Cookie & Local Storage Statement
Last updated: April 6, 2026
Beta Notice
You are using a pre-release (beta) version of Domu Match. This means features may change, data may be reset, and additional data collection (such as bug reports and session logs) may be done to help us improve the product. Our Privacy Policy covers data practices in detail; this statement focuses on cookies, local storage, and similar technologies.
This Cookie & Local Storage Statement explains how Domu Match (“we”, “us”) stores and reads information on your device - including HTTP cookies, browser local storage, session storage, and similar technologies - on domumatch.com and our web application. Dutch law and the EU ePrivacy rules apply to this kind of access, not only to traditional “cookies”. Non-essential technologies are only activated after you give consent through our cookie banner or preference centre.
Data controller
The controller responsible for personal data in connection with cookies and similar technologies (within the meaning of the GDPR and Dutch law) is DMS Enterprise (eenmanszaak), trading under the name Domu Match (handelsnaam), registered in the Netherlands, Chamber of Commerce (KVK) number 97573337. This identification matches our Privacy Policy.
Privacy contact: domumatch@gmail.com
What are cookies and similar technologies?
Cookies are small text files placed on your device when you visit a website. Your browser sends them back on later requests so the site can recognise your browser or session.
We also use similar technologies that are not HTTP cookies but work alongside them: for example browser localStorage and sessionStorage. Under EU guidance these are often treated like cookies when they store or access information on your device, so we describe them here as well.
Technologies can be first-party (set by Domu Match on our domain) or third-party (set by a service provider on their domain, for example during embedded identity verification).
How we group choices in the preference centre
Our cookie banner and Cookie Preference Centre use the same categories: Essential (always on), Analytics, Error tracking, Session replay, and Marketing. Only Essential is active without your opt-in. You can Accept all, Reject all, or Customize. Reject all is shown with equal prominence to Accept all, in line with Dutch DPA guidance.
Category A - Strictly necessary cookies, local storage & platform integrity
These entries are required to operate a secure logged-in service (authentication, session integrity, CSRF protection) and to deliver the site through our hosting provider. Under the ePrivacy framework they fall under the strictly necessary exemption because they are needed to provide the service you actively request - not for optional analytics or marketing.
| Name / pattern | Where it lives | Provider | Purpose | Duration |
|---|---|---|---|---|
| Supabase Auth session (typically sb-<project-ref>-auth-token and related sb-* keys) | localStorage | Supabase (processor) / Domu Match | Primary browser persistence for your Supabase Auth session: keeps you signed in and lets the client refresh tokens. The Supabase browser client typically stores these values in localStorage alongside any HTTP-cookie synchronisation used for server-side session checks. | Until you sign out or clear site data for our origin; Supabase may refresh tokens while the session is active. |
| Supabase Auth session (sb-* pattern, may be chunked across multiple names) | HTTP cookie | Supabase (processor) / Domu Match | Synchronised session data for server-side rendering, middleware, and protected routes (for example so the server can validate your session on each request). Exact names depend on your Supabase project reference. | Session-based; refreshed while you use the site. Cleared when you sign out or remove cookies / site data. |
| csrf-token | HTTP cookie | Domu Match | HTTP-only CSRF token for authenticated users. Protects POST/PUT/PATCH/DELETE requests to our APIs from cross-site request forgery. | Up to 24 hours (rotated by our application) |
| Vercel platform identifiers (names vary; set by our host) | HTTP cookie / edge mechanism (as determined by Vercel) | Vercel Inc. (processor) / Domu Match | Strictly necessary hosting and edge operations: for example request routing, TLS delivery, and proportionate abuse or denial-of-service mitigation on Vercel’s network. This is separate from optional Vercel Web Analytics and Speed Insights (those load only after Analytics consent - see below). | Per Vercel’s platform behaviour; typically short-lived or session-oriented technical tokens. |
Cloudflare / bot widgets
We do not load Cloudflare Turnstile or other Cloudflare challenge widgets in our application code. If we add them later, we will update this statement and assign them to the correct legal category (strictly necessary vs consent-based) before activation.
SURFconext and other university SSO (not live today)
Domu Match does not currently offer SURFconext or other institution-specific single sign-on in production.
Technically, the stack can support future university SSO in two ways: (1) Supabase Auth can be linked to an external OIDC/OAuth identity provider (for example a national or institutional IdP); after login you would still use the same Supabase session persistence described in Category A (local storage and/or HTTP cookies). (2) The repository contains optional, feature-flagged placeholder code for a SAML-style SURFconext integration (environment variables such as ENABLE_SURFCONEXT in env.example) - this is not connected to the live sign-in experience and would need a full implementation and security review before use.
If we launch SURFconext or similar SSO, we will update this Cookie & Local Storage Statement to list any additional first- or third-party cookies, storage keys, or domains involved.
Strictly necessary third parties during ID verification
When you go through mandatory identity verification we embed or redirect to Persona (withpersona.com). Persona may set and read its own cookies and similar storage on Persona-controlled domains to operate fraud prevention, device signals, and the verification UI. We do not control those technologies.
For details, see Persona’s own legal and privacy documentation. We only receive verification outcomes and related attributes in line with our Privacy Policy.
Category B - Essential local and session storage (first-party)
The following keys are used in your browser for core functionality. They are treated as strictly necessary for the service and are not tied to optional analytics or marketing in our application code.
| Key | Storage type | Purpose | Duration |
|---|---|---|---|
| locale | localStorage | Remembers your selected interface language (English or Dutch). | Until you change language or clear site data |
| theme | localStorage | Remembers your light/dark/system appearance preference. | Until you change theme or clear site data |
| domu_consent_preferences | localStorage | Stores your cookie choices and policy version so we do not ask on every visit. | Until you update preferences or clear site data |
| domu_anonymous_session_id | localStorage | Anonymous identifier used when saving consent to our database before you create an account. Only a one-way hash of this value is stored server-side. | Until you clear site data |
| verification-email | sessionStorage | Temporarily remembers the email address during email verification and sign-in flows. | Until you close the browser tab |
Optional categories (require consent)
The technologies below load or run only if you opt in through the matching toggle in our preference centre (or Accept all). If you reject or withdraw consent, we stop using them in the browser to the extent technically possible without breaking the core service.
Analytics
Helps us understand aggregate usage (traffic, performance, and product funnels) so we can improve Domu Match.
- Vercel Web Analytics and Vercel Speed Insights (Vercel Inc.) load only when Analytics consent is on and they have not been globally disabled via NEXT_PUBLIC_DISABLE_ANALYTICS.
- Our own first-party “user journey” events (for example page views) are sent to Domu Match servers and stored in our database. The client uses localStorage keys domu_session_id and domu_session_start to group events into a browser session (30-minute inactivity timeout). When Analytics consent is off, this client-side journey tracking is not initialized.
- For each journey event we store a truncated client IP address (for IPv4, the last octet is replaced with 0; for IPv6, only a short prefix is kept) together with coarse location fields our host may supply (for example country/region/city). This reduces identifiability while still allowing aggregate geographic reporting.
| Technology | Provider | Purpose | Notes |
|---|---|---|---|
| Vercel Web Analytics & Speed Insights | Vercel Inc. | Privacy-friendly, aggregate web analytics and Core Web Vitals style performance metrics for our deployment. | See Vercel’s privacy policy. Loaded only after Analytics consent. |
| First-party journey / page events | Domu Match | Product analytics such as page_view and server-side business events linked to onboarding and matching flows. | Uses localStorage session keys above; data is stored in our Supabase-backed database (user_journey_events and related tables). |
Error tracking
Client-side error monitoring through Sentry (Functional Software Inc.). When enabled, Sentry may collect error payloads, performance traces, and technical context needed to diagnose bugs. We strip cookies and sensitive headers from events in our SDK configuration where possible.
- The browser Sentry SDK initializes only when Error tracking consent is granted and NEXT_PUBLIC_SENTRY_DSN is configured.
- Separately, Sentry on our servers and edge runtime may record unhandled errors and performance data to keep the service secure and available. We rely on our legitimate interests (and, where applicable, our contract with you) for that processing - not on advertising or profiling. It is not used for behavioural marketing. Sub-processors and details are listed in our Privacy Policy.
Session replay
Sentry Session Replay may record short clips of how the interface is used to debug complex issues. Replay is attached only when Session replay consent is on; sampling rates are configured in our Sentry client setup.
- Replay can capture on-screen text you type or see. Only enable this if you are comfortable with that risk, or leave it off.
- Session replay only takes effect when Error tracking consent is also granted, because in our current client bundle Sentry initializes only with Error tracking consent.
Marketing
We provide a Marketing toggle so we can turn on measurement or advertising tags in a consent-aware way in the future.
- We have confirmed that we do not load third-party advertising or remarketing pixels (such as Meta Pixel, Google Ads tags, or similar) in our production application code.
- If we add marketing technologies later, we will update this statement and map them to the Marketing category before activation.
Proof of consent and preference changes
When you save choices, we write domu_consent_preferences in localStorage and send a record to our API (/api/privacy/consent). For logged-in users we store rows in the user_consents table; for anonymous visitors we store a SHA-256 hash of domu_anonymous_session_id instead of the raw id.
We may store a truncated client IP address (same rules as for analytics journey events) and the user agent sent by your browser with that request to demonstrate compliance if ever questioned by a regulator. We do not use that data for advertising.
Other local storage for product features
Some product areas use localStorage for purely functional UX that is not used for cross-site advertising - for example caching dismissed tips or chat UI state on your device. These are not used to track you across other companies’ sites. If you clear site data, that state resets.
Cookie banner and consent logic
On your first visit, if we have no saved preferences, you will see a banner with Accept all, Reject all, and Customize.
Until you make a choice, we do not load optional Analytics (including Vercel Analytics), optional client-side error tracking/replay (Sentry in the browser), or first-party journey tracking that depends on Analytics consent.
After you save a choice, a small Cookie settings control appears so you can reopen the preference centre at any time.
- Non-essential toggles default to off; we do not use pre-ticked boxes for optional categories.
- If you choose Customize on your first visit (before any choice is saved), the preference centre opens with Analytics, Error tracking, Session replay, and Marketing all switched off until you actively enable them - matching GDPR / AP expectations.
- Reject all is as easy as Accept all (no dark patterns or forced scrolling).
- Saving preferences may reload the page so technologies align with your choice.
How to manage or delete cookies and storage
You can change optional categories in our Cookie Preference Centre at any time via Cookie settings, or clear all data for our site in your browser.
On Domu Match
- Click the Cookie settings button (lower-left on screen once you have saved a choice) to reopen the Cookie Preference Centre.
- Use Customize to switch Analytics, Error tracking, Session replay, or Marketing on or off, then Save preferences.
- Withdrawing consent updates our records and stops loading the related optional technologies on your device after reload where applicable.
In your browser
You can delete or block cookies and site data through your browser settings. Official help pages:
Key processors and further reading
Privacy and cookie information from core infrastructure providers:
Retention (summary)
Indicative periods - see our Privacy Policy for full retention schedules:
- Supabase authentication data in localStorage and HTTP cookies follows Supabase session settings and is cleared when you sign out or remove site data / cookies.
- csrf-token is rotated on our application schedule (up to roughly 24 hours).
- Consent records in user_consents are kept for as long as needed to demonstrate compliance with telecom and privacy law.
- Analytics and journey data in our database are retained only for product improvement and security, then deleted or aggregated according to internal policies described in the Privacy Policy.
Compliance approach (Netherlands / EU)
We aim to meet the standard of freely given, specific, informed, and unambiguous consent for any optional storage and access that requires it.
This statement is for transparency and is not legal advice. If you need certainty for your organisation, consult qualified counsel.
Questions
If something here does not match what you see in your browser or you want to exercise GDPR rights, contact us and we will help.
Email: domumatch@gmail.com