This policy explains what information TESSA Training stores in your browser and why. It covers cookies as well as other client-side storage technologies such as localStorage and sessionStorage, because under the Privacy and Electronic Communications Regulations 2003 (PECR) the same rules apply to any technology that reads or writes information from your device.
TESSA Training uses only storage that is strictly necessary to deliver the training service. We do not use cookies or other storage for advertising, retargeting, social media tracking, third-party analytics, or profiling. No cookie banner is shown because PECR does not require consent for storage that is strictly necessary to provide the service you have asked for.
| Name | Type | Purpose | Duration |
|---|---|---|---|
sb-chbmodmsqexyvfkvhctu-auth-token |
localStorage | Your Supabase authentication session. Set by the Supabase JavaScript client (v2) after you complete a magic-link login. It is how the platform knows you are signed in as you move between pages. Nothing in this value is sent to any third party. | Until sign-out or until the refresh token expires (default 1 hour access, rolling refresh for up to 30 days) |
tessa_invite_code |
localStorage | Remembers an organisational invite code you entered at sign-up so that it can be attached to your profile after you complete the magic-link flow. | Until profile completion, then deleted |
tessa-a11y |
localStorage | Stores your accessibility preferences (for example, increased contrast or text size) so the site remembers them next time you visit. | Persistent until you clear your browser storage |
Note: the Supabase JavaScript client (version 2) stores its authentication state in localStorage, not in cookies. Earlier versions of this policy referred to these as "cookies", which was inaccurate. The regulatory treatment is the same either way.
We do not set any non-essential cookies or other non-essential storage. There is no advertising, retargeting, social plug-in, session-replay tool, heat-map, or third-party analytics script on this platform.
When you interact with a module, we record events such as module viewed, quiz started, quiz submitted, and certificate downloaded on our own Supabase database. These events are sent directly to our own backend and are never shared with a third party. We rely on this data to evidence CPD activity and to improve the platform, under the lawful bases set out in section 3 of our Privacy Policy.
We honour the Global Privacy Control (GPC) browser signal. If your browser sends GPC, we will not record these first-party engagement events for the duration of your session. Strictly necessary authentication and progress storage (section 3.1 above) will still function because it is required to deliver the training service.
We do not rely on the legacy "Do Not Track" (DNT) header, which is no longer consistently sent by modern browsers.
TESSA Training self-hosts its fonts and its JavaScript libraries. This means that simply loading a page does not cause your IP address to be transferred to Google, Cloudflare, jsDelivr, or any other third-party CDN. The only third parties that see your request are our hosting provider (Netlify) and our backend provider (Supabase), both of whom act as our data processors under written contracts. See section 4 of the Privacy Policy for full details.
You can inspect, clear, or block cookies and other site storage through your browser settings:
Please be aware that if you block or delete the Supabase authentication item in section 3.1 you will be signed out of TESSA Training and will need to request a new magic link to get back in.
We will update this policy whenever we change the set of storage items we use or the purposes for which we use them, and always before making such a change. The "Last updated" date at the top will change to reflect new versions.