name: Cookie & Tracking Notice slug: cookies version: 1.0.0 effective_date: [EFFECTIVE_DATE] last_updated: 2026-05-09
Cookie & Tracking Notice
Plain-English Summary
We use a small set of first-party cookies and local-storage entries to keep you logged in, remember your language and display preferences, and make pages load faster. We do not use third-party advertising or analytics trackers — no Meta Pixel, no Google Analytics, no Mixpanel, no Segment, no Hotjar, no TikTok Pixel, nothing of the sort. EU/UK/EEA/Swiss visitors see a consent banner on first visit. California residents (and residents of other U.S. states with comparable laws) have a "Do Not Sell or Share My Personal Information" link, and we honor the Global Privacy Control (GPC) signal as a valid opt-out.
This Notice supplements the ShareFree Privacy Policy and the Terms of Service.
1. What This Notice Covers
This Notice explains how ShareFree, Inc. ("ShareFree," "we," "us," "our") uses cookies and similar technologies on the ShareFree website at sharefree.org and any subdomains (the "Site"), and the equivalent local-storage technologies used by our iOS and Android mobile applications (together, the "Service").
The technologies covered by this Notice include:
- HTTP cookies — small text files placed in your browser by a website you visit.
- Local storage and session storage — browser key-value stores used to cache application data on your device.
- IndexedDB — a browser-side database used for larger client-side caches.
- Mobile storage — the AsyncStorage API on iOS and Android, which is the mobile equivalent of browser local storage.
- Push notification tokens — device identifiers issued by Apple Push Notification service (APNs) and Firebase Cloud Messaging (FCM) when you enable push notifications.
- Server-side identifiers — values we set in our own database (for example, your account ID and session record) that are not "cookies" in the technical sense but perform similar functions.
If you only read one section, read §2 (what we use) and §4 (your choices).
2. Categories We Use
We follow the four-category model that has become the de facto standard under the EU ePrivacy Directive, the UK PECR, and most U.S. state privacy laws: strictly necessary, functional, analytics, and advertising.
2.1 Strictly Necessary
These technologies are required for the Service to function. They keep you logged in, route your requests to the correct backend, and prevent cross-site request forgery. You cannot disable these via the in-app cookie controls because the Service will not work without them. You can still block them in your browser, but doing so will prevent you from logging in or using authenticated features.
| Name | Type | Set by | Purpose | Retention |
|---|---|---|---|---|
sb-<project-ref>-access-token | First-party HTTP cookie | ShareFree (via Supabase Auth) | Stores your authenticated session JWT. Required to log in and access account-protected pages. | Session lifetime (typically 1 hour, refreshed automatically) |
sb-<project-ref>-refresh-token | First-party HTTP cookie | ShareFree (via Supabase Auth) | Stores the refresh token used to keep you signed in across visits. | Up to 30 days, rolling |
| CSRF / anti-forgery tokens | First-party HTTP cookie | ShareFree | Protects authenticated form submissions from cross-site request forgery. | Session |
| Edge / load-balancer affinity (when applicable) | First-party HTTP cookie | ShareFree (via our CDN/edge provider, acting as a subprocessor) | Routes requests to a consistent server for the duration of your session. | Session |
2.2 Functional
These technologies remember choices you have made and pre-load data so pages render faster. Disabling them will not break the Service, but it will degrade the experience — for example, you will see your interface reset to defaults on each visit and pages will load more slowly.
| Name | Type | Set by | Purpose | Retention |
|---|---|---|---|---|
user_profile | First-party HTTP cookie | ShareFree | Caches your display name, avatar, primary community, and language preference for fast page renders. Does not contain auth credentials. | 24 hours |
i18nextLng | First-party localStorage | ShareFree | Remembers your selected language so the Service loads in your preferred language on return visits. | Until you clear browser storage |
sharefree:categories | First-party localStorage | ShareFree | Caches the listing-category taxonomy. | 24 hours (TTL) |
sharefree:ad-config | First-party localStorage | ShareFree | Caches in-house ad placement configuration. | 1 hour (TTL) |
sharefree:my-communities | First-party localStorage | ShareFree | Caches the list of communities you belong to for fast feed switching. | 10 minutes (TTL) |
| Theme / display preferences (e.g., color theme, density) | First-party localStorage | ShareFree | Remembers UI preferences. | Until cleared |
2.3 Analytics
We collect a minimal set of first-party, server-side usage events — feed views, listing views, search queries, and similar interactions — to operate, secure, and improve the Service. These events are stored in our own database under the safeguards described in our Privacy Policy and are used only by ShareFree.
We do not use third-party analytics SDKs such as Google Analytics, Google Tag Manager, Mixpanel, Segment, Amplitude, Hotjar, FullStory, Heap, PostHog (cloud), Microsoft Clarity, or any equivalent.
Because our analytics are server-side and first-party, they do not require setting analytics cookies in your browser. If we ever introduce a third-party analytics tool that uses cookies or similar identifiers, we will update this Notice and — where required by law — request your consent before activating it.
| Name | Type | Set by | Purpose | Retention |
|---|---|---|---|---|
| First-party event log | Server-side record (no client cookie) | ShareFree | Aggregate usage analysis, abuse and fraud detection, capacity planning, product improvement. | 12 months, then aggregated or deleted |
2.4 Advertising
ShareFree runs in-house advertising only. Ads are placed by ShareFree on behalf of community members and businesses, and they are targeted server-side based on the community you are viewing and the listing category you are browsing — not on a profile of your behavior across the open web.
We do not use third-party advertising cookies, pixels, tags, or trackers. We do not deploy the Meta/Facebook Pixel, the Google Ads conversion tag, the TikTok Pixel, the LinkedIn Insight Tag, the Microsoft UET tag, the X (Twitter) Pixel, or any equivalent technology. We do not participate in real-time bidding or any cross-context behavioral advertising program.
Because ads are matched server-side using only the community and category context of the page you are looking at, we do not "sell" your personal information and we do not "share" it for cross-context behavioral advertising as those terms are defined under the California Consumer Privacy Act (as amended by the CPRA) and comparable state laws. The "Do Not Sell or Share" link in §4.2 is provided for forward compatibility and to honor opt-out signals.
If this ever changes — for example, if we introduce a third-party ad network — we will update this Notice and (where required) seek your consent before activating any third-party advertising technology.
3. Who Sets Cookies
All technologies described in §2 are first-party. They are set either directly by ShareFree or by service providers acting on our behalf under written data-processing agreements ("DPAs"):
- Supabase — provides our authentication and database infrastructure. The
sb-*-access-tokenandsb-*-refresh-tokencookies are issued by Supabase Auth on our domain. Supabase acts as our processor. - CDN / edge provider — provides global caching and TLS termination. Any session-affinity cookie is issued on our domain. The provider acts as our processor.
We do not permit third-party advertising networks, third-party analytics vendors, or social-media tracking pixels to set cookies on the Service today.
4. Your Choices
4.1 EU / UK / EEA / Switzerland — Cookie Banner
If you visit the Site from the European Economic Area, the United Kingdom, or Switzerland, the cookie banner shown on your first visit lets you:
- Accept all non-strictly-necessary cookies and similar technologies;
- Reject all non-strictly-necessary cookies (only strictly-necessary technologies will be set); or
- Customize your choices by category.
Strictly-necessary technologies (§2.1) are always loaded because the Service cannot function without them — this is permitted under Article 5(3) of the ePrivacy Directive and PECR Regulation 6(4).
You can change your preferences at any time at Settings → Privacy → Cookie Preferences in the web app. Withdrawing consent is as easy as giving it.
4.2 California and Other U.S. State Privacy Laws
This section addresses opt-out and consumer-choice rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA"), the Virginia Consumer Data Protection Act ("VCDPA"), the Colorado Privacy Act ("CPA"), the Connecticut Data Privacy Act ("CTDPA"), the Utah Consumer Privacy Act ("UCPA"), the Texas Data Privacy and Security Act ("TDPSA"), and similar state laws.
- "Do Not Sell or Share My Personal Information." A persistent link with that title is available in the Site footer and at /privacy/do-not-sell. Although we do not currently sell personal information and do not share it for cross-context behavioral advertising as those terms are defined by the CPRA, the link is preserved so that opt-outs are recorded against your account for forward compatibility.
- Global Privacy Control (GPC). We honor the GPC browser signal as a valid CCPA/CPRA opt-out of sale and sharing. If your browser sends GPC, we will treat it as an opt-out for the device or browser sending the signal and (where you are logged in) for your account.
- Targeted advertising / profiling. Because we do not engage in cross-context behavioral advertising or profiling that produces legal or similarly significant effects, no separate opt-out is required under VCDPA, CPA, CTDPA, UCPA, or TDPSA. The "Do Not Sell or Share" link covers all comparable state opt-outs.
- Sensitive personal information. We do not use sensitive personal information (as defined under the CPRA) for purposes that would trigger a right to limit its use.
For other consumer rights — access, deletion, correction, portability, appeal — see the Privacy Policy.
4.3 Other Regions
If you are outside the EEA/UK/Switzerland and the United States, you may use your browser controls (§5) and your mobile-OS controls (§6) to block or delete cookies and clear app storage at any time. Note that disabling strictly-necessary cookies will prevent you from logging in.
5. How to Disable Cookies in Your Browser
You can review and delete cookies through your browser settings. Each browser also lets you block cookies, block third-party cookies, or block specific sites. The current paths are:
- Google Chrome (desktop): Settings → Privacy and security → Cookies and other site data
- Apple Safari (macOS): Safari → Settings → Privacy → Manage Website Data
- Mozilla Firefox: Settings → Privacy & Security → Cookies and Site Data
- Microsoft Edge: Settings → Cookies and site permissions → Cookies and site data
- Apple Safari (iOS / iPadOS): Settings app → Safari → Block All Cookies (and "Clear History and Website Data")
- Google Chrome (Android): Chrome menu → Settings → Site settings → Cookies
- Brave / Arc / Vivaldi / Opera: see the privacy or shields section of each browser's settings.
You can also clear local storage, session storage, and IndexedDB through the same browser controls. Doing so will sign you out and reset your in-app preferences.
6. Mobile App
The ShareFree mobile applications for iOS and Android do not use HTTP cookies in the way websites do. Instead, they use AsyncStorage, a key-value store provided by the operating system, to keep equivalent data on your device. The same four categories from §2 apply:
- Strictly necessary: authentication tokens used to keep you signed in.
- Functional: language preference, theme preference, and TTL-based caches for categories, ad configuration, and your community list.
- Analytics: first-party, server-side event logging only — no third-party analytics SDKs are bundled in the apps.
- Advertising: none — no third-party advertising SDKs are bundled in the apps.
You can clear all app storage at any time through the operating system:
- iOS / iPadOS: Settings → General → iPhone Storage → ShareFree → Offload App or Delete App. (iOS does not expose per-app storage clearing without removing the app.)
- Android: Settings → Apps → ShareFree → Storage → Clear Storage / Clear Cache.
- You may also delete and reinstall the app to reset all on-device storage.
Push notification tokens. When you grant push-notification permission, the operating system issues a device-specific token (an APNs token on iOS, an FCM token on Android), which we store on your profile so we can send you the notifications you have asked to receive. You can revoke push permission at any time in OS Settings → Notifications → ShareFree (iOS) or Settings → Apps → ShareFree → Notifications (Android). Revoking permission invalidates the token; we delete it from your profile when you turn off push in app settings or delete your account.
Mobile advertising identifiers (IDFA / GAID). We do not request the iOS App Tracking Transparency permission and we do not collect the IDFA or the Google Advertising ID. We do not use SKAdNetwork or Privacy Sandbox APIs.
7. Do Not Track (DNT)
The "Do Not Track" HTTP header was an early browser proposal that never reached industry consensus and is no longer maintained as a standard. Because there is no agreed-upon meaning for DNT, we do not respond to it separately.
We do honor the Global Privacy Control (GPC) signal as a CCPA/CPRA opt-out of sale and sharing — see §4.2. Where state or federal law specifies a particular browser signal as a valid opt-out, our position will follow that law.
8. Changes to This Notice
We may update this Notice from time to time to reflect changes to the technologies we use, to our service providers, or to applicable law. The version number and last_updated date at the top of this Notice indicate the current version. Material changes — for example, introducing a new category of cookies or a new third-party SDK — will be flagged in-app, via email to registered users, or via a refreshed banner that asks for your consent where required.
Older versions of this Notice are archived and available on request to privacy@sharefree.org.
Contact
Questions about this Notice or our use of cookies and similar technologies can be sent to:
ShareFree, Inc. — Attn: Privacy Team Email: privacy@sharefree.org
For broader privacy questions, please review the Privacy Policy. For terms governing your use of the Service, see the Terms of Service.