookie-consent) to remember that you have seen and answered the cookie prompt. You can reset it from Settings → Privacy.

Strictly necessary cookies do not require consent under GDPR or the ePrivacy Directive, and we cannot disable them without breaking authentication.

Cookies we do not (yet) set

  • We do not run third-party analytics (no Google Analytics, Plausible, PostHog, Mixpanel, Amplitude, etc.).
  • We do not run advertising or retargeting pixels.
  • We do not use session-replay or heatmap tools.
  • We do not embed third-party social-media trackers.

If that ever changes, we'll update this page, add a real consent banner with category-level controls, and block non-essential scripts until you opt in.

Your choices

You can clear cookies in your browser's settings at any time. Clearing the application's session cookies will sign you out. You can also re-open the cookie prompt from Settings → Privacy → Cookie settings.

Most browsers offer a “Do Not Track” signal and a Global Privacy Control (GPC) header. We honour these as opt-out signals to the extent required by applicable law.

Changes

We may update this policy when we add or remove cookies. Material changes will be reflected in the policy version at the top of the page.

Contact

Questions: privacy@gofindstuff.com.