COOKIE POLICY
Last updated: May 1, 2026
Strictly necessary: one session cookie (always on). Optional: PostHog analytics cookies (consent required). No advertising. No behavioural profiling.
FindMeComics sets a strictly necessary session cookie to keep you signed in, and β with your consent β analytics cookies via PostHog to understand how the site is used. We do not use advertising cookies, tracking pixels, or behavioural profiling of any kind.
WHAT IS A COOKIE?
A cookie is a small text file that a website stores in your browser. Your browser sends it back to the server on every subsequent request so the server can recognise you. Cookies cannot execute code and do not by themselves identify you by name β they store an identifier that the server maps to your account.
THE COOKIES WE SET
We set up to three cookies, all from NextAuth.js (our open-source authentication library). All three are strictly necessary β they are technically required for authentication to work and are exempt from consent requirements under the ePrivacy Directive Art. 5(3) and UK PECR Reg. 6(4).
| Cookie name | Purpose | Contents | Expires | Flags |
|---|---|---|---|---|
| __Secure-next-auth .session-token(dev: next-auth.session-token) | Session token. Keeps you signed in across page loads and browser restarts until you sign out or your session expires. | An encrypted JWT containing your session ID, username, and role flags (e.g. ageVerified, isAdmin). No email or password is stored in the cookie. | 30 days (or sign-out) | HttpOnly Secure SameSite=Lax |
| __Host-next-auth .csrf-token(dev: next-auth.csrf-token) | CSRF protection. Prevents cross-site request forgery attacks on sign-in and sign-out forms. Required for security. | A random token paired with a hash. Contains no personal data. | Browser session | SameSite=Lax (not HttpOnly β must be readable by the sign-in form) |
| __Secure-next-auth .callback-url(dev: next-auth.callback-url) | OAuth redirect. Temporarily stores the page you were trying to reach so you are redirected there after signing in via Google. Set only during an active sign-in flow and cleared immediately after. | The URL you were visiting before sign-in. No personal data. | Browser session (cleared post-login) | Secure SameSite=Lax |
ANALYTICS COOKIES (CONSENT REQUIRED)
If you click Accept Analytics on the banner shown at your first visit, we load PostHog β an open-source product analytics tool. PostHog sets a cookie and uses localStorage to associate your page views and explicit interactions with a pseudonymous device ID.
We collect only named, explicit events β page views, listing created, checkout completed, wantlist item added, and similar product actions. PostHog's autocapture (which would automatically record every click and form-field value) is disabled. No form input content is ever captured. IP addresses are excluded from all event properties.
No email address, name, or IP address is transmitted to PostHog. If you are signed in, your pseudonymous FMC account ID (an internal identifier β not your email or username) is also passed to PostHog so that events across sessions can be linked to a single account rather than treated as separate anonymous visitors. If you are not signed in, only the device ID is used.
| Name / storage | Purpose | Expires |
|---|---|---|
| ph_key_posthog (localStorage) | Stores the anonymous device ID and pending event queue used by PostHog to associate page views and interactions across sessions. | Persistent (localStorage) |
| ph_key_posthog (cookie) | Fallback cookie mirror of the localStorage entry for browsers that block localStorage in third-party contexts. | 1 year |
Data is sent to PostHog's US servers (us.i.posthog.com). PostHog acts as a data processor under a Data Processing Agreement β that includes EU Standard Contractual Clauses. You can withdraw consent at any time by clearing your browser's site data for findmecomics.com β PostHog will not load on your next visit until you accept again.
WHAT WE DO NOT SET
- Advertising or tracking cookies β we do not run retargeting, interest-based advertising, or behavioural profiling.
- Social / third-party cookies β no social media pixels, no embedded widgets that set their own cookies. The only external service that may set a cookie during sign-in is Google, via our OAuth integration β see below.
- A/B test or personalisation cookies β we do not run cookie-based experiments.
GOOGLE SIGN-IN (OAUTH)
If you choose to sign in with Google, your browser will interact with Google's servers during the OAuth handshake. Google may set its own cookies on accounts.google.com as part of that process. Those cookies are governed entirely by Google's Privacy Policy β β FindMeComics does not control, read, or benefit from them. After the handshake completes, only our session-token cookie (above) is active.
Google Sign-In is entirely optional. You can register and sign in with an email address and password instead, in which case no interaction with Google's servers occurs at all.
THE CONSENT BANNER
On your first visit we show a banner with two options: Accept Analytics (loads PostHog) and Essential Only (session cookie only, PostHog never loads). Your choice is stored in localStorage and respected on every subsequent visit. The session cookie is set regardless of your choice β it is strictly necessary for authentication and falls under the ePrivacy Directive Art. 5(3) / PECR Reg. 6(4) exemption.
MANAGING OR DELETING COOKIES
You can delete or block cookies at any time through your browser settings. If you delete the session cookie you will be signed out. If you block all cookies, sign-in will not work β the session cookie is technically required.
Browser cookie settings guides: Chrome β Β· Firefox β Β· Safari β Β· Edge β
CHANGES TO THIS POLICY
If we add new non-strictly-necessary cookies we will update this page, update the βLast updatedβ date, and implement a proper consent mechanism before setting them.
QUESTIONS
Email privacy@findmecomics.com. See also our full Privacy Policy and Privacy Policy Β§ 12 (Cookies).