Curba Cookie Policy
Effective date: May 9, 2026 Last updated: May 7, 2026
1. What This Policy Covers
This Cookie Policy explains what cookies, trackers, and similar technologies Curba uses on the Platform, what they do, who sets them, and how you can manage them. It supplements (and is referenced by) our Privacy Policy.
In this document, "cookie" refers to small text files stored in your browser, "tracker" refers to any technology used to identify a User or device (cookies, web beacons, scripts, browser fingerprints, e-tags, similar identifiers), and "storage" refers to your browser's local and session storage.
2. Why We Use Cookies and Trackers
Curba uses cookies and similar technologies to:
- Keep you signed in across sessions (authentication)
- Remember in-progress actions like a partially filled-out listing form (session state)
- Process payments securely through Stripe
- Detect fraud and abusive behaviour (Cloudflare Turnstile on contact forms, Cloudflare bot management on all traffic)
- Measure how the Platform is used so we can improve it (analytics)
- Render maps and address autocomplete (Google Maps / Places)
We do not use third-party advertising or remarketing cookies, and we do not sell your personal information to advertisers.
3. Categories of Cookies and Trackers
We use four categories of cookies and trackers, summarized below. The full inventory follows in Section 4.
3.1 Strictly necessary
Required for the Platform to function. They keep you signed in, hold short-lived state needed during checkout, secure payment forms, and protect against bots. Disabling these will break core functionality.
Examples: Keycloak session cookies, Stripe __stripe_mid / __stripe_sid, Cloudflare __cf_bm, sessionStorage entries.
3.2 Functional
Improve your experience by remembering preferences and short-lived state across page reloads. Disabling these will not break the Platform but may degrade the experience (you may lose unsaved form drafts on a hard reload, for example).
Examples: localStorage entries for in-progress declarations, returnUrl state, password-reset success flag.
3.3 Performance and analytics
Help us understand how the Platform is used so we can improve it. Anonymized at the aggregate level - used for things like funnel analysis and drop-off detection.
Examples: Google Analytics 4 (_ga, _ga_<id>), PostHog (ph_*).
3.4 Advertising
We do not use any advertising or remarketing cookies on the Platform. If this changes in the future, this policy will be updated and (where applicable) consent will be re-collected.
4. Inventory of Cookies, Trackers, and Storage
The following technologies may be set or accessed when you use Curba. Cookie names containing <id> or <key> mean the actual name varies by configuration (e.g. PostHog includes the project key in the cookie name).
4.1 Authentication and session - Keycloak
| Name | Provider | Type | Purpose | Duration |
|---|---|---|---|---|
KEYCLOAK_IDENTITY | Curba (auth.curba.app) | First-party cookie | Identifies your authenticated session | Session |
KEYCLOAK_SESSION | Curba (auth.curba.app) | First-party cookie | Tracks single sign-on session | Session |
KC_RESTART | Curba (auth.curba.app) | First-party cookie | Used during the OAuth login flow | Up to 5 minutes |
AUTH_SESSION_ID | Curba (auth.curba.app) | First-party cookie | Internal Keycloak session correlation | Session |
Category: Strictly necessary. Disabling impact: You won't be able to sign in.
4.2 Bot protection and CDN - Cloudflare
| Name | Provider | Type | Purpose | Duration |
|---|---|---|---|---|
__cf_bm | Cloudflare | Third-party cookie | Bot management - distinguishes humans from automated traffic | 30 minutes |
cf_clearance | Cloudflare | Third-party cookie | Records that you completed a security challenge | 30 days |
| Turnstile cookies | Cloudflare | Third-party cookies | Used by the Turnstile challenge on the Contact form to verify you're a human | Short (challenge lifetime) |
Category: Strictly necessary. Disabling impact: Cloudflare may serve more challenges or block your traffic; the contact form will not submit. Cloudflare Privacy Policy
4.3 Payments - Stripe
Set automatically when Stripe.js loads on payment, payout, or identity-verification pages.
| Name | Provider | Type | Purpose | Duration |
|---|---|---|---|---|
__stripe_mid | Stripe | Third-party cookie | Fraud prevention - Stripe machine identifier | 1 year |
__stripe_sid | Stripe | Third-party cookie | Fraud prevention - Stripe session identifier | 30 minutes |
m | Stripe (m.stripe.network) | Third-party cookie | Stripe device fingerprinting for fraud detection | 2 years |
Category: Strictly necessary. Disabling impact: Payments will fail and identity verification will not load. Stripe Privacy Policy · Stripe Cookie Policy
4.4 Maps and addresses - Google
Set when Google Maps or Places autocomplete loads (browse pages, listing form, verify-identity page).
| Name | Provider | Type | Purpose | Duration |
|---|---|---|---|---|
NID | Third-party cookie | Required by Google Maps and Places APIs | 6 months | |
| Other Google cookies | Third-party cookies | Set by Google's general infrastructure | Varies |
Category: Strictly necessary (for any page that displays maps or address suggestions). Disabling impact: Address autocomplete and listing maps will not work. Google Privacy Policy · How Google uses cookies
4.5 Analytics - Google Analytics 4
Set on every page once GA is configured (production only). Used to understand how visitors find and use the Platform.
| Name | Provider | Type | Purpose | Duration |
|---|---|---|---|---|
_ga | Google Analytics 4 | Third-party cookie | Distinguishes unique users | 2 years |
_ga_<measurement-id> | Google Analytics 4 | Third-party cookie | Persists session state | 2 years |
_gid | Google Analytics 4 | Third-party cookie | Distinguishes unique users (legacy fallback) | 24 hours |
Category: Performance and analytics. Disabling impact: None - the Platform functions normally. How we configure GA: IP anonymization is on by default in GA4. We have configured Data Redaction to scrub sensitive query parameters (auth tokens, payment intent secrets, email/phone patterns) from URL hits. We do not enable Google Signals (cross-device tracking) and we do not allow Google to use Curba data for ad targeting. Google Analytics Privacy · Opt-out browser add-on
4.6 Product analytics - PostHog
Set on every page once PostHog is configured (production only). Used for funnel analysis, retention metrics, and (when enabled) session replay for UX debugging.
| Name | Provider | Type | Purpose | Duration |
|---|---|---|---|---|
ph_<api-key>_posthog | PostHog | Third-party cookie | Anonymous device + session identifier and feature-flag cache | Up to 1 year |
Category: Performance and analytics. Disabling impact: None - the Platform functions normally. How we configure PostHog: Person profiles are set to identified-only (anonymous visitors are not associated with a persistent profile). Session replay is enabled for UX debugging. Auto-capture is enabled for clicks, form submissions, and pageviews. PostHog Privacy
4.7 Browser storage (not cookies)
Curba uses your browser's sessionStorage and localStorage for short-lived state. These never leave your device unless explicitly synced.
| Key (illustrative) | Storage | Purpose |
|---|---|---|
curba_password_reset_success | sessionStorage | One-time flag to display the password-reset success page |
curba_pending_password_reset | localStorage | Tracks that a password-reset email was sent |
verify-identity-cached-state | sessionStorage | Re-hydrates the listing inquiry after the verify-identity round-trip |
ngsw:* | IndexedDB / Cache API | Service-worker caches for offline assets |
Category: Strictly necessary or functional, depending on the entry. Disabling impact: You may lose in-progress state across reloads; the service worker won't cache static assets.
5. Third-Party Trackers
The third-party services listed above set their own cookies on your device under their own privacy policies. Curba has no direct control over how those providers operate their cookies. We have selected providers we consider reputable and that publish their own privacy and cookie policies. Links are provided in each row of Section 4 and in the Privacy Policy.
6. How to Manage Cookies
You can manage cookies in several ways:
6.1 Browser settings
Most browsers let you view, delete, and block cookies through their settings:
- Chrome: Settings → Privacy and security → Cookies and other site data
- Firefox: Settings → Privacy & Security → Cookies and Site Data
- Safari: Settings → Privacy → Manage Website Data
- Edge: Settings → Cookies and site permissions → Manage and delete cookies
If you block all cookies, the Platform's strictly-necessary cookies will be blocked too, which means you won't be able to sign in or complete a payment. We recommend allowing first-party cookies for Curba and the listed third-party providers.
6.2 Provider-specific opt-outs
- Google Analytics: Google Analytics Opt-out Browser Add-on (works for any site that uses GA)
- PostHog: PostHog respects the standard
Do Not Trackbrowser signal, and you can opt out per-device by clearing theph_*cookie
6.3 Do Not Track
Some browsers send a "Do Not Track" signal. Curba's analytics providers (PostHog and GA4) honour this signal where browser support exists. We do not, however, treat DNT as a blanket opt-out from strictly-necessary cookies, since those are required for the Platform to function.
6.4 Account-level opt-outs
You can withdraw consent and request deletion of analytics data we hold about you by contacting our Privacy Officer at privacy@curba.app. See Section 9 of our Privacy Policy for the full list of rights.
7. Consent and Quebec Law 25
Quebec residents have the right under Law 25 to be clearly informed about each technology used on their device and to consent in advance to non-essential trackers. Curba's current approach is:
- Strictly-necessary cookies are loaded without prior consent (permitted by Law 25 and PIPEDA when limited to what is required to provide a service the user has requested)
- Performance and analytics cookies (GA4, PostHog) are loaded after the user has been informed via this Cookie Policy and the persistent footer link to it. We do not currently display a per-visit consent banner.
- A consent banner is on our roadmap and will be deployed when we expand to advertising or cross-context behavioural sharing - neither of which we do today.
If you are a Quebec resident and you would like to opt out of analytics cookies in advance of the consent banner being deployed, please email our Privacy Officer at privacy@curba.app.
8. Changes to This Policy
We may update this Cookie Policy from time to time as our use of cookies and trackers changes. Material changes (new analytics or advertising providers, new cookie categories, changes to retention periods) will be announced on the Platform and reflected in the "Last updated" date at the top.
9. Contact
Questions about this Cookie Policy can be sent to:
- Email: privacy@curba.app
- Phone: +1 825 256 5110
- Privacy Officer: Stanley Ekpunobi, 2814447 Alberta Inc. (operating as Curba), 1034-1215 9th Ave SW, Calgary, AB T3C 0H9, Canada
10. Definitions
The following terms have specific meanings throughout this policy.
- Cookie - a small text file stored in your browser by a website you visit (first-party cookie) or by another service the website embeds (third-party cookie).
- First-party cookie - set by the domain in your browser's address bar (i.e.
curba.apporauth.curba.app). - Third-party cookie - set by a domain other than the one in your address bar (e.g. Stripe, Google, PostHog).
- Tracker - any technology used to identify a User or device, including cookies, web beacons, scripts, browser fingerprinting, e-tags, and similar identifiers.
- Storage -
sessionStorage,localStorage, IndexedDB, and similar browser-side persistence APIs that hold data on your device. - Strictly necessary - a cookie or tracker without which a service cannot function (e.g. authentication, fraud prevention, payments).
- Performance / analytics - a cookie or tracker used to measure how the Platform is used in aggregate.
- Advertising - a cookie or tracker used to deliver targeted advertising or to measure ad effectiveness across websites. Curba does not use these.
Generated portions of this document were originally produced via the iubenda Cookie Policy Generator and adapted by Curba to reflect the actual cookies and trackers in production and Canadian (PIPEDA, Quebec Law 25) requirements.