Cookies
Every cookie we set.
Last updated: May 28, 2026
The short version
- We do not use cookies for advertising. There are no third-party ad-network trackers on Lumora.
- The cookies below fall into four buckets: necessary (the site cannot function without them), security (bot protection, CSRF, fraud), functional (preferences, drafts), and analytics (anonymous product usage; opt-out via the banner).
- You can clear all cookies via your browser settings, or use the "Manage cookies" link in the consent banner to opt out of functional and analytics cookies. Necessary and security cookies cannot be disabled — the site stops working without them.
- We never read or store the contents of cookies set by other websites. Each third-party listed below has its own privacy policy.
See also our Privacy Policy and Children's Privacy notice for the full picture.
Strictly necessary
| Name | Set by | Purpose | Lifetime |
|---|---|---|---|
| lumora_anon_session | First-party | Identifies your anonymous session so a story you create before signing up can be claimed to your account afterwards. | 1 year (cleared on sign-up after claim) |
| lumora_csrf | First-party | Cross-site request forgery protection on state-changing form submissions. | Session (cleared when you close the tab) |
| lumora_consent | First-party | Records the consent choices you made in the cookie banner so we don't ask again. | 1 year |
| __session, __client, __clerk_* | Third-party (Clerk) | Auth — keeps you signed in after login. Set only when you sign in. | Up to 7 days (rolling) |
| __cf_bm, cf_clearance | Third-party (Cloudflare) | Bot protection at the edge. Blocks automated abuse from burning through generation costs. | 30 minutes (cf_bm); session (cf_clearance) |
| cf-turnstile-* | Third-party (Cloudflare Turnstile) | Invisible human-check on the story-creation page. Issues a one-time token; not used for tracking. | Short-lived (minutes) |
Functional
| Name | Set by | Purpose | Lifetime |
|---|---|---|---|
| lumora_language | First-party | Remembers your language choice so the UI loads in your preferred locale. | 1 year |
| lumora_region | First-party | Remembers a region override if you've set one (e.g., to see holidays from another country). | 1 year |
| lumora_theme | First-party | Remembers your light / dark theme preference. | 1 year |
| lumora_just_claimed | First-party | Short-lived signal so we can show you the "We saved your stories" banner on the first page after sign-up. | 10 minutes |
| lumora_create_draft | First-party | Persists your in-progress story-creation form so you don't lose work if you close the tab. | 30 days |
| lumora_did | First-party | Lightweight device identifier so we can detect when the same browser returns. Used for the anonymous-story claim fallback when cookies are cleared. | 1 year |
| lumora_ref | First-party | Captures a referral code if you arrived via a referral link, so the referrer can get credit when you sign up. | 30 days |
| lumora_cancel_flow, lumora_reason | First-party | Stores in-flight state for the subscription cancellation flow (e.g., the reason you selected) so the multi-step flow can resume after a redirect. | Session |
| lumora_ab | First-party | A/B test bucket assignment. Determines which variant of a feature you see so experiments stay consistent across visits. | 90 days |
| __stripe_mid, __stripe_sid | Third-party (Stripe) | Set only on checkout pages. Helps Stripe detect fraud during payment. | 1 year (mid); 30 minutes (sid) |
Analytics
| Name | Set by | Purpose | Lifetime |
|---|---|---|---|
| ph_* | Third-party (PostHog) | Anonymous product analytics — which features are used, where users get stuck. We use PostHog only with anonymized device IDs; no personal identifying info is recorded. | 1 year |
Cookies we explicitly do not use
- Advertising or behavioral-targeting cookies from networks like Google Ads, Meta Pixel, TikTok Pixel, or similar. We do not run ads.
- Cross-site tracking cookies. The few third-party cookies listed above (Clerk, Cloudflare, Stripe, PostHog) are scoped to specific functions and don't share data with advertising networks.
- Cookies that contain personal identifying information like email or name. Our first-party cookies hold opaque identifiers (UUIDs, locale codes, etc.) only.
Local storage
In addition to cookies, Lumora may use your browser's local storage for the same kinds of functional data (preferences, draft state, language). Local storage stays on your device and is not transmitted to our servers. Clearing your browser's site data clears it.
Questions
Write to privacy@lumora.kids or hello@lumora.kids.