Privacy-First

Cookie & Storage Policy

Complete transparency. We use only essential cookies for authentication and security, plus local browser storage for your preferences and encrypted data. No tracking, no analytics, no advertising.

Our Commitment to Privacy

WIGGWIGG is built on zero-knowledge architecture. We use minimal cookies and browser storage: only what's strictly necessary for security and functionality. Your data stays on your device whenever possible.

Cookies We Use

We use only 3 essential cookies. All are HttpOnly (JavaScript cannot access them) and Secure (HTTPS only) for maximum security.

Session Authentication Token

wiggwigg_session_token
Purpose: Keeps you logged in to your WIGGWIGG account
Duration: 7 days (sliding window - extends on activity)
Type: HttpOnly, Secure, SameSite=Strict
Security: Cannot be accessed by JavaScript (XSS protection)
Optional: No - Required for authentication

Refresh Token

wiggwigg_refresh_token
Purpose: Allows automatic session renewal without re-login
Duration: 30 days (sliding window)
Type: HttpOnly, Secure, SameSite=Strict
Security: Cannot be accessed by JavaScript (XSS protection)
Optional: No - Required for session management

New Tab Authentication Mode

wiggwigg_new_tab_auth_mode
Purpose: Stores your preference for seamless cross-tab access (only if enabled)
Duration: 30 days
Type: Secure, SameSite=Strict
Security: Contains no sensitive data, only user preference flag
Optional: Yes - Only set if you enable seamless cross-tab access in settings

What We Don't Use

Analytics cookies (e.g., Google Analytics)

Advertising or marketing cookies

Social media tracking pixels

Third-party tracking cookies

Behavioral tracking of any kind

Performance monitoring cookies

A/B testing cookies
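
A check of the declarations above against what a server actually sends, as an added example that is not WIGGWIGG's own code. The function names and the sample `Set-Cookie` headers are constructed for illustration; the cookie names, attributes and durations are the ones this policy lists.

```javascript
// Added example (not WIGGWIGG code): audit Set-Cookie headers against this policy.
// DECLARED is transcribed from the per-cookie "Type" and "Duration" lines above;
// the Type line for wiggwigg_new_tab_auth_mode lists no HttpOnly, so none is required.
const DAY = 86400;
const DECLARED = new Map([
  ["wiggwigg_session_token", { httpOnly: true, maxAge: 7 * DAY }],
  ["wiggwigg_refresh_token", { httpOnly: true, maxAge: 30 * DAY }],
  ["wiggwigg_new_tab_auth_mode", { httpOnly: false, maxAge: 30 * DAY }],
]);

// Parse one Set-Cookie value into its name and the attributes checked here.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const c = { name: pair.split("=")[0], httpOnly: false, secure: false, sameSite: "", maxAge: null };
  for (const attr of attrs) {
    const [key, val = ""] = attr.split("=");
    const k = key.trim().toLowerCase();
    if (k === "httponly") c.httpOnly = true;
    else if (k === "secure") c.secure = true;
    else if (k === "samesite") c.sameSite = val.trim().toLowerCase();
    else if (k === "max-age" && /^\d+$/.test(val.trim())) c.maxAge = Number(val);
  }
  return c;
}

// Return findings; an empty array means every header matches the policy.
// Only Max-Age is compared with the declared duration; Expires is not evaluated.
function auditCookies(headers) {
  const findings = [];
  for (const c of headers.map(parseSetCookie)) {
    const want = DECLARED.get(c.name);
    if (!want) { findings.push(`${c.name}: not declared in the policy`); continue; }
    if (want.httpOnly && !c.httpOnly) findings.push(`${c.name}: missing HttpOnly`);
    if (!c.secure) findings.push(`${c.name}: missing Secure`);
    if (c.sameSite !== "strict") findings.push(`${c.name}: SameSite is not Strict`);
    if (c.maxAge !== null && c.maxAge > want.maxAge) findings.push(`${c.name}: Max-Age exceeds declared duration`);
  }
  return findings;
}

// Constructed sample headers, not captured from the real service.
const SAMPLE_HEADERS = [
  "wiggwigg_session_token=abc; Path=/; HttpOnly; Secure; SameSite=Strict; Max-Age=604800",
  "wiggwigg_refresh_token=def; Path=/; Secure; SameSite=Lax; Max-Age=2592000",
  "_ga=GA1.2.1; Path=/; Max-Age=63072000",
];
console.log(auditCookies(SAMPLE_HEADERS));
```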

Session Storage (Cleared When Tab Closes)

Session storage holds temporary data for your current browser tab. Everything is automatically deleted when you close the tab, with no persistence across sessions.

Session Management

Session Token Expiry Time

wiggwigg_token_expiry
Purpose: Stores when your session token expires (for UX only; the actual token is in an HttpOnly cookie)
Contains: ISO timestamp string
Security: Non-sensitive metadata

Refresh Token Expiry Time

wiggwigg_refresh_expiry
Purpose: Stores when your refresh token expires (for UX only)
Contains: ISO timestamp string
Security: Non-sensitive metadata

User ID

wiggwigg_user_id
Purpose: Stores your user ID for API requests
Contains: Your unique user identifier
Security: Non-sensitive identifier

Account ID (Username)

wiggwigg_account_id
Purpose: Stores your username for anti-phishing display
Contains: Your WIGGWIGG username
Security: Used for security feature (anti-phishing)

Encrypted Master Key Storage

These keys enable password-less session restoration on page refresh (within the same tab only). All data is encrypted with a random session key.

Session Encryption Key

wiggwigg_session_key
Purpose: Random key used to encrypt your master key in sessionStorage
Contains: 256-bit AES-GCM key
Security: Generated per browser tab, cleared on tab close

Encrypted Master Key

wiggwigg_session_encrypted_mk
Purpose: Your encrypted master key (encrypted with session key)
Contains: AES-GCM encrypted master key
Security: Cannot be decrypted without session key

Session Encryption Nonce

wiggwigg_session_nonce
Purpose: Random nonce for master key encryption
Contains: 12-byte random nonce
Security: Public value, safe to store

Session Authentication Tag

wiggwigg_session_tag
Purpose: Authentication tag for encrypted master key
Contains: 16-byte authentication tag
Security: Ensures ciphertext hasn't been tampered with

Encryption Salt

wiggwigg_encryption_salt
Purpose: Salt used for password verification during session unlock
Contains: Cryptographic salt (random bytes)
Security: Public value, safe to store

Password Verification Signature

wiggwigg_password_verification_sig
Purpose: HMAC signature to verify password correctness during unlock (without storing password)
Contains: HMAC-SHA256 signature
Security: Cannot be reversed to get password

User Preferences Cache

User Preferences Cache

wiggwigg_preferences_cache
Purpose: Caches ALL your preferences for instant access before decryption
Contains: Theme, locale, onboarding status, audio preferences, etc.
Security: Non-sensitive user preferences

Anti-Phishing Display Cache

wiggwigg_anti_phishing_cache
Purpose: Caches anti-phishing display settings for instant display on login
Contains: Display flags (show phrase, colors, avatar, audio)
Security: Non-sensitive display preferences

Phone Number Provisioning

Temporary data during phone number checkout. Expired reservations are automatically cleaned up on app load.

Phone Number Reservation

wiggwigg_phone_reservation
Purpose: Reserves a phone number during checkout (prevents others from claiming it while you complete payment)
Contains: Reserved phone number, expiry time, plan details
Security: Temporary checkout data (15-min expiry). Expired reservations are automatically deleted on app load.

Account Recovery

Pending Account Recovery ID

pending_recovery_id
Purpose: Temporary storage during account recovery flow
Contains: Recovery request ID
Security: Temporary recovery flow data

Recovery Expiry Time

pending_recovery_expires
Purpose: When the recovery request expires
Contains: ISO timestamp
Security: Non-sensitive expiry metadata

Recovery Account Username

recovery_account_id
Purpose: Username being recovered (during recovery flow)
Contains: Account username
Security: Temporary recovery flow data

Rate Limiting & Security

Session Key Restore Attempts

wiggwigg_session_key_attempts
Purpose: Tracks failed attempts to restore session key (rate limiting)
Contains: Number of failed attempts
Security: Security rate limiting counter

Session Key Lockout Time

wiggwigg_session_key_lockout
Purpose: When rate limit lockout expires (after 5 failed attempts)
Contains: Timestamp when lockout ends
Security: Security rate limiting enforcement

Session storage is isolated per tab and automatically cleared when you close your browser tab, which makes it more secure than localStorage for sensitive session data.

Local Storage (Persists Across Sessions)

Local storage persists data across browser sessions. We use it only for user preferences and optional encrypted session recovery (if you enable it).

Security Settings & Preferences

wiggwigg_security_settings
Purpose: Stores your security preferences (session persistence mode, auto-lock timeout, quick unlock settings)
Duration: Until manually cleared
Contains: User preferences (no sensitive data)
Clear: Yes - Settings → Security → Reset to Defaults

Encrypted Persisted Session

wiggwigg_persisted_session
Purpose: Stores your encrypted master key for cross-browser/cross-tab session recovery (ONLY if you enable 'Remember me')
Duration: Based on your max session age setting (1-30 days)
Contains: Encrypted master key, cryptographic nonce, authentication tag, salt
Security: Encrypted with your password or biometric. Cannot be decrypted without your password.
Optional: Yes - Disable 'Remember me' in login settings

Session Version Number

wiggwigg_session_version
Purpose: Version counter that invalidates all persisted sessions when incremented (security feature)
Duration: Until manually cleared
Contains: Integer version number
Security: Public counter, non-sensitive

Shared Account ID

wiggwigg_account_id_shared
Purpose: Stores username for cross-tab anti-phishing display (ONLY if you enable cross-tab access)
Duration: Until manually cleared
Contains: Your WIGGWIGG username
Optional: Yes - Disable cross-tab access in security settings

Recent Search History

wiggwigg_recent_searches
Purpose: Stores your recent searches for quick access (local only, never sent to server)
Duration: 30 days (auto-expires old searches). Automatically cleared when you log out.
Contains: Search queries, timestamps, search type
Security: Zero-knowledge: stored only on your device. Automatically removed on logout to protect privacy.
Clear: Yes - Automatically cleared when you log out, or manually clear in app settings

Phone Search Preferences

wiggwigg_phone_search_prefs
Purpose: Stores your phone number search filters and sorting preferences
Duration: Until manually cleared
Contains: Search filters, sort order
Clear: Yes - Reset filters in phone number search

How to clear all local storage:

Browser Settings → Privacy → Clear Site Data → Cookies and Site Data

Local storage is isolated per domain. WIGGWIGG cannot access data from other websites, and other websites cannot access WIGGWIGG data.

Zero-Knowledge Architecture

Your master encryption key is NEVER stored unencrypted. Here's how it works:

Master key derived from your password on login (client-side only)

Stored in memory only during active session

Optionally encrypted and stored in sessionStorage for same-tab refresh (no password required)

Optionally encrypted and stored in localStorage for cross-tab access (requires password unlock)

Can only be decrypted with your password or biometric authentication

WIGGWIGG servers never see your master key

All identity data encrypted client-side before sending to server

Even if an attacker gains access to your browser storage, they cannot decrypt your master key without your password.

Your Privacy Controls

You have full control over what's stored:

Session Persistence

Enable/disable 'Remember me' functionality

Settings → Security → Session Persistence

Cross-Tab Access

Enable/disable seamless access across browser tabs

Settings → Security → New Tab Authentication

Auto-Lock Timeout

Configure how long before your session locks automatically

Settings → Security → Auto-Lock Timeout

Clear All Data

Clear all cookies, session storage, and local storage

Browser Settings → Privacy → Clear Site Data


Last Updated: January 6, 2026