This Cookie Policy explains how DropSub LLC ("DropSub", "we", "us") uses cookies and similar browser storage technologies when you visit dropsub.com or use the DropSub application.
DropSub is a minimal-footprint platform. We do not use advertising cookies, cross-site tracking, or analytics data brokers. The storage we use exists to keep you logged in and to make the product work correctly.
Cookies are small text files that a website saves to your browser. They are sent back to the server on subsequent requests so the server can recognize your browser session. Cookies can be "session cookies" (deleted when you close the browser) or "persistent cookies" (stored for a defined period).
Modern web applications also use two related browser storage mechanisms: localStorage and sessionStorage. These work differently from cookies:
DropSub uses localStorage and sessionStorage for authentication, not traditional cookies. This section explains exactly what we store and why.
DropSub's own first-party storage consists exclusively of authentication tokens. We do not set tracking pixels, session-replay scripts, or behavioral analytics cookies.
Authentication tokens are issued by our backend (api.dropsub.com) when you log in. They are JSON Web Tokens (JWTs) that prove your identity to our API. Without a valid token in browser storage, you cannot access any protected page or API endpoint.
When you log in with "Keep me signed in" checked, the token is stored in localStorage and survives until it expires or you log out. When you log in without that option, the token is stored in sessionStorage and is destroyed when you close the tab.
The table below lists every key DropSub reads or writes in your browser storage.
| Key name | Storage type | Purpose | Lifespan |
|---|---|---|---|
| access_token | localStorage | Persistent login — Bearer token sent with every authenticated API request. Set when "Keep me signed in" is selected at login. | Until token expiry (~7 days) or explicit logout |
| access_token | sessionStorage | Session-only login — same Bearer token, but destroyed when the tab is closed. Set when "Keep me signed in" is NOT selected. | Until tab close or explicit logout |
| ds_theme | localStorage | Reserved for future UI theme preference (light/dark). Not currently active. | Indefinite (small string value) |
No other keys are set by DropSub at this time. This table is updated whenever new storage use is introduced.
Some third-party services embedded in or connected to DropSub may set their own cookies. These are governed by those services' own privacy and cookie policies.
DropSub does not use Google Analytics, Facebook Pixel, Segment, Mixpanel, Intercom, Hotjar, or any advertising network. If this changes we will update this policy and notify users.
When you log in to DropSub, our API issues a signed JWT (JSON Web Token). The token payload contains your user ID, role (artist or fan), and an expiration timestamp. The token is signed with a server-side secret — it cannot be forged or tampered with.
This token is stored client-side under the key access_token in either localStorage or sessionStorage, depending on your login preference. Every subsequent request to our API includes this token in the Authorization: Bearer <token> HTTP header.
When you log out, DropSub deletes access_token from both storage locations and redirects you to the login page. We also invalidate the token server-side where possible.
If you believe your account has been compromised, log out immediately from all sessions using the account settings page, or contact support@dropsub.com.
You have several options for controlling how storage is used:
Session vs. persistent login: At the login screen, leave "Keep me signed in" unchecked to use sessionStorage instead of localStorage. Your session will end when you close the tab.
Explicit logout: Clicking "Log out" removes your access token from storage immediately.
Clear browser storage: You can clear localStorage and sessionStorage for dropsub.com at any time through your browser's Developer Tools (Application → Storage) or browser settings (Clear browsing data). Doing so will log you out.
Block third-party cookies: Most modern browsers allow you to block third-party cookies. This may affect Stripe payment flows but will not affect DropSub's own authentication.
Because DropSub does not use advertising or analytics cookies, there is no cookie consent banner — the only essential storage is the auth token, which is necessary for the service to function once logged in.
We may update this Cookie Policy as the platform evolves. If we introduce materially new tracking or analytics, we will update the "Last updated" date at the top of this page and notify users by email at least 14 days before the change takes effect.
Continued use of DropSub after a policy update constitutes acceptance of the new terms. If you have questions about any change, please contact us before the effective date.
Questions about this Cookie Policy or data practices in general can be directed to:
legal@dropsub.com
See also our Privacy Policy for a broader explanation of how we collect and use your data.