Cookies and similar technologies
Privacy and data security are treated as paramount. This page describes the cookies and similar technologies used by the VectorPredictor website as implemented today. A formal security audit is planned separately; this document reflects current application behaviour.
Who can see your data in the application?
The service is built so that ordinary users only see their own workspace: locations, metadata, spectra, and related records are loaded using your signed-in account, and the application checks ownership before showing or changing those records. Other registered users cannot open your dashboard or browse your uploads through the normal interface.
We do not use your account to read your research content for advertising, resale, or unrelated analytics. There is no third-party advertising network and no behavioural ad profiling layer in this product.
Staff and administrators: some institutional accounts may have elevated privileges (for example to support the platform or manage users). That access is for legitimate administration under University policy, not for casual browsing of research content. Infrastructure operators (for example hosting or IT staff) may technically be able to access servers where the database resides—for example for backups, security patching, or lawful disclosure—which is standard for any hosted web application. A dedicated security audit will document and tighten those controls where needed.
First-party cookies (essential)
These cookies are set by VectorPredictor itself. They are strictly functional: they keep you signed in securely and protect forms from forgery. They are not used to track you across other websites.
| Name (typical) | Purpose | Duration / notes |
|---|---|---|
| sessionid | Links your browser to a server-side session so you stay authenticated after sign-in. The session store is database-backed; the cookie holds only an opaque session key, not your password or spectra. | Default lifetime is one hour of browser use (see project settings). When the site runs with production security settings, this cookie is marked Secure and HttpOnly so it is only sent over HTTPS and is not readable by page scripts. |
| csrftoken | Protects state-changing requests (forms, log out, uploads) against cross-site request forgery. Required for safe use of the site. | Session-long or persistent depending on Django configuration; in production the project may mark this cookie Secure and HttpOnly. Some pages read this value in JavaScript only where needed for AJAX requests. |
Exact cookie names can be customised in deployment; the defaults above are Django’s usual names.
Browser storage (similar technologies)
In a few places the site uses browser local storage (not a cookie) to improve your experience—for example on the user guide, progress through tutorial steps may be remembered in localStorage on your device only. A slim cookie notice at the bottom of the page stores vp_cookie_notice_ack when you choose OK, so the bar is not shown on every visit. That data stays in your browser; it is not sent to our server as a profile. You can clear it through your browser settings.
Development tools
When the application runs in developer mode with the Django Debug Toolbar enabled, additional cookies or storage may be used by that toolbar on your machine. Those tools are not enabled in typical production deployments.
Django administration
The separate /admin/ interface (staff only) uses Django’s own scripts; it may store UI preferences in localStorage or sessionStorage in your browser. That does not apply to routine use of the main VectorPredictor pages.
Third-party resources and maps
Pages load assets from content delivery networks (for example Bootstrap, jQuery, Font Awesome) and fonts from Google Fonts. Those providers may set or read their own cookies or identifiers according to their policies, independent of VectorPredictor. Map pages load Mapbox JavaScript and styles from Mapbox; Mapbox may use cookies or similar technologies under Mapbox’s privacy policy when you interact with maps or geocoding.
If you need to minimise third-party exposure, institutional deployments can self-host stylesheets and scripts or use stricter Content Security Policy; that is a deployment choice.
Managing cookies
You can delete or block cookies in your browser settings. Blocking essential cookies will prevent sign-in and most interactive features from working. For more on how we use personal data, see our privacy notice.
Website rules are in the terms of use.