Omni Posto

Cookies and local storage

This page lists the cookies, local browser storage, and similar technical processing used by Omni Posto. The global baseline is strict: no non-essential analytics or marketing tracker loads before explicit consent.

Last updated: June 18, 2026

1. Applied principles

Strictly necessary cookies provide the requested service: session, security, OAuth, MFA, device binding, and cookie preference storage.

Functional storage restores drafts, tracks an active AI job, or speeds up media already requested by the signed-in user.

The analytics category covers non-essential product measurement, including first-party conversions when enabled; no advertising, retargeting, or heatmap provider is active today.

  • Rejecting non-essential storage is as direct as accepting analytics.
  • Withdrawal is available through Cookie preferences in the footer.
  • Global Privacy Control is honored for any future marketing, sale, or advertising share.

3. Technical observability

Sentry is configured as technical observability only: sendDefaultPii=false, sanitization before send, and no replay or marketing-style session tracking in this implementation.

Any non-essential product measurement, including conversion events, must be guarded by hasConsent("analytics") and remain inactive while analytics=false.
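The guard described above, sketched as an added example (not Omni Posto's own code). The cookie name and the 180-day retention come from the storage inventory; the JSON layout with fields v, analytics, marketing, gpc and ts, and the two-argument form of hasConsent, are assumptions.

```javascript
// Added example: fail-closed consent gate. The cookie's JSON layout is an assumption.
const CONSENT_COOKIE = "omniposto_consent_preferences"; // name from the inventory
const MAX_AGE_MS = 180 * 24 * 60 * 60 * 1000;           // 180-day retention
const SUPPORTED_VERSION = 1;                            // assumed schema version

// Parse the preference cookie out of a Cookie header. Anything malformed,
// from an unknown version, or older than the retention window yields null.
function readConsent(cookieHeader, now = Date.now()) {
  for (const part of String(cookieHeader || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0 || part.slice(0, eq).trim() !== CONSENT_COOKIE) continue;
    try {
      const p = JSON.parse(decodeURIComponent(part.slice(eq + 1).trim()));
      const fresh = Number.isFinite(p.ts) && p.ts <= now && now - p.ts <= MAX_AGE_MS;
      if (p.v !== SUPPORTED_VERSION || !fresh) return null;
      return p;
    } catch {
      return null;
    }
  }
  return null;
}

// Only a stored literal `true` grants a category. A Global Privacy Control
// signal (stored or live) always vetoes marketing.
function hasConsent(category, prefs, gpcSignal = false) {
  if (!prefs || prefs[category] !== true) return false;
  if (category === "marketing" && (gpcSignal || prefs.gpc === true)) return false;
  return true;
}

// Guarded emitter: the event never reaches `send` while analytics=false.
function trackConversion(event, cookieHeader, send, now = Date.now()) {
  if (!hasConsent("analytics", readConsent(cookieHeader, now))) return false;
  send(event);
  return true;
}

// Constructed sample cookies (not real values).
const NOW = Date.UTC(2026, 5, 18);
const cookie = (o) => `${CONSENT_COOKIE}=${encodeURIComponent(JSON.stringify(o))}`;
const ACCEPTED = cookie({ v: 1, analytics: true, marketing: true, gpc: true, ts: NOW - 1000 });
const REJECTED = cookie({ v: 1, analytics: false, marketing: false, gpc: false, ts: NOW - 1000 });
const STALE = cookie({ v: 1, analytics: true, marketing: false, gpc: false, ts: NOW - MAX_AGE_MS - 1 });
```

A missing, unparsable, or expired cookie is treated the same as a rejection, so a parsing bug cannot turn measurement on.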

4. Storage inventory

Technical names, purposes, retention, deletion paths, providers, regions, and consent basis.

sb-<project-ref>-auth-token*

cookie / essential

Requires consent: No
Purpose: Keep the signed-in session active and refresh Supabase Auth tokens.
Stored data: Opaque session tokens managed by Supabase SSR.
Retention: Controlled by the Supabase session; removed on sign-out or expiry.
Deletion: Sign-out, session expiry, or browser cleanup.
Provider: Supabase
Region: Browser and configured Supabase project region

oauth_csrf_<platform>

cookie / essential

Requires consent: No
Purpose: Verify OAuth callbacks and block CSRF attacks during social platform connections.
Stored data: Random CSRF token, httpOnly, with no social content.
Retention: 10 minutes.
Deletion: Deleted on OAuth callback, expiry, or browser cleanup.
Provider: Omni Posto
Region: Browser and Railway application region

tiktok_auth_state, tiktok_auth_pending, auth_session_bridge

cookie / essential

Requires consent: No
Purpose: Complete TikTok sign-in and bind the provider callback to the right session.
Stored data: CSRF state, encrypted minimal TikTok identity, and redirect context.
Retention: 10 minutes.
Deletion: Deleted when the TikTok flow completes, expires, or the browser is cleared.
Provider: Omni Posto / TikTok
Region: Browser, Railway application region, and TikTok

__omniposto_mfa_trust

cookie / essential

Requires consent: No
Purpose: Recognize an approved MFA device without storing the MFA secret in clear text.
Stored data: Version, device id, and random validator; the server stores hashes only.
Retention: 30, 90, 180, or 365 days; the no-server-expiry option is cookie-limited to 400 days.
Deletion: MFA revocation, secured sign-out, expiry, device change, or browser cleanup.
Provider: Omni Posto / Supabase
Region: Browser and Supabase project region

__omniposto_device

cookie / essential

Requires consent: No
Purpose: Bind selected social platform connections to the device that authorized them.
Stored data: Random httpOnly secret; the server stores a per-user HMAC hash.
Retention: 2 years, unless revoked or replaced.
Deletion: Binding revocation, replacement after revocation, or browser cleanup.
Provider: Omni Posto / Supabase
Region: Browser and Supabase project region

omniposto_consent_preferences

cookie / essential

Requires consent: No
Purpose: Remember rejection, withdrawal, or analytics consent without asking again on every page.
Stored data: Version, analytics/marketing booleans, GPC signal, and timestamp; no account data.
Retention: 180 days.
Deletion: Withdrawal from the footer, a new choice, expiry, or browser cleanup.
Provider: Omni Posto
Region: Browser and Railway application region

publish-autosave:v2:<organizationId>:<userId>

localStorage / functional

Requires consent: No
Purpose: Restore a local publish-center draft after navigation, reload, or browser interruption.
Stored data: Draft content, selected platforms, selected media, schedule, and publishing attributes.
Retention: 72 hours after the last update.
Deletion: Publication, discarded recovery, logical expiry, sign-out, or browser cleanup.
Provider: Omni Posto
Region: Browser only

omniposto:idea-generation-job:<organizationId>

localStorage / functional

Requires consent: No
Purpose: Find the active AI job and continue polling after a page reload.
Stored data: Active AI job id only.
Retention: Until completion, failure, cancellation, or job cleanup.
Deletion: Job completion, tracking dismissal, or browser cleanup.
Provider: Omni Posto
Region: Browser only

omniposto-media-cache / media_blobs

IndexedDB / functional

Requires consent: No
Purpose: Speed up previously requested media thumbnails and previews in the media library and Publish.
Stored data: Image/video preview blobs, MIME type, size, creation time, and last access time.
Retention: LRU limit: 150 MB or 400 entries by default.
Deletion: Media library clear action, sign-out, user switch, or LRU limit pressure.
Provider: Omni Posto
Region: Browser only

Sentry technical events

technicalTelemetry / essential

Requires consent: No
Purpose: Detect technical errors and protect service stability.
Stored data: Sanitized error events; sendDefaultPii=false; no replay enabled here.
Retention: According to the Sentry project configuration.
Deletion: According to Sentry tooling and policy; no Omni Posto marketing cookie.
Provider: Sentry
Region: Sentry processing region configured for the project

future analytics provider

futureTracker / analytics

Requires consent: Yes
Purpose: Future product measurement only after explicit consent.
Stored data: Currently inactive; provider not selected.
Retention: Not applicable until a provider is activated.
Deletion: Analytics withdrawal from the preference center before any future script loads.
Provider: None currently
Region: Inactive
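The __omniposto_mfa_trust entry above says the cookie carries a version, a device id, and a random validator while the server stores hashes only. The following added example (not Omni Posto's own code) shows that pattern in Node.js; the "v1.<deviceId>.<validator>" layout, SHA-256, the in-memory Map standing in for the server table, and all function names are assumptions.

```javascript
// Added example: trusted-device cookie where the server keeps only a hash.
// Cookie layout, SHA-256, and the Map-based store are assumptions.
const crypto = require("node:crypto");

const DAY_MS = 24 * 60 * 60 * 1000;
const COOKIE_CAP_DAYS = 400; // cookie-side limit stated in the inventory
const sha256 = (s) => crypto.createHash("sha256").update(s).digest();

// Issue a trust token. The store keeps only the validator's hash, so a
// leaked table does not yield cookies that can be replayed.
function issueTrust(store, userId, days, now = Date.now()) {
  const deviceId = crypto.randomBytes(16).toString("hex");
  const validator = crypto.randomBytes(32).toString("base64url");
  const expiresAt = days == null ? null : now + days * DAY_MS; // null = no server expiry
  store.set(deviceId, { userId, hash: sha256(validator), expiresAt });
  return {
    cookie: `v1.${deviceId}.${validator}`,
    maxAgeSeconds: Math.min(days ?? COOKIE_CAP_DAYS, COOKIE_CAP_DAYS) * 86400,
  };
}

// Verify a presented cookie for the user who just passed the first factor.
function verifyTrust(store, userId, cookie, now = Date.now()) {
  const parts = String(cookie || "").split(".");
  if (parts.length !== 3 || parts[0] !== "v1") return false;
  const rec = store.get(parts[1]);
  if (!rec || rec.userId !== userId) return false;
  if (rec.expiresAt !== null && now >= rec.expiresAt) {
    store.delete(parts[1]); // expired: drop the server record too
    return false;
  }
  // Both digests are 32 bytes, so timingSafeEqual never throws on length.
  return crypto.timingSafeEqual(sha256(parts[2]), rec.hash);
}

// Revocation deletes the server record; the cookie alone is then worthless.
function revokeTrust(store, deviceId) {
  return store.delete(deviceId);
}
```

Because the validator is 32 random bytes, a plain fast hash is sufficient here; a slow password hash is only needed for low-entropy secrets.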

5. Regional matrix

Omni Posto applies the strictest baseline everywhere, then adds applicable regional rights.

Europe / EEA / Belgium / France

Opt-in before any non-essential tracker, clear notice, and accessible rejection and withdrawal.

Americas

Opt-out rights for advertising sale/share and GPC honored for any future marketing.

Asia

Prior notice, purpose limitation, and withdrawal where processing relies on consent.

Africa

Transparency, minimization, security, and data-subject rights under applicable laws.

6. Official references