Legal / Engineering Reference
How We Use Cookies & Local Storage
This document explains — at the key/value level — which browser storage primitives are created when you load polymarketcopybot.com, when they are written, how long they live, and how to wipe them. Unlike a template policy, it stays in sync with the production code that ships to the dashboard.
- 7 first-party cookies
- 4 localStorage keys
- 0 advertising pixels
- ~9KB total storage footprint
The 30-second summary
- We do not use advertising cookies or retargeting pixels.
- We do not share cookie identifiers with data brokers.
- Your wallet address is stored in localStorage, never in a cookie sent to our servers.
- Copy-bot settings (position size, tracked wallets, auto-sell targets) persist in localStorage and only leave your browser when you explicitly sync them.
- The Polygon RPC endpoints we call (public nodes, Alchemy) set their own short-lived cookies; we do not control those.
1. Storage taxonomy we actually use
Session cookies
Required. HttpOnly + Secure. Destroyed the moment you close the browser. Used exclusively to authenticate your wallet signature against our API.
Persistent cookies
Required. CSRF tokens, chosen language (pmc_lang), and Cloudflare's bot-check cookie (__cf_bm). TTL: 30 minutes to 1 year.
localStorage
Device-local. Never transmitted to our servers. Stores: connected wallet, theme, last-viewed trader profile, compact UI mode. Survives browser close, cleared via dashboard settings.
sessionStorage
Tab-scoped. Stores the in-memory trade plan while you are configuring the bot. Flushed when you close the tab or click "Reset configuration".
2. Exact first-party cookies we set
Below is the literal cookie jar as seen in Chrome DevTools (Application → Storage → Cookies) after a fresh login with MetaMask on the .polymarketcopybot.com domain.
| Name | Purpose | TTL | Flags | Type |
|---|---|---|---|---|
| pmc_sess | Signed session ticket linked to your wallet signature | Session (≤ 24h idle) | HttpOnly · Secure · SameSite=Lax | Required |
| pmc_csrf | Double-submit CSRF token for bot configuration endpoints | 2 hours | Secure · SameSite=Strict | Required |
| pmc_lang | Preferred UI language (en, de, es, fr, pt, ru, zh, ar, ja, it, id) | 1 year | Secure · SameSite=Lax | Optional |
| pmc_ui_density | Compact vs. comfortable dashboard spacing | 180 days | Secure · SameSite=Lax | Optional |
| pmc_consent_v2 | Records which cookie categories you accepted (bitmask) | 6 months | Secure · SameSite=Lax | Required |
| pmc_onboard | Tracks onboarding wizard progress so we don't re-prompt you | 30 days | Secure · SameSite=Lax | Optional |
| __cf_bm | Cloudflare bot-detection challenge cookie | 30 minutes | HttpOnly · Secure · SameSite=None | Third-party |
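The flags in the table above can be checked mechanically against the `Set-Cookie` headers a browser actually receives. The following is an added example, not code from polymarketcopybot.com; the function names are hypothetical and the sample headers are constructed, not captured from the site.

```javascript
// Documented attributes, copied from the Flags column of the table above.
const DOCUMENTED = {
  pmc_sess:       { httpOnly: true,  secure: true, sameSite: "lax" },
  pmc_csrf:       { httpOnly: false, secure: true, sameSite: "strict" },
  pmc_lang:       { httpOnly: false, secure: true, sameSite: "lax" },
  pmc_ui_density: { httpOnly: false, secure: true, sameSite: "lax" },
  pmc_consent_v2: { httpOnly: false, secure: true, sameSite: "lax" },
  pmc_onboard:    { httpOnly: false, secure: true, sameSite: "lax" },
  __cf_bm:        { httpOnly: true,  secure: true, sameSite: "none" },
};

// Parse one Set-Cookie header value into its name and the three audited flags.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const seen = { httpOnly: false, secure: false, sameSite: null };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=").map((s) => s.trim().toLowerCase());
    if (k === "httponly") seen.httpOnly = true;
    else if (k === "secure") seen.secure = true;
    else if (k === "samesite") seen.sameSite = v;
  }
  return { name, ...seen };
}

// Return one finding per deviation from the documented table.
function auditCookies(headers) {
  const findings = [];
  for (const h of headers) {
    const c = parseSetCookie(h);
    const want = Object.hasOwn(DOCUMENTED, c.name) && DOCUMENTED[c.name];
    if (!want) { findings.push(`${c.name}: not in documented table`); continue; }
    for (const key of ["httpOnly", "secure", "sameSite"]) {
      if (c[key] !== want[key]) findings.push(`${c.name}: ${key} is ${c[key]}, documented ${want[key]}`);
    }
  }
  return findings;
}

// Constructed sample headers: one flag mismatch and one undocumented cookie.
const SAMPLE = [
  "pmc_sess=abc; Path=/; HttpOnly; Secure; SameSite=Lax",
  "pmc_csrf=tok; Path=/; Secure; SameSite=Lax; Max-Age=7200",
  "__cf_bm=x; Path=/; HttpOnly; Secure; SameSite=None",
  "_ga=GA1.2.1; Path=/; Max-Age=63072000",
];
console.log(auditCookies(SAMPLE));
```

`pmc_csrf` is expected without HttpOnly because a double-submit token has to be readable by the page's JavaScript; the audit treats an HttpOnly `pmc_csrf` as a deviation just like a missing flag.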
3. localStorage keys (never sent to us)
These keys live only on your device. They are written by the dashboard JavaScript and are visible in DevTools at Application → Storage → Local Storage.
walletConnected = "true" | "false"
walletAddress = "0xAbC…1234"
userData = { displayName, avatarSeed, preferredChain }
copyBotConfig = { positionSizeUsdc, autoSellTargetPct, trackedWallets[] }
Clearing any of these via localStorage.clear() or the dashboard's "Reset local data" button cannot corrupt your on-chain positions. Your bot configuration will simply fall back to defaults on the next login.
4. What we deliberately do not do
- No Facebook Pixel, TikTok Pixel, LinkedIn Insight, Twitter Pixel.
- No device fingerprinting (canvas, WebGL, audio context).
- No cross-site tracking via third-party iframes.
- No persisted wallet private-key material — your key never leaves MetaMask.
- No sale or rental of cookie identifiers to data brokers.
5. How to inspect and purge our cookies
From inside the dashboard
- Open Settings → Privacy.
- Click Reset local data to wipe localStorage + sessionStorage.
- Click Sign out everywhere to invalidate pmc_sess server-side.
From the browser
- Open DevTools (F12) → Application panel.
- Pick Cookies, select .polymarketcopybot.com, right-click → Clear.
- Repeat under Local Storage and Session Storage.
6. Do Not Track (DNT) and Global Privacy Control (GPC)
When your browser transmits Sec-GPC: 1 or the legacy DNT: 1 header, our Cloudflare Worker automatically sets pmc_consent_v2 to the "strict" bitmask before any optional cookies are written. No action on your part is needed — the UI consent banner also won't appear.
7. Change log for this document
- 2026-04-20 — Re-published with per-cookie TTLs, GPC support details and DevTools-based audit steps.
- 2026-02-11 — Removed _ga; migrated analytics to first-party logs.
- 2025-10-03 — Introduced pmc_consent_v2 bitmask.
Questions about a specific cookie?
Send us the exact cookie name and our privacy engineer will reply with its source commit.