Cookie/Storage Notice
Version draft-task-4-placeholder. Last updated 2026-07-09. This draft describes cookies, local/session storage, embedded content, and similar storage/access technologies used by the private alpha.
| Technology | Category | Purpose | Default |
|---|---|---|---|
| Supabase auth cookies/session storage | Strictly necessary | Keep signed-in sessions working | On when auth is configured |
| Practice workspace browser state | Strictly necessary/local app state | Run the practice workspace and preserve unsaved screen state | On |
| YouTube IFrame API and iframe | Optional third-party content | Play saved YouTube practice resources | Loaded only when YouTube resource/player is used |
| YouTube metadata lookup | Optional third-party request | Fetch video/playlist titles when saving a YouTube resource | Triggered by saving a YouTube URL |
| Deezer API and cover images | Optional third-party search/content | Search catalog metadata and show selected artwork | Triggered by Deezer search/use |
| Uploaded file signed URLs | Strictly necessary account storage | Show private uploaded PDF/Guitar Pro files | On for uploaded resources |
| Next/font Google font assets | Static app asset | Serve app typography | Self-hosted by the production build; no browser request to Google Fonts is expected |
| Analytics | Optional analytics | Product improvement | Off for private alpha unless a later consent task enables it |
Third-Party Content
Loading YouTube or Deezer content may contact those providers and share request metadata such as IP address, browser/device information, and any provider cookies already present in the browser. You must explicitly allow these providers before any content or tracking from them is loaded.
What Is Off For Private Alpha
Analytics, payments, marketing email, AI provider sharing, support chat, and unreviewed third-party embeds are off unless a later reviewed task enables them with updated notices and controls.