Cookie Policy
Last updated: May 2026
1. What Are Cookies
Cookies are small text files stored on your device when you visit a website. Some websites also use related technologies — like localStorage or sessionStorage — to remember information between visits. This policy covers all such storage.
2. Our Approach — Cookieless Analytics, No Tracking Banner
TinyBear uses only strictly necessary cookies and storage. We do not use advertising, marketing or cross-site tracking cookies.
We do run product analytics, but only in a privacy-preserving form:
- Self-hosted on our own EU infrastructure — no third-party processor receives your visit data.
- Cookieless — no analytics cookies are set on your device. No persistent visitor profile.
- No personally identifying information — events do not include your email, name, your child's name, story content, or your IP address. Where we need to correlate a session for a signed-in user, we send a one-way HMAC of your account ID with a server-side secret; that value is not reversible to your account without the secret.
- No cross-site tracking, no advertising tags, no fingerprinting.
We use this only to understand which features work (e.g. "what % of visitors finish the signup", "do users come back to listen to a second episode"). We do not sell or share this data.
Under EU ePrivacy rules (and equivalent guidance in the UK and EEA), explicit consent is only required for non-essential storage. Because everything we set on your device is either essential to running the service you asked for, essential for security, or essential to a payment you initiated — and our analytics sets nothing on your device — we do not display a cookie consent banner.
If you would like to opt out of analytics anyway, set the Do Not Track signal in your browser; we honour navigator.doNotTrack === '1' and skip event collection entirely when it is set.
We do not "sell" or "share" personal information for cross-context behavioural advertising under California / US-state-privacy laws (see Privacy Policy §11).
3. First-Party Cookies and Storage (set on every page)
| Name | Type | Purpose | Lifetime |
|---|---|---|---|
NEXT_LOCALE |
First-party cookie | Remembers your selected language so the site renders in the right locale | 1 year |
| Convex auth tokens | Browser localStorage |
Keeps you signed in and authenticates your requests | Until you sign out (tokens rotate periodically) |
admin-theme |
Browser localStorage (admin area only) |
Remembers your dark/light theme preference inside the admin panel | Until cleared |
password-reset-success |
Browser sessionStorage |
Briefly displays a success message after you reset your password | Cleared when you close the tab |
4. Third-Party Cookies — Per-Page, Strictly Necessary
These third parties may set short-lived cookies, but only on the specific page where their feature is invoked — never site-wide and never for tracking or analytics.
- Cloudflare Turnstile — on the contact form (
/contact) and the waitlist form, Turnstile sets short-lived security cookies (cf_chl_*,cf_clearance) to confirm you are not a bot. These are strictly necessary to keep those forms safe to operate. Governed by Cloudflare's Privacy Policy. - Stripe (activates when paid plans launch — not loaded today) — on the Stripe Checkout page only, Stripe sets cookies for payment-flow integrity and fraud prevention. These are strictly necessary to complete the payment you initiated. Governed by Stripe's Privacy Policy.
Neither Turnstile nor Stripe loads on the rest of the site.
5. What We Do Not Use
- No Google Analytics, Plausible, PostHog, Mixpanel, Hotjar or similar third-party analytics. (Our product analytics is self-hosted on our own EU infrastructure — see §2.)
- No advertising or remarketing cookies (no Meta Pixel, no Google Ads tags, no TikTok pixel).
- No cross-site tracking.
- No fingerprinting.
- No session replay or visitor recording.
6. Managing Cookies
You can control cookies through your browser settings. Disabling essential cookies and storage will prevent you from logging in to TinyBear or remembering your language. Most browsers also let you block third-party cookies, which would prevent the contact form's bot check (and, when active, Stripe Checkout) from working. Consult your browser's help documentation for instructions.
7. Changes to This Policy
We may update this Cookie Policy. For material changes — for example, adding a new cookie or changing the purpose of an existing one — we will give you at least 30 days' advance notice by email to the address on your account, in line with Section 15 of our Terms of Use. For minor editorial changes (typos, clarifications, formatting), we may update without notice; the "Last updated" date at the top will always reflect the current version.
8. Contact
MonkiLabs — contact form