What this page covers
This page explains every cookie and similar storage mechanism (localStorage, sessionStorage) that lastzrewards.com may set in your browser, what each one is for, and how to change your choices.
For the broader privacy posture — what data we hold, how long, your rights — see the Privacy Policy.
Cookie categories
We group cookies and storage into four categories. The cookie banner you see on your first visit lets you accept or reject each category independently; the Manage cookies link in the footer re-opens the banner so you can change your mind later.
- Strictly necessary — required for the site to function. Cannot be disabled.
- Functional — enable optional non-essential features that improve usability (currently: Crisp live chat).
- Analytics — let us understand aggregate site usage (currently: Google Analytics 4).
- Marketing — let us show the Ko-fi donate button.
Default state for non-necessary categories is off. We will re-prompt you for consent 6 months after your last decision, matching European Data Protection Board guidance.
Cookie inventory
Strictly necessary — always set
| Name | Set by | Purpose | Expires | HTTP-only |
|---|---|---|---|---|
session |
This site | Holds your signed-in session and any flash messages. Cleared on sign-out. | 31 days | Yes |
csrf_token (in form bodies, not a cookie) |
This site | Protects state-changing form submissions against cross-site request forgery. | Per session | n/a |
cc_cookie |
This site | Remembers which cookie categories you accepted, so we do not re-prompt on every visit. | 6 months | No |
lz_dismissed_alerts |
This site | Records which operator-published page alerts you have dismissed, so we do not re-render them. Pruned server-side as alerts age out. | 1 year | No |
If you have any localStorage entry under lastzrewards.com, the only key we set is lz-theme ("light" or "dark") — used to remember whether you toggled the site into light mode. localStorage is never sent to our servers; it is a pure client-side preference.
Functional — only after consent to "Functional"
| Name | Set by | Purpose | Expires |
|---|---|---|---|
crisp-client/session/... |
Crisp IM SAS | Identifies your live-chat session so the conversation persists across page loads. Multiple cookies under the crisp-client/ prefix. |
6 months |
crisp-client/socket-* |
Crisp | Manages the websocket connection used for real-time chat. | Session |
If you reject the Functional category, the Crisp script is never loaded and these cookies are never set. If you previously accepted and then withdraw consent, you can clear existing Crisp cookies via your browser settings.
Analytics — only after consent to "Analytics"
| Name | Set by | Purpose | Expires |
|---|---|---|---|
_ga |
Google Analytics 4 | Distinguishes unique visitors. | 2 years |
_ga_<measurement-id> |
Google Analytics 4 | Persists session state across pages within the same property. | 2 years |
We use GA4 in Consent Mode v2 with ad_storage, ad_user_data, and ad_personalization set to denied even after you accept analytics; only analytics_storage is granted. We do not run any advertising features or remarketing.
Marketing — only after consent to "Marketing"
The Ko-fi floating donate button is loaded from storage.ko-fi.com. The button itself does not set cookies on our domain; clicking it opens an iframe served from ko-fi.com which, under Ko-fi's own privacy policy, may set cookies on the ko-fi.com domain to track your support journey. See Ko-fi's privacy policy for their full inventory.
If you reject the Marketing category, the Ko-fi script is never loaded and you will not see the floating donate button. You can still support the project by navigating directly to ko-fi.com/lastzrewards in your own browser tab.
Sign-in widget — not consent-gated (strictly necessary)
When you visit /login and start the sign-in flow, our page loads a small JS widget served from phone.email (operated by Nextgen Phonemail Technology Private Limited). The widget itself does not set cookies on lastzrewards.com. During verification you are routed to a phone.email-hosted iframe / popup that may set cookies on the phone.email domain to manage the OTP session — those cookies are governed by phone.email's Privacy Policy and not by us.
We classify sign-in as strictly necessary rather than functional or marketing because without it you cannot sign in or use the rewards features at all. There is no consent gate on the sign-in widget for the same reason there is no consent gate on the session cookie: blocking it makes the service non-functional.
How to change your choices
- Re-prompt for consent now: click Manage cookies in the site footer.
- Block cookies entirely: use your browser's cookie controls (Settings → Privacy). Note that blocking the Strictly necessary cookies will sign you out and break form submissions.
- Clear existing cookies: clear browsing data for
lastzrewards.comin your browser. Clearingcc_cookiewill cause us to re-prompt for consent on your next visit.
Third-party links and embedded content
We do not embed third-party content (videos, images, social-media widgets) other than the phone.email sign-in widget and the Crisp / GA4 / Ko-fi widgets covered above. When you click an outbound link to a Last Z official page, a Discord server, a YouTube channel, or any other site, you are subject to that site's own cookie policy — we have no control over their cookies and you should read their policies.
Changes to this policy
We will note material changes at the top of this page with a new "Last reviewed" date. If we add a new cookie or service to one of the categories above, that change will be reflected here and — for non-strictly-necessary categories — we will re-prompt for consent.
Contact
Questions about cookies, the consent banner, or anything else on this page: /contact.
This cookie policy was last reviewed on 2026-05-22 and represents a starting point pending review by legal counsel. Material changes will be notified via the site footer and email where applicable.