ScentLayer
Transparency

How We Source Our Data

Last updated: 14 May 2026  ·  Written for humans, not lawyers.

01

Our Fragrance Catalogue

ScentLayer's current catalogue contains 50 fragrance accords (oud, floral, woody, amber, etc.), 160 individual notes, and 300 perfumes. All of this data was assembled editorially by the ScentLayer team and is stored directly in the application's code — there is no external database call for catalogue data in the current version.

Accord and perfume classifications reflect our editorial judgement and are meant to be useful starting points for exploration, not authoritative taxonomies. Fragrance is subjective; a perfume we call "woody" may read entirely different on your skin.

Phase 2 note: The catalogue will migrate to a Supabase-backed /api/perfumes endpoint and will grow via affiliate retailer data feeds. The featured perfume cards on the landing page are already structured for this transition — the inline data array is tagged // TODO(phase-2): replace with /api/perfumes?featured=true.

02

Fragrance Photos

Accord and note thumbnails are fetched on-demand from Wikipedia's public REST API (en.wikipedia.org/api/rest_v1/page/summary/). We don't host or proxy these images — your browser fetches them directly from Wikimedia's servers.

Each image is then cached in your browser's localStorage under a key starting with sl_img_ (for example, sl_img_rose), so we don't re-fetch the same image on every visit. If an image is unavailable or the request fails, we store the value 'NONE' for that key — this tells the app not to try again, rather than hitting Wikipedia repeatedly.

Hero image: The Scent DNA page loads a hero photo from images/hero.png if present, falling back through .jpg, .jpeg, and .webp, and finally a Wikimedia Commons photo if none of the local files are found.

Third-party note: Opening the Scent DNA page may cause your browser to send requests to en.wikipedia.org for any accord or note thumbnail not already in your local cache. Wikimedia's privacy policy governs those requests. Wikipedia images are served under various licenses (commonly Creative Commons); we don't redistribute or re-host them.

03

What We Store on Your Device

Everything ScentLayer stores today lives in your browser's localStorage. Nothing is sent to our servers in the current version. You can view, edit, or delete this data at any time via your browser's developer tools (usually: DevTools → Application → Local Storage → select the page origin → clear).

Key | What it contains | When it's written
sl_user | Your display name, email address, and a derived password hash plus its unique salt. Your original password is never stored. | Account sign-up and sign-in
sl_dna | A snapshot of your last Scent DNA result: archetype name, icon, tagline, and which discovery path you took. | After completing the DNA quiz
sl_wardrobe | An array of perfume IDs you've saved to your wardrobe. | When you add or remove a perfume
sl_img_* | Cached Wikipedia thumbnail URLs for individual accord and note IDs (e.g. sl_img_rose, sl_img_oud). Stored as a URL string, or 'NONE' for failed lookups. | First time a thumbnail is displayed
sl_rate | Recent failed sign-in attempts per email address, used to enforce the login rate limit. Contains a count and timestamps — no passwords. | Each failed sign-in attempt

No data from any of these keys is transmitted off your device in the current version of ScentLayer.

04

How Your Account Works

When you create an account, your password goes through PBKDF2-SHA-256 — a standard password-hardening function built into modern browsers. We use a unique random value (a "salt") generated separately for every account, and run the derivation 150,000 times. This makes offline guessing attacks slow and expensive even if someone were to access your device's storage. Your original password is discarded immediately; only the derived hash and salt are kept (in sl_user).
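
The derivation described above, as an added example (not ScentLayer's own code): PBKDF2-SHA-256 through the Web Crypto API with a fresh salt per account and 150,000 iterations, plus a verification step that compares all bytes. The record field names, the 16-byte salt and the 256-bit output length are assumptions; the page does not state them.

```javascript
// Added example. Helper and field names are hypothetical, not ScentLayer's code.
const ITERATIONS = 150000; // iteration count stated on this page
const enc = new TextEncoder();
const toHex = (bytes) =>
  Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
const fromHex = (hex) =>
  Uint8Array.from(hex.match(/../g), (h) => parseInt(h, 16));

async function getCrypto() {
  // Browsers expose globalThis.crypto; older Node versions need the webcrypto export.
  return globalThis.crypto ?? (await import('node:crypto')).webcrypto;
}

async function derive(password, salt, iterations) {
  const { subtle } = await getCrypto();
  const key = await subtle.importKey(
    'raw', enc.encode(password), 'PBKDF2', false, ['deriveBits']);
  const bits = await subtle.deriveBits(
    { name: 'PBKDF2', hash: 'SHA-256', salt, iterations }, key, 256);
  return new Uint8Array(bits);
}

async function createRecord(password) {
  const c = await getCrypto();
  const salt = c.getRandomValues(new Uint8Array(16)); // assumed length, new per account
  const hash = await derive(password, salt, ITERATIONS);
  // Only salt, hash and parameters are kept; the password itself is not stored.
  return { salt: toHex(salt), hash: toHex(hash), iterations: ITERATIONS };
}

async function verifyPassword(password, record) {
  const expected = fromHex(record.hash);
  const actual = await derive(password, fromHex(record.salt), record.iterations);
  // Accumulate differences over every byte so timing does not reveal
  // the position of the first mismatch.
  let diff = expected.length ^ actual.length;
  for (let i = 0; i < expected.length; i++) diff |= expected[i] ^ (actual[i] ?? 0);
  return diff === 0;
}
```

Storing the iteration count in the record lets the count be raised later without invalidating existing accounts.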

  • Login protection. After 5 failed attempts in any 15-minute window, sign-in is blocked for 15 minutes for that email address. This limit is tracked locally in sl_rate.
  • Auto-logout. If you're signed in and there's no mouse movement, keyboard input, scrolling, or touch activity for 20 minutes, you'll be automatically signed out and shown a prompt to sign back in.
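
The login limit described above, as an added example (not ScentLayer's own code): a sliding 15-minute window of failures per email address that turns into a 15-minute block at the fifth failure. The JSON layout under sl_rate, the email normalisation and the in-memory stand-in for localStorage are assumptions.

```javascript
// Added example. The sl_rate layout and function names are hypothetical.
const MAX_FAILS = 5;
const WINDOW_MS = 15 * 60 * 1000; // failures older than this no longer count
const LOCK_MS = 15 * 60 * 1000;   // block duration after the limit is hit

// Constructed stand-in for window.localStorage so the example runs offline.
function memoryStore() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => m.set(k, String(v)),
  };
}

function loadRate(store) {
  // Missing or corrupted JSON is treated as "no recorded failures".
  try { return JSON.parse(store.getItem('sl_rate')) || {}; } catch { return {}; }
}

const normalise = (email) => email.trim().toLowerCase();

function recordFailure(store, email, now = Date.now()) {
  const all = loadRate(store);
  const key = normalise(email);
  const entry = all[key] || { fails: [], lockedUntil: 0 };
  // Keep only failures inside the sliding window, then add this one.
  entry.fails = entry.fails.filter((t) => now - t < WINDOW_MS);
  entry.fails.push(now);
  if (entry.fails.length >= MAX_FAILS) {
    entry.lockedUntil = now + LOCK_MS;
    entry.fails = []; // counting starts again once the block expires
  }
  all[key] = entry;
  store.setItem('sl_rate', JSON.stringify(all));
  return entry;
}

function isBlocked(store, email, now = Date.now()) {
  const entry = loadRate(store)[normalise(email)];
  return Boolean(entry) && now < entry.lockedUntil;
}
```

In the browser, pass window.localStorage as the store and call isBlocked before running the password derivation.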

Prototype notice: This is an early-stage prototype. Your credentials are stored in your browser's localStorage, which is accessible to any JavaScript running on the same page origin. While the password itself is never stored, the hash and salt are. We recommend using a password you don't use on other services. A proper server-side authentication system (Supabase) will replace the current approach in Phase 2.

05

What We Deliberately Don't Do Today

  • No servers. All computation and storage runs in your browser. We don't have application servers processing your requests in the current version.
  • No email sending. Creating an account shows a confirmation message in the UI, but no real email is dispatched — the EmailJS integration is scaffolded but the keys are placeholders.
  • No analytics or tracking. There are no Google Analytics, Mixpanel, Facebook Pixel, Hotjar, or similar scripts on any ScentLayer page.
  • No data selling. There is no data to sell — everything is on your device, not ours.
  • No cookies. We use localStorage, not HTTP cookies. No cookie banner is shown because none are set.
  • No affiliate tracking yet. Perfume retailer links on the site currently point to # placeholders. When affiliate links are added in Phase 2, we will update this page to disclose which retailers we work with and how commissions work.

06

Questions?

If you have questions about how ScentLayer handles data, or if you'd like us to delete anything stored about you, email us at contact@thescentlayer.com. We'll respond within a few days.

This page will be updated as ScentLayer moves from prototype to production. The "Last updated" date at the top of the page reflects the most recent revision.