This page explains which cookies and local storage entries LexiMint uses, why, and how you can control them. You are always in charge.
Last updated 2026
These cookies are required for LexiMint to function. They keep you logged in and protect against cross-site request forgery. They cannot be turned off and are never used for advertising.
Keeps you logged in. Set when you sign in and cleared when you sign out or after 30 days. In production, prefixed as __Secure-authjs.session-token.
A security token that prevents malicious websites from submitting requests on your behalf. In production, prefixed as __Secure-authjs.csrf-token.
Temporarily stores the page you were visiting before sign-in, so you are redirected back after authentication.
Your cookie consent choices are stored in browser local storage (not as a cookie). If you are signed in, the same preference is mirrored to your account so it follows you across devices. It determines which optional services initialize.
A JSON object in localStorage storing your analytics, ad measurement and error monitoring preferences. Contains no personal data.
If you consent, we use PostHog to understand how players discover and use LexiMint, for example which features are most used or where players get stuck. PostHog is only loaded after you grant consent. No advertising data is collected and no data is sold.
First-party cookie storing a unique anonymous session identifier and feature flag data.
PostHog also stores session data in browser localStorage for persistence across tabs. This data is never sent to third parties.
If you consent, we load the Google Ads tag to understand whether paid Google traffic reaches LexiMint and how those visits perform at a basic level. The tag is only loaded after marketing consent. We do not sell your data.
Google Ads conversion measurement identifiers set after marketing consent.
Sentry captures anonymous crash reports to maintain application stability. This runs under GDPR legitimate interest (Art. 6(1)(f)). By default, no personally identifiable information is collected: emails are stripped, IP addresses are discarded. Sentry does not set persistent tracking cookies. If you additionally grant error monitoring consent, your anonymous user ID (never email) is attached to help diagnose user-specific issues.
No cookies or persistent tracking data set.
A privacy-preserving CAPTCHA alternative that verifies form submissions come from real humans. Turnstile runs silently, without visual puzzles. Cloudflare may set short-lived tokens during the verification challenge.
Short-lived token set by Cloudflare during bot verification. Automatically expires after the challenge window.
When you start a purchase (FOIL pack, LexiPass, Founder bundle), Stripe Checkout is loaded and may set its own cookies on stripe.com (third-party context) for fraud prevention and to maintain the checkout session. These cookies are set only during an active checkout flow and are governed by Stripe's privacy policy. LexiMint does not store your payment card details on its own servers.
Stripe-managed identifiers used for fraud detection and session continuity during checkout. Set by stripe.com, not by LexiMint.