01 Introduction
Cookies are tiny text files that a website asks your browser to store on your device, so it can recognise you on later visits — for example to remember a language preference, a shopping cart, or a login session. They are sent back to the server with every HTTP request to the same domain.
Local storage (and its sibling session storage) is a different mechanism: it stores data inside the browser itself, key-by-key, and that data is never automatically sent to any server. Despite the technical difference, EU law — specifically the ePrivacy Directive (Article 5.3) — treats both the same way: any storage of, or access to, information on a user's terminal equipment requires consent unless it is strictly necessary to deliver a service the user explicitly asked for.
This page explains what is stored on your device when you visit walkie-talky.vercel.app, why, and how to control it. The scope is the marketing landing page only. The Talky iOS / iPadOS / macOS app handles data and tracking (Google AdMob, Firebase Analytics, Apple App Tracking Transparency) under a separate Privacy Policy shipped inside the app and on this site.
02 Cookie categories
Industry guidance from the European Data Protection Board and national authorities (CNIL, Garante, ICO) groups cookies into four broad categories. We define them here so the table in the next section makes sense.
- Strictly necessary — required to deliver the page or a feature the user has explicitly requested (load balancing, anti-fraud, remembering a consent choice). Exempt from consent under ePrivacy Art. 5.3.
- Functional — improve the experience but are not essential: language preference, theme, recent items. Require consent.
- Analytics — measure how the site is used so we can improve it (page views, scroll depth, bounce rate). Require consent in the EU/EEA/UK, even when anonymised, unless an exemption applies.
- Marketing / advertising — build a profile of the visitor to serve targeted ads, measure ad campaigns, or share data with ad networks. Always require explicit, freely-given consent.
03 What this site uses right now
We want to be unusually direct here: as of the Last updated date above, this landing page sets no first-party cookies and no third-party cookies of its own. It does not load any analytics script, any tag manager, any ad pixel, any social-media SDK, any chat widget, any heatmap. The only piece of information persisted on your device by us is a single key in your browser's localStorage, used to remember the choice you make in the consent banner so we don't show it on every page load.
| Name | Type | Category | Purpose | Duration | Party |
|---|---|---|---|---|---|
talky_consent_v1 |
localStorage | Strictly necessary | Stores the choice (accept / reject / customised) made in the consent banner so it is not shown on every visit. | Until you clear it manually or your browser is wiped. | First-party |
| Vercel session (anonymous) | HTTP header / edge token | Strictly necessary | DDoS protection, edge traffic routing and HTTPS termination at the hosting layer. Contains no personal identifier. | Session (cleared when the connection ends). | Third-party (Vercel Inc., USA) |
04 Third-party services loaded by this page
Even though we do not embed third-party trackers, your browser still talks to a handful of external services when it renders the page. Each one creates an entry in that service's HTTP access logs (typically your IP address, the requested file, the timestamp, and the User-Agent string). None of them set cookies on this domain.
Google Fonts — fonts.googleapis.com, fonts.gstatic.com
We load the typefaces Bricolage Grotesque, IBM Plex Mono, Fraunces and VT323 from Google's CDN. Since 2022, the Google Fonts CSS and WOFF2 endpoints no longer set any cookies — they are served from fonts.gstatic.com, a cookieless domain dedicated to static assets. The CSS request to fonts.googleapis.com is also cookieless. Google still receives the IP address as part of any HTTP request; this is unavoidable for any CDN-served resource. If you prefer to self-host fonts, you can block these domains in your browser or use a content-blocker — the page will simply fall back to system fonts.
Apple App Store thumbnails — is1-ssl.mzstatic.com
The screenshots and the app icon you see on the page are served directly by Apple's media CDN as plain <img> tags. These are simple HTTP GET requests for image files; the responses do not include any Set-Cookie header. Apple receives the IP address, the User-Agent, and the URL of the requested image.
Vercel — hosting and edge network
The site itself is hosted by Vercel Inc. Vercel may set short-lived, anonymous tokens or use HTTP headers at the edge to protect against denial-of-service attacks and to route traffic to the nearest data centre. These are technical, strictly-necessary identifiers and are not used for profiling. Vercel's own privacy statement is available at vercel.com/legal/privacy-policy.
05 What might be added in the future (with consent)
We may, at some point, want to know whether anyone is actually reading this thing. If we add measurement tools, we will pick the most privacy-respectful option available and we will gate it behind the consent banner. Candidates include:
- Plausible Analytics or Fathom or Simple Analytics — EU-hosted, cookieless, no personal data, no fingerprinting. These often qualify for the ePrivacy analytics exemption in some jurisdictions but we will still ask first.
- Google Analytics 4 — only if strictly needed, fully consent-gated, with IP truncation and Google Signals disabled.
- Microsoft Clarity or similar session-replay — would require explicit opt-in and a clear notice on the banner.
In any of these scenarios, the relevant tags will not load before you accept the corresponding category, the table in section 03 will be updated, the Last updated date will change, and the consent banner will re-appear with the new categories so you can confirm your choice. We will not silently re-purpose your existing acceptance.
06 How to manage your choice
You can change your mind at any time — and in more than one way.
- Reopen the consent banner via the Cookie preferences link in the footer of every page, or the button at the top and bottom of this page. This wipes the
talky_consent_v1key and sends you back to the home page, where the banner appears again. - Clear localStorage manually from your browser's developer tools (Application → Local Storage → right-click delete) or from Settings → Privacy → Clear browsing data, selecting cookies and other site data.
- Block cookies and storage at the browser level, either globally or only for this domain. Short instructions:
- Safari — Settings → Privacy → Manage Website Data to remove this site, or tick Block all cookies.
- Chrome — Settings → Privacy and security → Cookies and other site data → add the site to Sites that can never use cookies.
- Firefox — Settings → Privacy & Security → Cookies and Site Data → Manage Exceptions, or set Enhanced Tracking Protection to Strict.
- Edge — Settings → Cookies and site permissions → Manage and delete cookies and site data.
- Use a content-blocker (uBlock Origin, AdGuard, Brave Shields, Safari content blockers). The page is designed to degrade gracefully when external resources are blocked.
07 Do Not Track & Global Privacy Control
Browsers can transmit two machine-readable privacy signals:
- DNT — the legacy Do Not Track HTTP header. Widely deprecated, but we honour it: when present and set to
1, we treat it as a refusal of any non-strictly-necessary storage. - GPC — the Global Privacy Control signal, a more recent specification endorsed by Californian and EU regulators as an opt-out of sale/sharing under CCPA/CPRA and as a valid expression of refusal under GDPR. When your browser sends Sec-GPC: 1, we treat it as an explicit Reject all non-essential answer to the consent banner.
Today, since no analytics or marketing tags exist on this site, these signals do not change anything visible. They will become load-bearing the moment any non-essential script is added.
08 Legal bases
The handling described above relies on the following legal grounds:
- Strictly necessary storage — ePrivacy Directive Article 5.3, second sentence: storage that is strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service is exempt from prior consent. This covers
talky_consent_v1(remembering your choice is the service you implicitly requested by interacting with the banner) and Vercel's edge tokens. - Any other storage — GDPR Article 6(1)(a), freely-given, specific, informed and unambiguous consent, expressed via the banner. We do not rely on legitimate interest or contract performance as a basis for analytics or marketing cookies.
09 Changes to this policy
If we change anything material — a new third-party script, a new category of cookies, a new retention period — we update the Last updated date at the top, change the version suffix of the consent key (e.g. talky_consent_v2) so the banner re-appears, and where relevant we describe the change in the changelog of the Talky GitHub repository. For minor editorial fixes (typos, clearer wording) we update silently. The most current version is always at this URL.
10 Contact
For anything related to cookies, storage, the consent banner, exercising your GDPR rights (access, rectification, erasure, restriction, portability, objection) or simply asking a question — write to us. We answer in English or Italian.
Versione italiana disponibile su richiesta.