This page explains which cookies and local storage entries LexiMint uses, why, and how you can control them. You are always in charge.
Last updated 2026
These cookies are required for LexiMint to function. They keep you logged in and protect against cross-site request forgery. They cannot be turned off and are never used for advertising.
Keeps you logged in. Set when you sign in and cleared when you sign out or after 30 days. In production, prefixed as __Secure-authjs.session-token.
A security token that prevents malicious websites from submitting requests on your behalf. In production, prefixed as __Secure-authjs.csrf-token.
Temporarily stores the page you were visiting before sign-in, so you are redirected back after authentication.
Your cookie consent choices are stored in browser local storage (not as a cookie). This entry is never sent to our servers. It is read client-side to determine which optional services to initialize.
A JSON object in localStorage storing your analytics and error monitoring preferences. Contains no personal data.
If you consent, we use PostHog to understand how players discover and use LexiMint, for example which features are most used or where players get stuck. PostHog is only loaded after you grant consent. No advertising data is collected and no data is sold.
First-party cookie storing a unique anonymous session identifier and feature flag data.
PostHog also stores session data in browser localStorage for persistence across tabs. This data is never sent to third parties.
Sentry captures anonymous crash reports to maintain application stability. This runs under GDPR legitimate interest (Art. 6(1)(f)). By default, no personally identifiable information is collected: emails are stripped, IP addresses are discarded. Sentry does not set persistent tracking cookies. If you additionally grant error monitoring consent, your anonymous user ID (never email) is attached to help diagnose user-specific issues.
No cookies or persistent tracking data are set.
A privacy-preserving CAPTCHA alternative that verifies form submissions come from real humans. Turnstile runs silently, without visual puzzles. Cloudflare may set short-lived tokens during the verification challenge.
Short-lived token set by Cloudflare during bot verification. Automatically expires after the challenge window.
When you start a purchase (FOIL pack, LexiPass, Founder bundle), Stripe Checkout is loaded and may set its own cookies on stripe.com (third-party context) for fraud prevention and to maintain the checkout session. These cookies are set only during an active checkout flow and are governed by Stripe's privacy policy. LexiMint does not store your payment card details on its own servers.
Stripe-managed identifiers used for fraud detection and session continuity during checkout. Set by stripe.com, not by LexiMint.