What we mean by storage
Cookies are small values a website asks a browser to send with later requests. localStorage is a similar browser feature that keeps a value on the device but does not automatically send it with every request. Both can fall under device-storage rules, so this notice describes both rather than calling everything a cookie.
Storage used in the audited version
bytesized_waitlist_attribution (localStorage)
- Category
- Functional / first-party campaign attribution
- Purpose
- Preserves how the visitor reached early access through the requested registration journey.
- Data
- Allowlisted UTM/referral values, external referrer hostname, landing path, captured time, and version; no contact details, resume credential, advertising click ID, or cross-site identifier.
- Duration
- Persists until cleared through browser controls; the server record becomes authoritative after email save.
- When active
- Set on a visit to the ByteSized Careers root or early-access page, before a lead exists.
- Party
- First party; the authentication flow also communicates directly with GitHub.
bytesized_waitlist_resume (localStorage)
- Category
- Functional / requested flow
- Purpose
- Restores a saved early-access brief in the same browser.
- Data
- Opaque lead ID, raw random resume credential, saved-at time.
- Duration
- Browser copy persists until cleared; the server rejects the credential after 30 days.
- When active
- Set after the visitor submits name and email and asks the site to create a registration.
- Party
- First party; the authentication flow also communicates directly with GitHub.
__Secure-authjs.session-token (may be split into numbered cookies)
- Category
- Strictly necessary · admin only
- Purpose
- Maintains an authenticated, allowlisted administrator session.
- Data
- Encrypted/signed session token containing administrator account/session claims.
- Duration
- Up to 30 days of inactivity by the installed Auth.js default.
- When active
- Set only through the restricted admin sign-in flow.
- Party
- First party; the authentication flow also communicates directly with GitHub.
__Host-authjs.csrf-token and __Secure-authjs.callback-url
- Category
- Strictly necessary · admin only
- Purpose
- Protects sign-in requests and returns the administrator to the intended page.
- Data
- Security token and same-site callback location.
- Duration
- Session or flow duration.
- When active
- Set when the restricted admin authentication flow is used.
- Party
- First party; the authentication flow also communicates directly with GitHub.
__Secure-authjs.pkce.code_verifier, __Secure-authjs.state (and a nonce if required)
- Category
- Strictly necessary · admin only
- Purpose
- Prevents OAuth request forgery and binds the GitHub callback to the sign-in attempt.
- Data
- Short-lived, protected OAuth security values.
- Duration
- Generally 15 minutes for PKCE/state; removed or expired after the sign-in flow.
- When active
- Set only when an administrator starts GitHub sign-in.
- Party
- First party; the authentication flow also communicates directly with GitHub.
On localhost, Auth.js uses equivalent cookie names without the HTTPS-only prefixes. The site does not intentionally set the WebAuthn challenge cookie available in the library because WebAuthn is not configured.
Form answers—including an optional phone number and separate WhatsApp, SMS, or call choices—and validated first/last-touch attribution are saved in the server-side waitlist record described in the Privacy Notice. Those choices do not add another cookie or browser-storage item and do not activate tracking or phone communications.
Your controls
You can clear site data through browser settings. Choosing “Start over” after a saved registration is found also removes the resume record. Campaign attribution remains until cleared through browser settings so a later return does not silently become direct. Blocking localStorage may reduce attribution continuity and prevent resume convenience but should not prevent a new registration. Blocking the admin security cookies prevents restricted administrators from signing in.
Clearing the browser copy does not delete the server-side waitlist record. To request access, correction, or deletion, follow the process in the Privacy Notice.
No analytics or advertising storage
Repository inspection found no active analytics, advertising pixels, session replay, behavioural profiling, or cross-site ad measurement. If that changes, ByteSized Careers must update this notice and assess whether prior consent, equal Accept/Reject controls, and a persistent preference control are required in each target market.
Contact and changes
Storage questions may be sent to legal@bytesizedcareers.com. This notice should be reviewed when the public flow, admin authentication, providers, or browser technologies change.