Grail Atlas — Cookies
Last updated: 2026-05-22
What this is
The companion to the Privacy page, narrowed to the specific thing browsers call "cookies." Same stance: passion project, no ads, no third-party trackers, minimum collection.
Two categories — that's it
| Category | Purpose | Consent |
|---|---|---|
| Essential | Sign-in sessions, CSRF protection, and remembering your cookie-banner choice. The site cannot function without these. | Always on |
| Analytics (cookieless) | Aggregate page counts + Core Web Vitals via Vercel. No cookie is set; nothing identifying lands on your device. | On by default; ask to turn off |
There is no advertising category. There are no third-party trackers. The site doesn't load Google Tag Manager, Meta Pixel, TikTok Pixel, or any equivalent.
Your choices
On your first visit the site shows a small consent banner with two buttons: Essential only and Allow analytics. There's no third "Customize" button because there's nothing more granular to customize — the only non-essential category is the cookieless Vercel analytics, which is itself binary. You can change your mind anytime from the "Cookie settings" link in the footer. Declining analytics doesn't reduce access to anything on the site. Until you choose, only essential cookies run.
Cookies actually set
This is the live inventory. If the site sets a cookie that isn't on this list, that's a bug — email me at privacy@grailatlas.com.
| Name | Set by | Why | Lifetime |
|---|---|---|---|
__Host-csrf | Grail Atlas | HMAC double-submit CSRF token; protects mutating API routes. __Host- prefix, Secure, SameSite=Strict. | 1 hour |
sb-<project>-auth-token (and .0, .1 chunks) | Supabase Auth | Server-readable session token. Required if you're signed in (saved searches, Grail List). | Until logout (~7 days inactive) |
sb-<project>-auth-token-code-verifier | Supabase Auth | PKCE verifier used during the email-link callback. | 5 minutes |
gw-consent | Grail Atlas | Records your cookie-banner choice so it doesn't re-prompt every visit. First-party, Path=/, SameSite=Lax, Secure over HTTPS. | 24 months |
Per-saved-search RSS feeds at /feeds/saved-search/[id]?token= use a query-string token, not a cookie. The token never appears in browser cookie storage; treat that URL like a bookmark.
Cookieless analytics — Vercel
The site uses Vercel Web Analytics and Vercel Speed Insights to count page views and measure Core Web Vitals. Both are cookieless — no cookie, no local-storage entry, no third-party identifier on your device. They aren't in the inventory above because there's nothing to inventory; this section exists so the full picture lives on one page.
How the cookieless count works: each page view sends a small event to Vercel. Vercel derives a short-lived visitor identifier from a hash of the request (User-Agent + truncated IP + a daily-rotated seed). The identifier is discarded after 24 hours and never stored long-term. The raw IP is not stored; it contributes only to the hash and to a country-level geolocation lookup at ingest. No profile is built across sessions and no cross-site tracking is possible. Vercel's privacy doc for this layer is at vercel.com/docs/analytics/privacy-policy.
Because no cookie is set, there's no per-visitor toggle the way a GA4-style banner provides — the request goes out the moment a page loads. The trade-off is intentional: cookieless analytics produces lower-fidelity data about you (no cross-session re-identification, no cross-site tracking, no persistent identifier) and the unavoidability of the aggregated count is the price of not setting a cookie. If you'd rather not be counted at all, email me — I can turn the analytics off entirely on my end.
Do Not Track
Browsers' "Do Not Track" signal isn't standardized, but if your browser sends one, Grail Atlas treats it as a decision to decline non-essential cookies.
Changes
Material changes re-trigger the consent banner. The "Last updated" date at the top of this page also changes.
Reach me
Privacy / cookie questions: privacy@grailatlas.com