We use the smallest possible number of cookies and local-storage keys. No third-party ad trackers, no cross-site identifiers, no session replay. Everything on this page can be turned off by clearing your browser storage or using private-mode — the app will continue to function, you will just have to log in again.
| name | type | purpose | duration |
|---|---|---|---|
| access_token | necessary | Short-lived JWT used to authenticate API requests. HttpOnly, Secure, SameSite=strict. | 15 min |
| refresh_token | necessary | HttpOnly refresh credential, scoped to /api/auth only. Rotated on every refresh. | 14 days |
| __cf_bm | necessary | Cloudflare bot-management cookie, set by our CDN for DDoS and abuse protection. | 30 min |
| cf_clearance | necessary | Cloudflare challenge-passed cookie, set once after a legitimate visitor clears a challenge. | up to 1 year |
Local-storage is not technically a cookie but is listed here for transparency. All keys are scoped to tradefloor.co origin and never transmitted to any third party.
| key | purpose |
|---|---|
| tf_hv | Deterministic hero-variant assignment for A/B landing experiments. |
| tf_experiments | Persisted experiment bucket for any active in-app A/B (e.g. onboarding-tour). |
| tf_journal_goal_{YYYY}_{MM} | Your per-month PnL goal in the journal. Opt-in, set by you. |
| tf_journal_playbook | Your trading rules in the Playbook tab. Your data, stored client-side. |
| tf_tag_presets_dismissed | Flag that you dismissed the preset-tag suggestions in the journal. |
We run a first-party, self-hosted product-analytics pipeline keyed by anonymous user id for core feature usage. That pipeline is documented in our privacy policy.
All standards-compliant browsers allow you to block cookies and clear local-storage from settings. For per-site control use the browser lock icon in the address bar. Disabling the necessary cookies will log you out — the product otherwise continues to work.
We revise this page whenever we change what we store. The "last revised" date at the top of this page is authoritative.
// questions · [email protected] · full privacy policy · /app/privacy