TOYORNOT.com Legal
Cookie and Consent Policy
Last updated: June 6, 2026
1. How Consent Works
On first visit, optional categories are disabled by default. You can allow or deny optional processing and change your choice any time via "Cookie Settings" in the app footer.
2. Storage Used by This Site
| Name | Type | Purpose | Category | Duration |
|---|---|---|---|---|
toyornot-consent-v1 |
Local storage | Stores your consent preferences for optional analytics and sponsored content. | Necessary | Until changed or cleared in browser |
toyornot-daily-judgement-cap-v1 |
Local storage | Stores the current local-day guest judgement count so the app can enforce the 2-judgements-per-day guest limit. | Necessary | Until the next local day or storage is cleared |
toyornot-initial-crop-guide-seen-v1 |
Local storage | Stores whether the first-upload crop guide has already been shown so the app does not interrupt later uploads with the same instruction. | Necessary | Until storage is cleared |
toyornot-initial-lesson-intro-guide-seen-v1 |
Local storage | Stores whether the first-open Duolingo for Graffiti guide has already been dismissed so the app does not interrupt later lesson-map visits with the same instruction. | Necessary | Until storage is cleared |
toyornot-account-display-status-v1, toyornot-authenticated-account-tier-v1 |
Local storage | Stores the last known guest/free/premium display status and, for signed-in users, the user id tied to that tier so the app can avoid briefly showing stale account-tier UI while server entitlements refresh. | Necessary | Until updated or storage is cleared |
toyornot-guest-id-v1 |
Local storage | Stores a necessary browser guest identifier so anonymous result flows, abuse controls, and first-party retention-funnel measurement can recognize the same browser without retaining guest upload history. | Necessary | Until storage is cleared |
toyornot-retention-session-key-v1 |
Session storage | Stores the current scanner home-session identifier so necessary first-party retention-funnel events can be grouped into one session/pageview cohort and later return visits can be measured correctly. | Necessary | Until the browser tab or session ends |
toyornot-email-lifecycle-consent-pending-v1 |
Session storage | Temporarily stores the checked optional email-consent choice across the Google sign-in redirect so the app can attach consent to the authenticated Google account email. It does not store the email address. | Necessary for requested email opt-in | Until submitted, rejected, or the browser tab/session ends |
toyornot-experiment-exposures-v1 |
Session storage | Stores first-party experiment exposure de-duplication keys so eligible exposures are not sent repeatedly in the same browser session. | Necessary | Until the browser tab or session ends |
| First-party experiment event records | Server-side database records | Stores bounded exposure and outcome records for product experiments and measured rollouts, including experiment key, variant, stable subject key, route/source labels, UI locale, visitor country, and primitive metadata. Raw uploads, prompts, free-text feedback, emails, and unbounded payloads are not stored in these records. | Necessary | Until deleted from the application database |
| Share-bonus attempt and visit records | Server-side database records | Stores signed-in share-bonus attempts and shared-link visits, including user id, day key, share token, status, timestamps, landing path, referrer host, and user-agent string so bonus unlocks can be verified and abuse can be limited. | Necessary | Until deleted from the application database |
| Optional browser reminder records | Server-side database records and browser push subscriptions | Stores account or guest lesson reminder preferences separately from rating reminder preferences, including enabled state, local time zone, UI locale, limited day key, next scheduled timestamp, last-sent day key, push endpoint, cryptographic subscription keys, expiration time, user-agent string, and delivery success/failure metadata. Raw images, prompts, lesson uploads, filenames, feedback text, emails, and arbitrary payloads are not stored in reminder metadata. | Necessary for requested reminder delivery | Until disabled, expired, deleted, or no longer needed for operational records |
| Optional email lifecycle consent records | Server-side database records | Stores explicit opt-in preference and audit records for lifecycle emails, including signed-in Google account email, opt-in status, source, UI locale, legal-version identifiers, request id, user-agent string, and timestamps. | Necessary for requested email opt-in | Until withdrawn, deleted, or no longer needed for consent/legal records |
| Third-party analytics identifiers | Cookie/storage (provider-dependent) | Optional product analytics events, client-side error diagnostics, and session replay via PostHog when analytics is configured and you consent. | Analytics (optional) | Provider-defined |
| Affiliate optimizer event records | Server-side database records | Stores optional waiting-overlay affiliate offer selections, viewable impressions, click events, and hashed anonymous session identifiers so sponsored content can measure CTR and improve offer ranking after consent. | Sponsored content (optional) | Until deleted from the application database |
toyornot-analytics-visitor-id-v1, toyornot-analytics-first-seen-v1, toyornot-analytics-session-count-v1 |
Local storage | Stores an anonymous analytics identifier and return-visit counters so optional analytics can measure repeat usage after consent. | Analytics (optional) | Until consent is withdrawn or storage is cleared |
toyornot-analytics-session-id-v1, toyornot-analytics-session-index-v1, toyornot-analytics-rating-attempt-v1 |
Session storage | Stores the current anonymous analytics session and in-session attempt counters. | Analytics (optional) | Until the browser tab or session ends |
toyornot-resend-email-attribution-v1 |
Session storage | Stores allow-listed Resend email campaign and link-placement labels from tagged email links so optional analytics can attribute a consented session without storing recipient emails or unsubscribe tokens. | Analytics (optional) | Until the browser tab or session ends |
| Amazon affiliate destination cookies/storage | Cookie/storage (provider-dependent) | May be set by Amazon after you click an optional sponsored Amazon affiliate link for your visitor market. The in-app sponsored cards are static and do not load Amazon scripts before click-through. | Sponsored content (optional) | Provider-defined after click-through |
3. Optional Technologies
- Necessary first-party retention-funnel telemetry for scanner home sessions uses the browser guest identifier and session-scoped retention key above. This telemetry is separate from optional PostHog analytics and does not change the consent-banner behavior.
- Necessary first-party experiment telemetry uses the browser guest identifier or signed-in user id, depending on the experiment's assignment unit. Compatible experiment properties are mirrored to PostHog only through the existing consent-gated analytics path.
- Optional browser push reminders use browser notification permission. Lesson limit reminders are independent from rating limit reminders and can be enabled or disabled separately.
- Optional lifecycle email consent uses the Google account email returned after sign-in only when you check the email opt-in box. This is separate from cookie analytics consent and browser push reminder consent.
- Optional PostHog event capture, client-side exception diagnostics, and session replay are enabled only after you consent to analytics and sponsored content and only when the deployment is configured with PostHog keys.
- Optional static Amazon affiliate cards may be shown only after you consent to analytics and sponsored content. They do not load Amazon script on this site before you click through.
- Optional analytics storage is used only after that consent and supports anonymous visitor/session measurement.
4. Manage or Withdraw Consent
Use the in-app "Cookie Settings" control to update your preferences. Changes apply to future processing. You can also clear browser storage to remove saved preferences. Email lifecycle consent can be withdrawn through the unsubscribe mechanism in lifecycle emails when configured, or by contacting the operator.
5. Contact
Questions about cookies or consent: toyornot.com@gmail.com