Cookie Policy
Last updated: April 16, 2026
HitScanTCG uses a minimal set of cookies that are necessary to run the Service. We do not use advertising cookies, cross-site tracking, or third-party analytics pixels. This page describes every cookie we set and how you can control them.
1. What Cookies Are
Cookies are small text files stored on your device by your web browser. They let a website remember information about you between visits — for example, that you are logged in. We use only the minimum cookies needed to make HitScanTCG work; we do not use cookies for advertising or for tracking you across other websites.
2. Cookies We Use
| Cookie | Purpose | Expires | Category |
|---|---|---|---|
| htcg_access | Authenticated session — short-lived JWT access token. HttpOnly, Secure, SameSite=Strict. | 15 minutes | Strictly necessary |
| htcg_refresh | Authenticated session — long-lived refresh token. HttpOnly, Secure, SameSite=Strict. | 7 days (free tier), 30 days (Pro) | Strictly necessary |
| htcg_device | Device binding for refresh-token rotation and theft detection. HttpOnly, Secure. | 7 days | Strictly necessary |
| htcg_role | Cached account role (viewer or streamer), used by the UI to route users to the correct dashboard without a round-trip. | 7 days | Strictly necessary |
| htcg_display | Cached display name for topbar rendering without a round-trip. | 7 days | Functional |
| htcg_avatar | Cached avatar URL for topbar rendering without a round-trip. | 7 days | Functional |
| htcg_cookie_consent | Records your cookie banner dismissal or preferences. | 1 year | Strictly necessary |
2.1 Cookie categories explained
- Strictly necessary. Required for the Service to function. Disabling these cookies will break authentication, checkout, and account features. Under most privacy laws (GDPR, CCPA, and equivalent) these cookies do not require user consent.
- Functional. Used to personalize and improve the user experience without tracking. These cookies can be deleted without breaking core functionality; the UI will fetch the underlying data on the next request.
- Privacy-respecting analytics. We use Vercel Web Analytics (cookieless — uses no client-side identifiers) and PostHog (sets a first-party distinct_id cookie / localStorage entry for funnel and conversion analytics). PostHog is configured with person_profiles: identified_only, autocapture disabled, and session recording disabled by default. We use Sentry for error monitoring; Sentry may set a session-replay cookie only when an error occurs, with PII scrubbing enabled. None of these vendors share data with advertising networks.
3. Cookies We Do Not Use
- Advertising cookies. We do not run advertising and do not share data with advertising networks.
- Cross-site tracking cookies. We do not embed tracking pixels from Facebook, Google Ads, LinkedIn, TikTok, or any other advertising platform.
- High-fanout analytics platforms. We do not use Google Analytics, Mixpanel, Segment, Amplitude, or similar high-fanout analytics suites.
- Always-on session replay. We do not continuously record your session. Sentry session replay activates only when an error occurs, and PostHog session recording is disabled.
- Fingerprinting. We do not use browser fingerprinting or device fingerprinting for identification.
4. Third-Party Cookies
Some pages embed third-party services that set their own cookies. These are limited to:
- Stripe (during checkout only) — Stripe.js sets cookies on the checkout page to prevent fraud and support Apple Pay / Google Pay. See Stripe’s cookie policy.
- Cloudflare — our CDN sets a __cf_bm cookie for bot management and DDoS protection. See Cloudflare’s cookie policy.
5. How to Control Cookies
You can control cookies in several ways:
- Browser settings. All modern browsers let you view, block, or delete cookies on a per-site basis. Check your browser’s privacy settings.
- Account logout. Logging out clears the htcg_access, htcg_refresh, htcg_device, and display-cache cookies associated with your session.
- Account deletion. Deleting your account via your account settings or by emailing privacy@hitscantcg.com removes the account record these cookies refer to.
- Browser extensions. Privacy-focused extensions (uBlock Origin, Privacy Badger) do not interfere with our required cookies.
Note: blocking strictly necessary cookies prevents you from using HitScanTCG.
6. Do Not Track
Because we do not track you across sites or use cross-context behavioral advertising, our behavior is the same whether or not your browser sends a "Do Not Track" signal or a Global Privacy Control signal.
7. Updates
If we change the cookies we use, we will update this page and (where the change is material and requires consent) prompt users for consent before enabling the new cookie.
8. Contact
- Questions about cookies and privacy: privacy@hitscantcg.com