Cookie Policy

2.1 Definition

A cookie is a small text file deposited and stored on your device (computer, smartphone, tablet) when visiting a website.

Cookies allow to:

• Recognise your device during subsequent visits
• Remember your preferences and settings
• Analyse Platform usage
• Improve your user experience

2.2 Similar Technologies

In addition to cookies, we also use other similar technologies:

• Invisible pixels (web beacons): small images integrated into web pages or emails allowing to measure their consultation
• Local storage: HTML5 storage technologies (localStorage, sessionStorage)

For simplicity, the term "cookie" in this policy encompasses all of these technologies.

3.1 Strictly Necessary Cookies (Essential)

Purpose:These cookies are essential for the Platform's functioning and the provision of services you request. They cannot be disabled.

Examples of use:

• Authentication and maintaining your login session
• Login via Google OAuth (if you choose this method)
• Login via Facebook Login (if you choose this method)
• Login by email and password
• Security and fraud prevention
• Server load balancing
• Respecting your cookie choices

Legal basis: Legitimate interest (art. 6.1.f GDPR) – these cookies are exempt from prior consent in accordance with European Data Protection Board (EDPB) guidelines.

Retention period: Session (deleted at browser closure) to 12 months maximum.

Cookie examples:

• connect.sid: Express.js session cookie (login maintenance)
• spixes_session: user session identifier
• spixes_auth_token: secure authentication token
• spixes_csrf: CSRF attack protection
• spixes_cookie_consent: memorization of your cookie choices
• spixes_oauth_state: OAuth authentication security (Google, Facebook)

3.2 Functionality Cookies (Preferences)

Purpose: These cookies allow to improve your experience by remembering your preferences and choices.

Examples of use:

• Memorization of your preferred language
• Memorization of your currency (EUR, USD, etc.)
• Memorization of your display preferences (dark/light mode)
• Memorization of your geographic location (if authorized)
• Recall of your search filter choices

Legal basis: Consent (art. 6.1.a GDPR) – you can accept or refuse these cookies.

Retention period: 6 to 13 months.

Cookie examples:

• spixes_lang: interface language
• spixes_currency: preferred currency
• spixes_theme: display mode (light/dark)
• spixes_location: location (if consented)

3.3 Performance and Analytics Cookies (Statistics)

Purpose:These cookies allow us to measure the Platform's audience, analyze its usage and identify technical problems.

Examples of use:

• Number of visitors and page views
• Visit duration and bounce rate
• Most consulted pages
• Navigation path
• Technical error identification
• Platform performance analysis

Legal basis: Consent (art. 6.1.a GDPR), unless data is anonymized and used only for internal statistical purposes (possible exemption).

Retention period: 13 months maximum for cookies, 26 months for collected data.

Tools used:

• Google Analytics (with IP anonymization enabled)
• Privacy-friendly alternative (Matomo, Plausible) if applicable

Cookie examples:

• _ga: Google Analytics – User identifier
• _gid: Google Analytics – Session identifier
• _gat: Google Analytics – Request throttling

3.4 Social Network Cookies (Login and Sharing)

Purpose: These cookies are used to enable login via third-party services (Facebook, Google) and to share content on social networks.

A. OAuth Login (essential):

• Authentication via Google ("Sign in with Google" button)
• Authentication via Facebook ("Sign in with Facebook" button)
• Session maintenance after OAuth login

B. Social sharing (optional):

• Share buttons on Facebook and Instagram

Legal basis:

• OAuth Login (Google, Facebook): Legitimate interest / Contract performance (art. 6.1.b and 6.1.f GDPR) – essential cookies for the authentication service you have chosen
• Sharing and integration: Consent (art. 6.1.a GDPR) – you can accept or refuse

Retention period:

• OAuth cookies: Session to 30 days (depending on chosen login method)
• Sharing cookies: Variable by social network (generally 13 months)

Warning: These cookies are managed by the social networks themselves. We invite you to consult their respective privacy policies.

4.1 Our Partners' Cookies

We work with service providers who place their own cookies:

Secure payment:

• Stripe: Credit card payment processing

Authentication:

• Google OAuth: Login via Google account (if you choose this method)
• Facebook Login: Login via Facebook account (if you choose this method)

Analysis and performance:

• Google Analytics: Audience measurement (with IP anonymization enabled)
• Google reCAPTCHA: Anti-spam and anti-bot protection

Communication:

• SMTP service: Sending transactional emails (registration confirmation, notifications, password reset)

Important note: Transactional emails are sent via an SMTP service that does not use tracking cookies on your browser. Your personal data is only used to send system emails necessary for your account functioning.

4.2 Responsibility

These third-party cookies are governed by their respective publishers' privacy policies.

Spixes does not control these cookies and cannot be held responsible for their use.

We recommend consulting these third parties' privacy policies:

• Google: https://policies.google.com/privacy
• Facebook: https://www.facebook.com/privacy/explanation
• Stripe: https://stripe.com/privacy

6.1 Applicable Guarantees

When transfers occur to third countries, we ensure that appropriate guarantees are in place:

• European Commission adequacy decision (if available)
• Standard Contractual Clauses (SCC) approved by the European Commission
• Binding Corporate Rules (BCR)
• The EU–US Data Privacy Framework (DPF), adopted in July 2023, for certified US sub-processors

6.2 Risks

Transfers to third countries may present risks for your data protection, including:

• Less protective local legislation (e.g., Cloud Act in the United States)
• Access by public authorities without guarantees equivalent to those of the EU

6.3 Informed Consent

By accepting analytics cookies and using login services via Facebook or Google, you explicitly consent to these data transfers.

You may withdraw your consent at any time for optional cookies (see Article 7).

Note: OAuth login cookies (Google, Facebook) are necessary for the functioning of the authentication service you have chosen to use.

7.1 Cookie Management Banner (Consent Management Platform)

Upon your first visit to the Platform, a cookie management banner is displayed.

You can:

• Accept all cookies:by clicking "Accept all"
• Refuse all non-essential cookies:by clicking "Refuse all"
• Customize your choices:by clicking "Manage my preferences", you can enable/disable each cookie category

7.2 Your Account Settings

If you have an account, you can modify your preferences at any time from the "Privacy Settings" > "Cookie Management" space.

7.3 Your Browser Settings

You can configure your browser to refuse cookies or be alerted when they are placed.

Instructions by browser:

• Google Chrome:Menu > Settings > Privacy and security > Cookies and other site data
• Mozilla Firefox:Menu > Options > Privacy & Security > Cookies and site data
• Safari:Preferences > Privacy > Manage Website Data
• Microsoft Edge:Settings > Privacy, search, and services > Cookies and site permissions

Warning: Refusing all cookies may limit your user experience and prevent access to certain Platform features, particularly login via Facebook or Google.

8.1 Nature of Collected Data

Cookies may collect different categories of data:

Technical data:

• IP address (anonymized or complete depending on cookie)
• Browser type and version
• Operating system
• Screen resolution
• Visited pages, clicks, visit duration

Behavioral data:

• Browsing history
• Inferred interests
• Content interactions

Identification data:

• Unique cookie identifier
• User identifier (if logged in)
• Public profile information (name, email, profile photo) if login via Facebook or Google

8.2 GDPR Compliance

Personal data processing via cookies is governed by:

• GDPR (EU Regulation 2016/679)
• ePrivacy Directive (2002/58/EC as amended)
• Estonian legislation on data protection

8.3 User Rights

You have rights of access, rectification, erasure, restriction, portability and objection regarding data collected via cookies.

To exercise your rights: contact@wearespixes.com

8.4 Reference to Privacy Policy

For more information on personal data processing, consult our Privacy Policy.

10.1 Security Measures

Spixes implements technical and organizational measures to secure cookies:

• HTTPS encryption: all communications are encrypted (TLS 1.3)
• Secure cookies: Secure, HttpOnly, SameSite attributes configured
• Automatic expiration: cookies expire after defined duration
• Data minimization: only necessary data is collected

10.2 Third-Party Cookies

Cookies placed by third parties are subject to their publishers' security policies.

We select trusted partners certified and GDPR-compliant.

11.1 Notification

Any substantial modification will be notified by:

• Update of the "Last update" date at the top of this document
• Notification on the Platform (pop-up, banner)
• Email (for registered users, if major modification)

11.2 New Consent

If modifications concern new purposes or extend the scope of cookie use, new consent may be required.

12.1 Questions and Requests

For any question regarding cookie use or to exercise your rights:

• Email: contact@wearespixes.com
• Mail: Spixes OÜ – DPO Service, Harju maakond, Tallinn, Kesklinna linnaosa, Tornimäe tn 5, 10145 Tallinn, Estonia

12.2 Data Protection Officer (DPO)

Nicolas Michaud – Email: contact@wearespixes.com

12.3 Complaint to Supervisory Authority

If you believe your rights are not being respected, you may lodge a complaint with the competent supervisory authority:

Estonia

Data Protection Inspectorate (Andmekaitse Inspektsioon)

Address: Tatari 39, 10134 Tallinn, Estonia
Phone: +372 627 4135
Email: info@aki.ee
Website: https://www.aki.ee

France

CNIL (Commission Nationale de l'Informatique et des Libertés)

Address: 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07
Phone: +33 1 53 73 22 22
Website: https://www.cnil.fr

If you reside in another EU Member State, you may also contact the supervisory authority of your country of residence.

Official guides

• EDPB (European Data Protection Board): https://edpb.europa.eu
• ICO (UK): https://ico.org.uk/for-organisations/guide-to-pecr/cookies-and-similar-technologies/
• European Commission: https://ec.europa.eu/info/law/law-topic/data-protection_en

Cookie management tools

• Your Online Choices: http://www.youronlinechoices.com/
• All About Cookies: https://www.allaboutcookies.org/

Strictly Necessary Cookies

• connect.sid – Express.js session cookie – Session – First-party
• spixes_session – User session identifier – Session – First-party
• spixes_auth_token – Secure authentication – 30 days – First-party
• spixes_csrf – CSRF attack protection – Session – First-party
• spixes_cookie_consent – Cookie choice memorization – 13 months – First-party
• spixes_oauth_state – OAuth security (Google, Facebook) – Session – First-party

Functionality Cookies

• spixes_lang – Interface language – 12 months – First-party
• spixes_currency – Preferred currency – 12 months – First-party
• spixes_theme – Display mode (light/dark) – 12 months – First-party
• spixes_location – Approximate location – 6 months – First-party

Performance Cookies (Analytics)

• _ga – Google Analytics – User identifier – 2 years – Third-party (Google)
• _gid – Google Analytics – Session identifier – 24 hours – Third-party (Google)
• _gat – Google Analytics – Request throttling – 1 minute – Third-party (Google)

OAuth Authentication Cookies (essential if used)

• Google OAuth – Authentication via Google account – Session to 30 days – Third-party (Google)
• Facebook Login – Authentication via Facebook account – Session to 30 days – Third-party (Meta)

Important note: These cookies are placed only if you choose to log in via Google or Facebook. They are necessary for the functioning of the authentication service you explicitly requested by clicking the corresponding login button.

OAuth cookies allow to:

• Maintain your login between sessions
• Retrieve your public profile information (name, email, photo)
• Ensure authentication security

Social Network Cookies (optional, require consent)

• Facebook/Instagram share buttons – Content sharing on social networks – Variable – Third-party (Meta)

Note: These social sharing cookies are distinct from OAuth login cookies. They require your prior consent and can be disabled via the cookie management banner.