This policy explains what information TESSA Training stores in your browser and why. It covers cookies as well as other client-side storage technologies such as localStorage and sessionStorage, because under the Privacy and Electronic Communications Regulations 2003 (PECR) the same rules apply to any technology that stores information on, or reads information from, your device.
TESSA Training uses storage that is strictly necessary to deliver the training service, plus one optional, privacy-respecting analytics tool (PostHog) that is only ever loaded if you accept it. We do not use cookies or other storage for advertising, retargeting, social media tracking, or profiling, and we do not record your screen (session replay is switched off). Because the analytics is optional and not strictly necessary, we show a cookie banner and load it only after you click Accept. If you decline, or ignore the banner, PostHog is never loaded.
| Name | Type | Purpose | Duration |
|---|---|---|---|
| sb-chbmodmsqexyvfkvhctu-auth-token | localStorage | Your Supabase authentication session. Set by the Supabase JavaScript client (v2) after you complete a magic-link login. It is how the platform knows you are signed in as you move between pages. Nothing in this value is sent to any third party. | Until sign-out or until the refresh token expires (default 1 hour access, rolling refresh for up to 30 days) |
| tessa_invite_code | localStorage | Remembers an organisational invite code you entered at sign-up so that it can be attached to your profile after you complete the magic-link flow. | Until profile completion, then deleted |
| tessa-a11y | localStorage | Stores your accessibility preferences (for example, increased contrast or text size) so the site remembers them next time you visit. | Persistent until you clear your browser storage |
Note: the Supabase JavaScript client (version 2) stores its authentication state in localStorage, not in cookies. Earlier versions of this policy referred to these as "cookies", which was inaccurate. The regulatory treatment is the same either way.
If, and only if, you accept optional cookies via our banner, we load PostHog, a privacy-focused product analytics tool, to understand how visitors move through the site so we can improve it. PostHog is hosted in the European Union (the eu.i.posthog.com region) and acts as our data processor under a written contract. We have session replay switched off, so PostHog never records your screen, keystrokes, or form contents, and we also honour the browser Do-Not-Track signal. If you decline, none of the items below are set.
| Name | Type | Purpose | Duration |
|---|---|---|---|
| ph_phc_*_posthog | localStorage + cookie | PostHog's identifier for your browser and session, used to count visits and page journeys. Set only after you accept optional cookies. | Up to 12 months, or until you clear your browser storage or opt out |
| tessa-training-cookie-consent | localStorage | Remembers your accept or decline choice so we do not ask again on every page. This item is itself strictly necessary to honour your choice. | Persistent until you clear your browser storage |
We do not set any other non-essential storage. There is no advertising, retargeting, social plug-in, session-replay recording, or heat-map on this platform.
When you interact with a module, we record events such as module viewed, quiz started, quiz submitted, and certificate downloaded on our own Supabase database. These events are sent directly to our own backend and are never shared with a third party. We rely on this data to evidence CPD activity and to improve the platform, under the lawful bases set out in section 3 of our Privacy Policy.
We honour the Global Privacy Control (GPC) browser signal. If your browser sends GPC, we will not record these first-party engagement events for the duration of your session. Strictly necessary authentication and progress storage (section 3.1 above) will still function because it is required to deliver the training service.
The optional PostHog analytics described in section 3.2 also honours the browser "Do Not Track" (DNT) signal: if your browser sends DNT, PostHog will not capture, even if you have accepted optional cookies.
TESSA Training self-hosts its fonts and its JavaScript libraries. This means that simply loading a page does not cause your IP address to be transferred to Google, Cloudflare, jsDelivr, or any other third-party CDN. The third parties that see your request are our hosting provider (Netlify) and our backend provider (Supabase), both of whom act as our data processors under written contracts. If you accept optional cookies, our analytics provider PostHog (EU region) also receives analytics data as our data processor; if you decline, PostHog is never contacted. See section 4 of the Privacy Policy for full details.
You can inspect, clear, or block cookies and other site storage through your browser settings:
Please be aware that if you block or delete the Supabase authentication item in section 3.1 you will be signed out of TESSA Training and will need to request a new magic link to get back in.
We will update this policy whenever we change the set of storage items we use or the purposes for which we use them, and always before making such a change. The "Last updated" date at the top will change to reflect new versions.