Legal & Policies

Review our terms and compliance documents

Cookie Policy

LiningPro technical storage inventory

Maintained alongside application source (lib/admin-user-capabilities-storage-ledger.ts). Entries cover the principal HTTP cookies plus localStorage and sessionStorage keys used in deployed code. It lists the primary keys and may not enumerate every transient, admin-only, or third-party-hosted entry managed outside this repository; temporary differences can occur during updates.

Persisted identifiers and identifiers written to visitor browsers with purpose and lifespan columns
Name / patternMechanismLifespanPurposeCategoryAudienceNoticeSource (engineering)
admin_session

ADMIN_COOKIE (lib/admin-auth.ts)

HTTP cookie12 hoursSigned admin JWT, scope-limited to admin email; required for `requireAdmin()` checks in admin routes.Attributes: httpOnly; secure (prod); sameSite=lax; path=/; maxAge=43200Security / authAdministrationAdmin-only pathwaylib/admin-auth.ts (`setAdminCookie`)
advertiser_sessionHTTP cookie7 days (rolling on auto-login)Authenticated advertiser session JWT. Required for advertiser dashboard, inquiries, and billing.Attributes: httpOnly; secure (prod); sameSite=lax; path=/; maxAge=604800Set only after the advertiser terms checkbox is accepted and persisted server-side.Strictly necessaryAdvertisersServer-persisted checkbox before writeapp/api/advertiser/login/route.ts; app/api/advertiser/auto-login/route.ts
contractor_sessionHTTP cookie7 days (rolling on auto-login)Authenticated contractor session JWT. Required for contractor dashboard, inbox, billing, and tools.Attributes: httpOnly; secure (prod); sameSite=lax; path=/; maxAge=604800Set only after the contractor terms checkbox (DisclaimerBlock audience: contractor) is accepted and persisted server-side.Strictly necessaryContractorsServer-persisted checkbox before writeapp/api/contractor/login/route.ts; app/api/contractor/auto-login/route.ts
lp_consent_posture

POSTURE_COOKIE (lib/consent-posture.ts)

HTTP cookie1 hour (re-resolved on later navigations)Geo-resolved consent posture (`opt_in` | `opt_out`) set by the edge proxy so the client applies the correct default set before first paint. Consent-preference storage.Attributes: sameSite=lax; path=/; secure (prod); not httpOnly (read by consent boot script); maxAge=3600Coarse country/region only; no precise location is stored. Selects the client default posture; never gates API, auth, or lead routing.Strictly necessaryAdministration; Advertisers; Contractors; Homeowner intake & tracker; Visitors / directoryStrictly necessary (exempt from consent)proxy.ts (resolveConsentPosture from Vercel edge geo)
lp_gpcHTTP cookie1 hourRecords that the request carried the recognized Global Privacy Control signal (Sec-GPC: 1). Server-side awareness hint; the client also detects navigator.globalPrivacyControl.Attributes: sameSite=lax; path=/; secure (prod); not httpOnly; maxAge=3600Only set when the browser sends Sec-GPC: 1. Forces the optional advertising / third-party dimension off; never disables operational analytics or necessary functions.Strictly necessaryAdministration; Advertisers; Contractors; Homeowner intake & tracker; Visitors / directoryStrictly necessary (exempt from consent)proxy.ts (reads Sec-GPC header)
sb-* (Supabase auth/refresh)HTTP cookiePer Supabase Auth config (refresh/access split)Supabase-managed authentication and refresh tokens for SSR session continuity.Attributes: httpOnly + secure attributes set by `@supabase/ssr` per environmentTouches every audience because the SSR helper hydrates per request. Values only persist on authenticated users.Strictly necessaryAdministration; Advertisers; Contractors; Visitors / directoryStrictly necessary (exempt from consent)lib/supabase/server.ts; lib/supabase/middleware.ts
sewer_lead_token

LEAD_TOKEN_COOKIE (lib/app-context.tsx)

HTTP cookie7 days (rolling)Stores the homeowner lead access token set in the browser so quote requests resume after reload (track view, continuation links). Written from client JavaScript, not HttpOnly.Attributes: path=/; SameSite=Lax; ~7-day Expires via document.cookieCleared when the user clears the active request or submits a new intake per app logic; not readable by SSR first-party middleware as HttpOnly=false.Strictly necessaryHomeowner intake & tracker; Visitors / directoryStrictly necessary (exempt from consent)lib/app-context.tsx (`setTokenCookie` / `clearTokenCookie`)
sidebar_state

SIDEBAR_COOKIE_NAME / SIDEBAR_COOKIE_MAX_AGE (components/ui/sidebar.tsx)

HTTP cookie7 daysRemembers collapsed vs expanded sidebar layout for dashboards using the sidebar shell component (non-HttpOnly UI preference cookie).Attributes: path=/; max-age=604800 (~7 days)Functional / preferenceAdministration; Advertisers; ContractorsNo prior notice todaycomponents/ui/sidebar.tsx (`SidebarProvider` setOpen persistence)
liningpro_admin_session

ADMIN_SESSION_KEY

localStorageUntil the admin signs out or clears site dataClient-side mirror of admin login state so the admin shell can render without an extra round-trip.The HTTP-only `admin_session` cookie remains the source of truth. This flag is informational for the SPA only.Functional / preferenceAdministrationAdmin-only pathwaycomponents/admin-login-dialog.tsx (line 17); lib/app-context.tsx (line 143); components/footer.tsx
liningpro_invite_pending

INVITE_STORAGE_KEY (lib/app-context.tsx:85)

localStorage30 daysPersist contractor invite payload across page refreshes / login so the user is not bounced out of the invite acceptance flow.Written when an admin-issued invite link is opened. Cleared on success or after expiry.Functional / preferenceContractors; Visitors / directoryNo prior notice todaylib/app-context.tsx (line 99)
liningpro_talk_sidebar_seen_v1

STORAGE_KEY (lib/talk/sidebar-seen.ts:8)

localStorageUntil cleared by the userTracks which Contractor Talk categories / topics the contractor has already viewed so the sidebar can hide "new" pips.Functional / preferenceContractorsNo prior notice todaylib/talk/sidebar-seen.ts (line 50)
liningpro-theme

THEME_STORAGE_KEY (components/theme-provider.tsx:16)

localStorageUntil cleared by the userStores the user-selected light / dark / system theme so the preference survives reloads.Generally accepted as functional / preference under EDPB guidance (minimal data, no profiling).Functional / preferenceAdministration; Advertisers; Contractors; Homeowner intake & tracker; Visitors / directoryNo prior notice todaycomponents/theme-provider.tsx (line 91)
lp_accessibility_prefs_v1

ACCESSIBILITY_PREFS_KEY (lib/accessibility-preferences.ts)

localStorageUntil cleared by userVisitor-controlled accessibility tool preferences (text scale, high contrast, enhanced focus, underline links, reduce motion). Applied via data attributes on documentElement.Opened from the Accessibility tools floating button on public pages. Not shown in admin console or embed routes.Functional / preferenceAdvertisers; Contractors; Homeowner intake & tracker; Visitors / directoryVisitor-initiated on-page toollib/accessibility-preferences.ts (`writeAccessibilityPreferences`)
lp_admin_contractor_seen

SEEN_KEY (components/admin-analytics-left-panel.tsx:16)

localStorageUntil cleared by the adminAdmin-only "last viewed" timestamp map for contractor analytics rows so the admin can see which contractors they have already reviewed.Functional / preferenceAdministrationAdmin-only pathwaycomponents/admin-analytics-left-panel.tsx (line 25)
lp_analytics_anon_id

ANON_ID_KEY (lib/analytics-tracker.ts:10)

localStoragePersistent until the user clears site dataStable random UUID identifying the device for first-party operational analytics joins (page views, session continuity).First-party operational analytics. In opt_out regions it is written by default and stops on operational opt-out; in opt_in regions (California, EU, EEA, UK, unknown geo) it is not written until the visitor Accepts. Opting out does not delete records already collected.First-party operational analyticsAdvertisers; Contractors; Homeowner intake & tracker; Visitors / directoryFirst-party operational analytics (default-on in opt-out regions; opt-out available)lib/analytics-tracker.ts (`getAnonymousId`)
lp_analytics_consent_v2

privacyConsentKeys.optionalTracking (lib/privacy-consent.ts)

localStorageUntil cleared by userOptional advertising / third-party tracking decision (`granted` | `denied`). Gates the Vercel Analytics mount and any future advertising pixels. Off unless granted; GPC forces off.Written when the visitor clicks Accept or Reject on the cookie banner or changes the optional advertising / third-party toggle in Manage Choices. Legacy `lp_analytics_opt_out_v1 === true` reads as denied.Functional / preferenceAdvertisers; Contractors; Homeowner intake & tracker; Visitors / directoryBrowser-only modal acknowledgementlib/privacy-consent.ts (`acceptOptionalCookies` / `rejectOptionalCookies` / `setOptionalTracking`)
lp_analytics_opt_out_v1

privacyConsentKeys.analyticsOptOut (lib/privacy-consent.ts)

localStorageUntil cleared by userLegacy opt-out flag. Read as optional advertising / third-party tracking denied.Retained for back-compat migration. Set true on Reject; treated as optional-tracking denied.Functional / preferenceAdvertisers; Contractors; Homeowner intake & tracker; Visitors / directoryBrowser-only modal acknowledgementlib/privacy-consent.ts
lp_analytics_session_expiry

SESSION_EXPIRY_KEY (lib/analytics-tracker.ts:12)

localStorage30-minute sliding window of activityTracks the end of the operational analytics session so the next event after 30m of idle generates a new session id.Written when first-party operational analytics is active (`hasOperationalAnalyticsConsent()`): default-on in opt_out regions, after Accept in opt_in regions.First-party operational analyticsAdvertisers; Contractors; Homeowner intake & tracker; Visitors / directoryFirst-party operational analytics (default-on in opt-out regions; opt-out available)lib/analytics-tracker.ts
lp_consent_recorded_at_v1

privacyConsentKeys.consentRecordedAt (lib/privacy-consent.ts)

localStorageUntil clearedISO timestamp of the last banner / preference-change event for UX display and audits.Functional / preferenceAdvertisers; Contractors; Homeowner intake & tracker; Visitors / directoryBrowser-only modal acknowledgementlib/privacy-consent.ts
lp_consent_subject_idlocalStorageUntil cleared by userPseudonymous id that correlates a browser’s consent decisions in the audit ledger (disclaimer_acceptances) before analytics starts.Created when a consent decision is logged, so the compliance trail can group repeated Accept/Reject/GPC events from the same browser.Functional / preferenceAdvertisers; Contractors; Homeowner intake & tracker; Visitors / directoryBrowser-only modal acknowledgementlib/log-legal-consent-client.ts (`getOrCreateConsentSubjectId`)
lp_contractor_platform_disclaimer_ack_v1

CONTRACTOR_PLATFORM_DISCLAIMER_STORAGE_KEY (lib/contractor-platform-disclaimer.ts:5)

localStorageUntil the contractor clears site dataOptional UX cache after the contractor dismisses the dashboard platform-features modal; eligibility remains governed by platform_features_disclaimer_* plus disclaimer_acceptances rows.Server audit: POST /api/contractor/acknowledge-platform-disclaimer → contractor_platform_features ledger rows (see docs/ADMIN_LEGAL_PRIVACY_COMPLIANCE.md). If site data is cleared, the modal may reappear until server-side generation still matches.Functional / preferenceContractorsBrowser-only modal acknowledgementlib/contractor-platform-disclaimer.ts (line 22)
lp_cookie_notice_dismissed_v1

privacyConsentKeys.cookieNoticeDismissed (lib/privacy-consent.ts)

localStorageUntil clearedRemembers that the informational cookie/analytics banner was dismissed so it is not reshown every visit.Dismissal is not persisted server-side; clearing storage may reshow the banner.Functional / preferenceAdvertisers; Contractors; Homeowner intake & tracker; Visitors / directoryNo prior notice todaylib/privacy-consent.ts; components/cookie-notice-banner.tsx
lp_embedded_content_v1

privacyConsentKeys.embeddedContent (lib/privacy-consent.ts)

localStorageUntil cleared by userEmbedded third-party content decision (`granted` | `denied`). Gates third-party map tiles. Off unless granted.Written when the visitor accepts optional cookies or toggles embedded third-party content in Manage Choices. Governs the MapLibre / OpenFreeMap tile load in components/directory-map-view.tsx.Functional / preferenceAdvertisers; Contractors; Homeowner intake & tracker; Visitors / directoryBrowser-only modal acknowledgementlib/privacy-consent.ts (`setEmbeddedContent` / `acceptOptionalCookies` / `rejectOptionalCookies`)
lp_operational_analytics_v1

privacyConsentKeys.operationalAnalytics (lib/privacy-consent.ts)

localStorageUntil cleared by userFirst-party operational analytics decision (`granted` | `denied`). When unset, the geo posture decides: on in opt_out regions, off in opt_in regions until Accept.Set when the visitor toggles first-party operational analytics in Manage Choices, or when Accept/Reject is pressed in an opt_in region. Opting out stops new operational analytics from this browser; it does not delete records already collected.Functional / preferenceAdvertisers; Contractors; Homeowner intake & tracker; Visitors / directoryBrowser-only modal acknowledgementlib/privacy-consent.ts (`setOperationalAnalytics` / `acceptOptionalCookies` / `rejectOptionalCookies`)
auto_nav_shown_<leadId>sessionStorageBrowser tab sessionPer-request gate so mobile lead tracker UX auto-opens the assignments pane exactly once during the lifecycle of `currentLead`.Dynamic suffix is the homeowner lead UUID/identifier from state, not enumerated ahead of creation.Functional / preferenceHomeowner intake & tracker; Visitors / directoryNo prior notice todaycomponents/lead-tracker.tsx (sessionStorage prefix `auto_nav_shown_${currentLead.id}`)
liningpro_pending_reviewsessionStorageBrowser tab sessionBridging flag from SSR profile wrapper → client SPA so reviewer UI can open reliably when `?review=true` lands on contractor profile routes.Functional / preferenceVisitors / directoryNo prior notice todaycomponents/contractor-profile-wrapper.tsx (set); components/contractor-profile.tsx (consumes/remove)
lp_admin_pending_deep_link

ADMIN_PENDING_DEEP_LINK_KEY (lib/admin-url-params.ts)

sessionStorageBrowser tab sessionCaches admin URL-derived payload before auth completes so the shell can hydrate the correct dashboard section/listing row after MFA sign-in.Structured JSON serialized as a string payload.Security / authAdministrationAdmin-only pathwaylib/app-context.tsx; components/admin-login-dialog.tsx
lp_analytics_session_id

SESSION_ID_KEY (lib/analytics-tracker.ts:11)

sessionStorageTab session (cleared when the tab closes)Per-tab session identifier so first-party operational analytics can group page views.Written when first-party operational analytics is active (`hasOperationalAnalyticsConsent()`): default-on in opt_out regions, after Accept in opt_in regions.First-party operational analyticsAdvertisers; Contractors; Homeowner intake & tracker; Visitors / directoryFirst-party operational analytics (default-on in opt-out regions; opt-out available)lib/analytics-tracker.ts (`setSessionId`)
lp_cleaner_signup_strip_dismissed_v1

CLEANER_SIGNUP_STRIP_DISMISSED_SESSION_KEY (lib/cleaner-signup-strip-persistence.ts)

sessionStorageBrowser tab session until return to `/cleaner`Remembers “I’m not interested” on the cleaner signup return strip; cleared when the visitor returns to `/cleaner`.Functional / preferenceVisitors / directoryNo prior notice todaycomponents/cleaner-return-to-signup-bar.tsx
lp_gpc_audit_loggedsessionStorageBrowser tab sessionOne-shot guard so the GPC opt-out audit event is recorded once per session, not on every page render.Functional / preferenceAdvertisers; Contractors; Homeowner intake & tracker; Visitors / directoryNo prior notice todaycomponents/app-shell.tsx (GPC audit effect)
lp_pending_contractor_classified_nav

LP_PENDING_CONTRACTOR_CLASSIFIED_NAV (lib/app-context.tsx)

sessionStorageBrowser tab sessionSignals that an equipment-classifieds user tapped inquiries on mobile before auth so the SPA can open contractor classified inquiries once after session restore on `/`.Functional / preferenceContractors; Visitors / directoryNo prior notice todaycomponents/mobile-nav.tsx; lib/app-context.tsx (consumption helper)
lp_session_sourcesessionStorageTab sessionKeeps normalized traffic source attribution on the operational analytics session_join payload for session_init events.Written when first-party operational analytics is active (`hasOperationalAnalyticsConsent()`): default-on in opt_out regions, after Accept in opt_in regions.First-party operational analyticsAdvertisers; Contractors; Homeowner intake & tracker; Visitors / directoryFirst-party operational analytics (default-on in opt-out regions; opt-out available)lib/analytics-tracker.ts (`initAnalyticsSession`)
lp_session_visited_cleaner_campaign_v1

CLEANER_CAMPAIGN_VISITED_SESSION_KEY (lib/cleaner-signup-strip-persistence.ts)

sessionStorageBrowser tab sessionSet when the visitor opens the `/cleaner` contractor signup campaign so a compact header strip can offer return navigation after they leave.Functional / preferenceVisitors / directoryNo prior notice todayhooks/use-cleaner-return-to-signup-strip.ts
sewer_lead_cleared

LEAD_CLEARED_KEY (lib/app-context.tsx)

sessionStorageBrowser tab sessionOne-shot marker so navigating home after intentionally clearing an active residential lead does not immediately pull the old token cookie back onto the resumed session shell.Functional / preferenceHomeowner intake & tracker; Visitors / directoryNo prior notice todaylib/app-context.tsx (hydration bootstrap + CLEAR_LEAD path)