Finto runs in two places: the public website at www.finto.fun and the authenticated app at app.finto.fun. They have different storage and tracking footprints, so this page breaks them out separately. We do not use Google Analytics, Google Tag Manager, the Meta Pixel, LinkedIn Insight, Hotjar, or any cross-site advertising tracker on either site.
1. Public website (www.finto.fun)
Cookies
www.finto.fun does not set any cookies of its own.
Our hosting provider (Vercel) may set short-lived technical
cookies if you trigger their built-in protections — for example
a challenge cookie during a DDoS event. Those are strictly
necessary, set without your input, and we have no ongoing access
to them.
Local storage
The public site itself does not write anything to your
browser’s localStorage. The site follows your
operating system’s light-or-dark preference automatically;
there is no in-page theme toggle and no theme key. On your next
visit we proactively delete the legacy finto-theme
key from earlier versions if it is still present.
Analytics on the public site
We use Vercel Web Analytics and Vercel Speed Insights. They are Vercel’s first-party tools:
- Vercel sets no cookies and stores no fingerprint of your device or browser.
- No identifier is shared with any third party, and no profile is built across sites.
- What gets collected: the URL you visited, a coarse country code, the type of device and browser family, and Core Web Vitals timings (load time, layout stability, input responsiveness).
We also use PostHog (US) for cookieless product analytics, to understand how this page performs and why visitors do or don’t continue to the app:
- No cookies and no local storage — PostHog runs in memory only, so nothing persists after you close the tab, and there is no session recording.
- What gets collected: anonymous page views, which buttons/links are clicked, how far the page is scrolled, page-load performance, the device/browser family, the referring site, and any campaign tags in the URL (e.g. utm_source). No name, email, phone, or other direct personal data.
- It honours your browser’s Do-Not-Track / Global Privacy Control signal, and builds no cross-site advertising profile.
TikTok Pixel (conditional)
When ad measurement is turned on at build time, the public site
loads the TikTok Pixel (the “Finto Website Pixel”) so
we can measure how our TikTok ads perform. The pixel is gated on a
build-time environment variable; when that variable is unset, none
of the TikTok script is emitted and the page renders as if the
pixel did not exist. When the pixel is loaded, the only event we
send is the standard SubmitForm event after a
confirmed waitlist signup, with no parameters — no email, no
phone, no name, no other direct personal data. The TikTok Pixel
script is provided by TikTok and may set or read its own browser
identifiers under TikTok’s own policies. For details on what
TikTok does with that data, see TikTok’s privacy materials.
Third parties on the public site
The third parties involved in serving this page are Vercel (hosting, edge network, Web Analytics, Speed Insights), Google Fonts (the Inter and Inter Tight typefaces), and, when the TikTok Pixel is enabled, TikTok (the script described above). We do not load the Meta Pixel, Google Ads, LinkedIn Insight, Hotjar, chat widgets, or social embeds. Google Fonts and TikTok may log basic request metadata under their own policies; we do not receive that data.
2. Authenticated app (app.finto.fun)
Authentication state
Once you sign in, Firebase Authentication manages your session.
Depending on the persistence mode supported by your browser, your
sign-in state may be kept in IndexedDB and/or
localStorage by the Firebase Auth SDK. These keys are
necessary for staying signed in across page reloads. Signing out
clears them.
Local storage
The app writes a small number of named keys to your browser’s
localStorage for non-essential UX state. As of the
date at the top of this page, the only such key is:
- finto.onboardingTourSeen — a flag remembering that you have completed the 3-step onboarding tour, so we don’t show it again on next sign-in.
You can clear this key from your browser settings at any time; the only consequence is that the tour will be shown again on your next sign-in.
Session storage
The app writes one key to your browser’s
sessionStorage (cleared when you close the tab):
- finto:invite_funnel_session_id — a UUID minted once per tab to correlate the four events of the invite-funnel that happen before you sign in (link viewed, signup started, auth completed, join completed). It is not used for advertising and not shared across tabs or sessions.
Analytics in the app
The authenticated app does not load Vercel Web Analytics, Vercel Speed Insights, the TikTok Pixel, Google Analytics, Google Tag Manager, the Meta Pixel, LinkedIn Insight, Hotjar, or any other cross-site tracker. Server-side, our backend functions log technical events (success, denied, rate-limited) for debugging. Where logs would otherwise contain a full email address, we log only the email domain.
Third-party identity providers
Sign-in is handled by Firebase Authentication. If you choose Google Sign-In or (on iOS) Sign in with Apple, Google or Apple receive the standard OAuth exchange under their own privacy policies; once the exchange completes, the rest of your session is held in Firebase Auth as described above.
3. What may change at launch
As features ship, we may add:
- A small number of named, first-party analytics events (such as “prediction submitted”), still without personal data.
- Additional UX-state keys for in-app preferences (these will be added to the lists above when they ship).
If we ever add anything that requires consent under EU or UK ePrivacy rules, we will publish a clear consent banner before doing so and update this page. We’re not putting up a fake consent banner pre-emptively while there is nothing to consent to.
4. Your controls
- Block cookies and storage for either www.finto.fun or app.finto.fun in your browser settings. The public site will keep working; the app needs Firebase Auth’s session storage to keep you signed in.
- Switch your operating system between light and dark mode. Both sites pick that up automatically.
- Use a content blocker if you want to block Google Fonts. The public site will fall back to your system fonts.
- Sign out of the app to clear Firebase Auth session state. Use Settings → Danger zone → Request deletion to remove your account; see Data deletion.
5. Contact
Questions about this page: hello@finto.fun.