Cookie Policy
Last updated April 2026
What are cookies?
Cookies are small text files stored by your browser when you visit a website. They're commonly used to keep users logged in, remember preferences, or track behaviour across sessions.
Cookies Wishlist uses
Wishlist uses a small number of strictly-essential cookies — for authentication, CSRF protection, and so anonymous gift-givers can undo their own reservations on shared wishlists. No tracking, analytics, advertising, or third-party cookies are used at any point.
| Name | Purpose | Lifetime | When set |
|---|---|---|---|
| wishlist.session-token | Keeps you logged in between page loads. | 30 days | On sign-in |
| wishlist.csrf-token | Protects sign-in / sign-out forms against cross-site request forgery. | Session | On any auth page |
| wishlist.callback-url | Remembers where you were heading when sign-in was required, so you land back there afterwards. | Session | On any auth page |
| wishlist-reserver | An opaque random value so the same browser can later undo its own reservations on a shared wishlist. Only a SHA-256 hash of this value is stored server-side. | 1 year | On first reserve action |
All cookies are HttpOnly (not accessible to JavaScript), SameSite=Lax (protected against cross-site request forgery), and in production are also Secure (only sent over HTTPS).
localStorage (not a cookie)
Wishlist also stores one small value in your browser's localStorage: the version number you last saw the changelog for. This controls the pulsing “new” dot next to the version in the footer. It's not a cookie, never leaves your device, and is not used to identify or track you.
Cookies we do not use
- Analytics cookies (Google Analytics, Plausible, Mixpanel, etc.)
- Advertising or retargeting cookies
- Social media tracking pixels
- Third-party cookies of any kind
Do I need to consent?
Under GDPR, essential cookies that are strictly necessary to provide a service you have requested do not require prior consent. Every cookie listed above falls into that category — they are required for sign-in, security, or for an action you took (clicking “I'll get this” on a shared wishlist) — so no cookie consent banner is shown.
How to control cookies
You can delete or block cookies at any time through your browser settings. Note that deleting the session cookie will log you out of Wishlist; blocking it will prevent you from logging in. Deleting the reserver cookie will mean you can no longer undo reservations you made earlier from the same browser.
Logging out via the “Sign out” button also clears the session cookie.
Changes to this policy
If we ever add additional cookies we will update this page and the “last updated” date at the top before doing so.
© 2026 NoobVenture