Cookie Audit
Public list of every cookie and storage key used by TogoPeptide, by category, with purpose and duration. This is the technical companion to the Cookie Policy.
How to read this page
For full transparency we list every browser-side storage entry the site can create — HTTP cookies, localStorage keys and sessionStorage keys — whether it is set by us (first-party) or by a processor (third-party), and how long it persists. Strictly-necessary entries cannot be disabled. Optional entries only get written after you choose them in the consent banner.
You can inspect what is currently stored in your browser via DevTools → Application → Storage. You can clear everything by running TogoConsent.reset() in the console, or by clearing site data in your browser.
Strictly necessary
Required for the site to operate — consent state, age verification, cart, session security. No legal basis required (article 5(3) ePrivacy carve-out).
| Name | Type | Party | Purpose | Duration |
|---|---|---|---|---|
togo:age:21+ | localStorage | First-party | Records that you confirmed you are 21+ so the age-gate does not re-prompt every navigation. | Until cleared |
togo:consent | localStorage | First-party | Stores your cookie-banner choices (functional / analytics / marketing) plus the policy version. | Until cleared |
togo:consent-log | localStorage | First-party | Append-only audit trail of every consent decision (timestamp, source, prefs). Capped at 50 entries. Stays on your device — no network call. | Until cleared |
togo:cart | localStorage | First-party | Persists your shopping cart between visits. | Until cleared / order placed |
togo:theme | localStorage | First-party | Remembers your light / dark theme preference for zero-flash rendering. | Until cleared |
togo:lang | localStorage | First-party | Stores your selected interface language. | Until cleared |
nf_* | Cookie | Netlify (processor) | Edge routing, A/B split-testing buckets, anti-abuse. Set by our hosting provider for site delivery. | Session – 1 year |
Functional
Improve the experience but the site works without them. Set only after you opt in. Legal basis: article 6(1)(a) GDPR — consent.
| Name | Type | Party | Purpose | Duration |
|---|---|---|---|---|
togo:recently-viewed | localStorage | First-party | Track the last few compounds you opened so we can show a "recently viewed" rail. | Until cleared |
togo:wishlist | localStorage | First-party | Persist saved-for-later compounds without requiring an account. | Until cleared |
togo:compare | localStorage | First-party | Holds the compounds you've added to the side-by-side comparison tool. | Until cleared |
togo:currency | localStorage | First-party | Remember your preferred display currency. | Until cleared |
Analytics
Anonymized site-usage measurement to improve the experience. No cross-site tracking, no advertising IDs. Set only after you opt in.
| Name | Type | Party | Purpose | Duration |
|---|---|---|---|---|
togo:session-id | sessionStorage | First-party | Random per-tab id so we can de-duplicate page-view beacons sent to /__events. | Tab session |
togo:events | localStorage | First-party | Short rolling analytics buffer used only after analytics consent. Event URLs, referrers and props are scrubbed for email, phone, token, payment and order-reference patterns before storage or beacon upload. | Rolling 200 events, until cleared |
togo:cwv-sent | sessionStorage | First-party | Avoid sending the same Core Web Vitals beacon twice in one tab. | Tab session |
Marketing
Currently none. We do not run remarketing pixels, advertising-network cookies or social-tracking pixels. The marketing toggle in the consent banner is reserved for future opt-in only; if we ever start using a marketing tag we will list every key here before it is set, and re-prompt for consent.
Server-side logs
Aside from browser storage, our processors keep short-lived server logs (HTTP access, function invocations) for security, abuse prevention and debugging. Retention and legal basis are described in the Privacy Policy.
Last reviewed
2026-05-27. We re-audit this list whenever we add a feature that touches client storage or whenever we onboard a new processor.