Cookie & Consent Audit Decision
Audit date: 2026-04-04
Auditor: AI assistant (opencode)
Conclusion
No non-essential tracking found. No consent banner, gating utility, or cookie notice is needed at this time.
Scope Checked
- Analytics SDKs: GA4, GTM, PostHog, Mixpanel, Amplitude, Plausible, Vercel Analytics — none present
- Ad/marketing pixels: Meta Pixel, TikTok Pixel, Facebook Pixel — none present
- Session replay / heatmaps: Hotjar, FullStory, Clarity — none present
- Tag managers: Google Tag Manager — none present
- Third-party scripts: External `https://` script loads, iframes, embeds — none present (only local images and schema.org JSON-LD)
- Client storage: `localStorage`, `sessionStorage` — zero usage
- Consent code paths: `cookie_consent`, `gdpr`, `ccpa`, `privacy.*preference` — only legal copy in privacy policy, no functional consent logic
- Dependencies: All 10 runtime packages reviewed (`next`, `next-auth`, `stripe`, `prisma`, `nodemailer`, `jose`, `zod`) — all strictly functional
- Middleware: `proxy.ts` reviewed — auth guard only, no tracking
Current Storage Classification
| Mechanism | Classification |
|---|---|
| next-auth session cookies | Necessary |
| Stripe payment cookies | Necessary |
| Schema.org JSON-LD | Necessary (SEO) |
| Google/Bing search console verification | Functional |
| Transactional email (nodemailer) | Necessary |
Re-evaluation Trigger
Before deploying any of the following, consent requirements must be re-evaluated:
- Google Analytics / GA4 or any pageview tracking
- Google Tag Manager
- Meta Pixel / Facebook Pixel / TikTok Pixel
- Hotjar / FullStory / Microsoft Clarity / session replay
- PostHog / Mixpanel / Amplitude / product analytics
- Ad retargeting or attribution scripts
- Any third-party widget that sets non-essential identifiers
- Any marketing or profiling cookies beyond strictly necessary auth/payment
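As an added example (not part of this audit record and not the project's own code), a small Node script that re-runs the patterns from "Scope Checked" as a pre-deploy gate and flags the "Re-evaluation Trigger" items; the file paths, sample file contents, check table and allow-list are constructed assumptions.

```javascript
// Added example (not part of the audit record). Re-runs the checks listed under
// "Scope Checked" as a pre-deploy gate: any hit outside the allow-list means the
// consent decision must be re-evaluated. Paths and sample file contents below are
// constructed for illustration; CHECKS is a hypothetical pattern table, not a project file.
const CHECKS = [
  { id: 'analytics-sdk', re: /gtag\(|googletagmanager\.com|posthog|mixpanel|amplitude|plausible\.io|@vercel\/analytics/i },
  { id: 'ad-pixel', re: /fbq\(|connect\.facebook\.net|analytics\.tiktok\.com/i },
  { id: 'session-replay', re: /hotjar|fullstory|clarity\.ms/i },
  { id: 'client-storage', re: /\b(localStorage|sessionStorage)\b/ },
  { id: 'consent-code', re: /cookie_consent|gdpr|ccpa|privacy.*preference/i },
  // Remote <script src="https://..."> (also matches next/script's <Script>);
  // inline schema.org JSON-LD has no src attribute and does not fire.
  { id: 'external-script', re: /<script[^>]*\ssrc=["']https?:\/\//i },
];

// Scan one file's text line by line; one finding per (line, check) hit.
function scanSource(path, text) {
  const findings = [];
  text.split('\n').forEach((line, idx) => {
    for (const { id, re } of CHECKS) {
      if (re.test(line)) findings.push({ path, line: idx + 1, check: id, snippet: line.trim() });
    }
  });
  return findings;
}

// files: { path: text }. allow: [{ pathPrefix, check }] for hits already judged
// non-functional (here: legal copy in the privacy policy). Anything left needs review.
function audit(files, allow = []) {
  const findings = Object.entries(files)
    .flatMap(([path, text]) => scanSource(path, text))
    .filter(f => !allow.some(a => f.path.startsWith(a.pathPrefix) && f.check === a.check));
  return { findings, needsReview: findings.length > 0 };
}

// Constructed samples: current layout with JSON-LD only, privacy-policy copy, and a
// proposed change that adds a gtag/GTM loader (a "Re-evaluation Trigger" item).
const SAMPLE_FILES = {
  'app/layout.tsx': '<script type="application/ld+json">{"@context":"https://schema.org"}</script>',
  'app/privacy/page.tsx': '<p>Update your privacy preferences by emailing support.</p>',
  'app/layout.proposed.tsx': '<Script src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER" />',
};
const ALLOW = [{ pathPrefix: 'app/privacy/', check: 'consent-code' }];

const result = audit(SAMPLE_FILES, ALLOW);
console.log(result.needsReview ? 'RE-EVALUATE CONSENT' : 'no non-essential tracking found', result.findings);
```

Wired into CI, a non-zero `findings` count fails the build until the allow-list is extended or the consent decision above is revisited.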