ByteSized Careers

ByteSized Careers · Early access

Early Access Storage Notice

The current public experience has no advertising storage. It keeps a small first-party campaign-attribution record and, after registration begins, a resume record; restricted admin authentication uses security cookies.

Effective 17 July 2026 · Last updated 17 July 2026

What we mean by storage

Cookies are small values a website asks a browser to send with later requests. localStorage is a similar browser feature that keeps a value on the device but does not automatically send it with every request. Both can fall under device-storage rules, so this notice describes both rather than calling everything a cookie.

Storage used in the audited version

bytesized_waitlist_attribution (localStorage)

Category
Functional / first-party campaign attribution
Purpose
Preserves how the visitor reached early access through the requested registration journey.
Data
Allowlisted UTM/referral values, external referrer hostname, landing path, captured time, and version; no contact details, resume credential, advertising click ID, or cross-site identifier.
Duration
Persists until cleared through browser controls; the server record becomes authoritative after email save.
When active
Set on a visit to the ByteSized Careers root or early-access page, before a lead exists.
Party
First party; the authentication flow also communicates directly with GitHub.

bytesized_waitlist_resume (localStorage)

Category
Functional / requested flow
Purpose
Restores a saved early-access brief in the same browser.
Data
Opaque lead ID, raw random resume credential, saved-at time.
Duration
Browser copy persists until cleared; the server rejects the credential after 30 days.
When active
Set after the visitor submits name and email and asks the site to create a registration.
Party
First party; the authentication flow also communicates directly with GitHub.

__Secure-authjs.session-token (may be split into numbered cookies)

Category
Strictly necessary · admin only
Purpose
Maintains an authenticated, allowlisted administrator session.
Data
Encrypted/signed session token containing administrator account/session claims.
Duration
Up to 30 days of inactivity by the installed Auth.js default.
When active
Set only through the restricted admin sign-in flow.
Party
First party; the authentication flow also communicates directly with GitHub.

__Host-authjs.csrf-token and __Secure-authjs.callback-url

Category
Strictly necessary · admin only
Purpose
Protects sign-in requests and returns the administrator to the intended page.
Data
Security token and same-site callback location.
Duration
Session or flow duration.
When active
Set when the restricted admin authentication flow is used.
Party
First party; the authentication flow also communicates directly with GitHub.

__Secure-authjs.pkce.code_verifier, __Secure-authjs.state (and a nonce if required)

Category
Strictly necessary · admin only
Purpose
Prevents OAuth request forgery and binds the GitHub callback to the sign-in attempt.
Data
Short-lived, protected OAuth security values.
Duration
Generally 15 minutes for PKCE/state; removed or expired after the sign-in flow.
When active
Set only when an administrator starts GitHub sign-in.
Party
First party; the authentication flow also communicates directly with GitHub.

On localhost, Auth.js uses equivalent cookie names without the HTTPS-only prefixes. The site does not intentionally set the WebAuthn challenge cookie available in the library because WebAuthn is not configured.

Form answers—including an optional phone number and separate WhatsApp, SMS, or call choices—and validated first/last-touch attribution are saved in the server-side waitlist record described in the Privacy Notice. Those choices do not add another cookie or browser-storage item and do not activate tracking or phone communications.

Your controls

You can clear site data through browser settings. Choosing “Start over” after a saved registration is found also removes the resume record. Campaign attribution remains until cleared through browser settings so a later return does not silently become direct. Blocking localStorage may reduce attribution continuity and prevent resume convenience but should not prevent a new registration. Blocking the admin security cookies prevents restricted administrators from signing in.

Clearing the browser copy does not delete the server-side waitlist record. To request access, correction, or deletion, follow the process in the Privacy Notice.

No analytics or advertising storage

Repository inspection found no active analytics, advertising pixels, session replay, behavioural profiling, or cross-site ad measurement. If that changes, ByteSized Careers must update this notice and assess whether prior consent, equal Accept/Reject controls, and a persistent preference control are required in each target market.

Contact and changes

Storage questions may be sent to legal@bytesizedcareers.com. This notice should be reviewed when the public flow, admin authentication, providers, or browser technologies change.