Cookies Policy
This page explains the cookies and similar technologies Building Status NYC uses, what each one does, and how you can control them.
A "cookie" here also means localStorage, sessionStorage, IndexedDB, and anything else the browser persists on your behalf for us. Pixels and tags from our analytics vendor are covered too.
Our cookie posture
- Essential cookies always run — the service cannot function without them. These are not gated on consent because they are "strictly necessary" under the ePrivacy Directive and are treated as a normal part of an authenticated web app.
- Analytics and marketing cookies are gated on your consent if you are in the EU, UK, or California. The cookie banner asks you to accept, reject, or customize before these load.
- Outside the EU, UK, and California, analytics runs by default on a legitimate-interest basis, and you can opt out in your cookie preferences at any time.
Essential cookies
These always run. Without them, sign-in, checkout, and security features do not work.
| Cookie / store | Purpose | Set by | Lifetime |
|---|---|---|---|
| better-auth.session | Authenticated session token | Building Status NYC | Session + up to 30 days |
| better-auth.csrf | CSRF protection for forms and API calls | Building Status NYC | Session |
| theme | Your light/dark theme preference | Building Status NYC | 1 year |
| bldg-consent-region | Which region your cookie banner reflects | Building Status NYC | 30 days |
| bldg-consent | Your cookie-preferences choice | Building Status NYC (localStorage + cookie) | 180 days |
| Stripe __stripe_mid, __stripe_sid | Fraud prevention during checkout | Stripe | 1 year / session |
| Cloudflare __cf_bm (via Vercel edge) | Bot detection and DDoS mitigation | Cloudflare | 30 minutes |
| Vercel __vcd | Edge routing / deployment protection (non-advertising) | Vercel | Session |
Analytics cookies (consent-gated in EU, UK, CA)
| Cookie / store | Purpose | Set by | Lifetime |
|---|---|---|---|
| ph_* (PostHog) | Product analytics — event capture, funnels, feature flags | PostHog | 1 year |
| Vercel Analytics _vercel_analytics | Aggregated page-view metrics | Vercel | Session |
| Vercel Speed Insights | Real User Monitoring (Core Web Vitals) | Vercel | Session |
If you reject these, we do not load PostHog or Vercel Analytics scripts for you, and we do not log event-level analytics.
Marketing cookies
We do not currently run marketing or advertising cookies, and we do not embed third-party ad SDKs. If that changes, we will update this page and the banner before any marketing cookie loads.
Payment cookies
Stripe sets cookies on checkout pages and on our billing pages to prevent payment fraud. These are treated as essential — the checkout does not work without them. We do not receive Stripe cookie data; it goes directly to Stripe.
Security cookies
Cloudflare (via Vercel edge) and our CSRF framework use short-lived cookies to detect bots, throttle abuse, and verify that form posts come from our own pages. These are essential.
Managing your cookies
In our app
- Cookie banner — appears the first time you visit if you are in the EU, UK, or California, or if you have not yet made a choice. Choose "Accept all", "Reject non-essential", or "Preferences".
- Preferences modal — open the preferences modal from the banner or from the footer ("Cookie preferences") at any time. Per-category toggles let you change your mind.
- Account settings — once signed in, /dashboard/settings → Privacy mirrors your choices and adds "Do Not Sell or Share My Personal Information" (we don't sell, but the toggle exists).
In your browser
All major browsers let you block or delete cookies:
Blocking essential cookies may break sign-in or checkout.
Global Privacy Control (GPC)
We honor the Global Privacy Control browser signal. If your browser sends Sec-GPC: 1, we treat that as an opt-out of "sale" or "sharing" for cross-context advertising (which we don't do) and as an opt-out of non-essential analytics in California.
Retention by category
| Category | Retention |
|---|---|
| Essential session / CSRF | Up to 30 days or until sign-out |
| Theme, UI preferences | 1 year |
| Consent choice | 180 days; re-prompt after that |
| Analytics cookies | 12 months at most; we pass cookie_expiration=1y to PostHog |
| Fraud / security (Stripe, Cloudflare) | Vendor-set; see their privacy pages |
Third parties
- Stripe — stripe.com/privacy
- Vercel — vercel.com/legal/privacy-policy
- PostHog — posthog.com/privacy
- Cloudflare — cloudflare.com/privacypolicy
Each of these operates under its own privacy policy. We enter into data-processing agreements with them.
Updates
We may update this policy to reflect new cookies or vendors. The version and effectiveDate at the top of this page are the source of truth. Material changes require a fresh consent prompt.