Cookie Policy

Version 3.2 Effective date: January 2026

In accordance with Directive 2002/58/EC (ePrivacy) as amended by Directive 2009/136/EC and Regulation (EU) 2016/679 (GDPR)

Article 1 – Preamble

This Cookie Policy aims to inform you about the use of cookies and similar technologies on the Spixes platform (website and mobile application), published by Spixes OÜ.

This policy complements our Privacy Policy and is an integral part of our Terms of Use (ToU).

By using the Platform, you accept the use of cookies in accordance with this policy.

Article 2 – What is a Cookie?

2.1 Definition

A cookie is a small text file deposited and stored on your device (computer, smartphone, tablet) when visiting a website or using a mobile application.

Cookies allow to:

  • Recognize your device during your subsequent visits
  • Remember your preferences and settings
  • Analyze Platform usage
  • Improve your user experience
  • Display personalized content or targeted advertising

2.2 Similar Technologies

In addition to cookies, we also use other similar technologies:

  • Invisible pixels (web beacons): small images integrated into web pages or emails allowing to measure their consultation
  • Local storage: HTML5 storage technologies (localStorage, sessionStorage)
  • Mobile SDKs: software development kits integrated into the mobile application
  • Advertising identifiers: identifiers provided by mobile operating systems (IDFA for iOS, GAID for Android)

For simplicity, the term "cookie" in this policy encompasses all of these technologies.

Article 3 – Types of Cookies Used

We use different categories of cookies depending on their purpose:

3.1 Strictly Necessary Cookies (Essential)

Purpose: These cookies are essential for the Platform's functioning and the provision of services you request. They cannot be disabled.

Examples of use:

  • Authentication and maintaining your login session
  • Login via Google OAuth (if you choose this method)
  • Login via Facebook Login (if you choose this method)
  • Login by email and password
  • Security and fraud prevention
  • Server load balancing
  • Respecting your cookie choices

Legal basis: Legitimate interest (art. 6.1.f GDPR) – these cookies are exempt from prior consent in accordance with CNIL and European Data Protection Board (EDPB) guidelines.

Retention period: Session (deleted at browser closure) to 12 months maximum.

Cookie examples:

  • connect.sid: Express.js session cookie (login maintenance)
  • spixes_session: user session identifier
  • spixes_auth_token: secure authentication token
  • spixes_csrf: CSRF attack protection
  • spixes_cookie_consent: memorization of your cookie choices
  • spixes_oauth_state: OAuth authentication security (Google, Facebook)

3.2 Functionality Cookies (Preferences)

Purpose: These cookies allow to improve your experience by remembering your preferences and choices.

Examples of use:

  • Memorization of your preferred language
  • Memorization of your currency (EUR, USD, etc.)
  • Memorization of your display preferences (dark/light mode)
  • Memorization of your geographic location (if authorized)
  • Recall of your search filter choices

Legal basis: Consent (art. 6.1.a GDPR) – you can accept or refuse these cookies.

Retention period: 6 to 13 months.

Cookie examples:

  • spixes_lang: interface language
  • spixes_currency: preferred currency
  • spixes_theme: display mode (light/dark)
  • spixes_location: location (if consented)

3.3 Performance and Analytics Cookies (Statistics)

Purpose: These cookies allow us to measure the Platform's audience, analyze its usage and identify technical problems.

Examples of use:

  • Number of visitors and page views
  • Visit duration and bounce rate
  • Most consulted pages
  • Navigation path
  • Technical error identification
  • Platform performance analysis

Legal basis: Consent (art. 6.1.a GDPR), unless data is anonymized and used only for internal statistical purposes (possible exemption).

Retention period: 13 months maximum for cookies, 26 months for collected data.

Tools used:

  • Google Analytics (with IP anonymization enabled)
  • Privacy-friendly alternative (Matomo, Plausible) if applicable

Cookie examples:

  • _ga: Google Analytics – User identifier
  • _gid: Google Analytics – Session identifier
  • _gat: Google Analytics – Request throttling

3.4 Social Network Cookies (Login and Sharing)

Purpose: These cookies are used to enable login via third-party services (Facebook, Google) and to share content on social networks.

Examples of use:

A. OAuth Login (essential):

  • Authentication via Google ("Sign in with Google" button)
  • Authentication via Facebook ("Sign in with Facebook" button)
  • Session maintenance after OAuth login

B. Sharing and integration (optional):

  • Share buttons on Facebook, Instagram, Twitter
  • Display of embedded content (YouTube videos, Instagram feeds - if applicable)
  • Social engagement measurement

Legal basis:

  • OAuth Login (Google, Facebook): Legitimate interest / Contract performance (art. 6.1.b and 6.1.f GDPR) – essential cookies for the authentication service you have chosen
  • Sharing and integration: Consent (art. 6.1.a GDPR) – you can accept or refuse

Retention period:

  • OAuth cookies: Session to 30 days (depending on chosen login method)
  • Sharing cookies: Variable by social network (generally 13 months)
⚠️ Warning: These cookies are managed by the social networks themselves. We invite you to consult their respective privacy policies.

Article 4 – Cookies Placed by Third Parties

Certain cookies are placed by third parties (partners, service providers) when you use the Platform.

4.1 Our Partners' Cookies

We work with service providers who place their own cookies:

Secure payment:

  • Stripe: Credit card payment processing

Authentication:

  • Google OAuth: Login via Google account (if you choose this method)
  • Facebook Login: Login via Facebook account (if you choose this method)

Analysis and performance:

  • Google Analytics: Audience measurement (with IP anonymization enabled)
  • Google reCAPTCHA: Anti-spam and anti-bot protection

Communication:

  • SMTP service: Sending transactional emails (registration confirmation, notifications, password reset)
Important note: Transactional emails are sent via an SMTP service that does not use tracking cookies on your browser. Your personal data is only used to send system emails necessary for your account functioning.

4.2 Responsibility

These third-party cookies are governed by their respective publishers' privacy policies.

Spixes does not control these cookies and cannot be held responsible for their use.

We recommend consulting these third parties' privacy policies:

Article 5 – Cookie Retention Period

Cookie retention period varies by category and purpose:

Cookie category Maximum duration
Strictly necessary cookies Session to 12 months
Functionality cookies 6 to 13 months
Performance cookies 13 months (cookies) / 26 months (data)
Social network cookies Variable (13 months generally)

In accordance with CNIL recommendations, consent validity period is 13 months maximum. Beyond this, new consent will be required.

Article 6 – Data Transfers Outside EU/EEA

Certain cookies, particularly analytics and OAuth authentication cookies, may result in personal data transfers to countries outside the European Union / European Economic Area (EU/EEA), particularly to the United States.

6.1 Applicable Guarantees

When transfers occur to third countries, we ensure that appropriate guarantees are in place:

  • European Commission adequacy decision (if available)
  • Standard contractual clauses (SCC) approved by the European Commission
  • Binding corporate rules (BCR)
  • Recognized certifications

6.2 Risks

Transfers to third countries may present risks for your data protection, including:

  • Less protective local legislation (e.g., Cloud Act in the United States)
  • Access by public authorities without guarantees equivalent to those of the EU

6.3 Informed Consent

By accepting analytics cookies and using login services via Facebook or Google, you explicitly consent to these data transfers.

You may withdraw your consent at any time for optional cookies (see Article 7).

Note: OAuth login cookies (Google, Facebook) are necessary for the functioning of the authentication service you have chosen to use.

Article 7 – Managing Your Preferences

You have several means to manage your cookie preferences:

7.1 Cookie Management Banner (Consent Management Platform)

Upon your first visit to the Platform, a cookie management banner is displayed.

You can:

  • Accept all cookies: by clicking "Accept all"
  • Refuse all non-essential cookies: by clicking "Refuse all"
  • Customize your choices: by clicking "Manage my preferences", you can enable/disable each cookie category

7.2 Your Account Settings

If you have an account, you can modify your preferences at any time from the "Privacy Settings" > "Cookie Management" space.

7.3 Your Browser Settings

You can configure your browser to refuse cookies or be alerted when they are placed.

Instructions by browser:

  • Google Chrome: Menu > Settings > Privacy and security > Cookies and other site data
  • Mozilla Firefox: Menu > Options > Privacy & Security > Cookies and site data
  • Safari: Preferences > Privacy > Manage Website Data
  • Microsoft Edge: Settings > Privacy, search, and services > Cookies and site permissions
⚠️ Warning: Refusing all cookies may limit your user experience and prevent access to certain Platform features, particularly login via Facebook or Google.

7.4 Mobile Advertising Identifiers

On mobile, you can disable advertising tracking (if applicable):

  • iOS: Settings > Privacy > Tracking > Disable "Allow Apps to Request to Track"
  • Android: Settings > Google > Ads > Disable "Ad Personalization"

Article 8 – Cookies and Mobile Applications

8.1 Technologies Used

On Spixes mobile applications (iOS and Android), we use technologies similar to cookies:

  • Third-party service SDKs (Analytics, Crash Reporting, Push Notifications)
  • Advertising identifiers (IDFA for iOS, GAID for Android) – only if you use features that require it
  • Local storage (SharedPreferences for Android, UserDefaults for iOS)

8.2 Preference Management

You can manage your preferences directly from the application: Menu > Settings > Privacy and Data > Cookie and Tracker Management

8.3 Disabling Advertising Tracking

See Article 7.4 above.

Article 9 – Cookies and Personal Data

9.1 Nature of Collected Data

Cookies may collect different categories of data:

Technical data:

  • IP address (anonymized or complete depending on cookie)
  • Browser type and version
  • Operating system
  • Screen resolution
  • Visited pages, clicks, visit duration

Behavioral data:

  • Browsing history
  • Inferred interests
  • Content interactions

Identification data:

  • Unique cookie identifier
  • User identifier (if logged in)
  • Public profile information (name, email, profile photo) if login via Facebook or Google

9.2 GDPR Compliance

Personal data processing via cookies is governed by:

  • GDPR (EU Regulation 2016/679)
  • ePrivacy Directive (2002/58/EC as amended)
  • Estonian legislation on data protection

9.3 User Rights

You have rights of access, rectification, erasure, restriction, portability and objection regarding data collected via cookies.

To exercise your rights: contact@spixes.com

9.4 Reference to Privacy Policy

For more information on personal data processing, consult our Privacy Policy.

Article 10 – Cookies Exempt from Consent

In accordance with Article 5(3) of the ePrivacy Directive and EDPB (European Data Protection Board) guidelines, certain cookies are exempt from consent as strictly necessary for providing a service expressly requested by the user:

✅ Exempt cookies (do not require prior consent):

  • Authentication and session maintenance (connect.sid, spixes_session, spixes_auth_token)
  • OAuth login (Google, Facebook) – only if the user explicitly chooses this login method
  • Shopping cart (e-commerce) – if applicable
  • Load balancing
  • Interface personalization (language, currency) if requested by user
  • Cookie choice memorization (spixes_cookie_consent)
  • CSRF protection (spixes_csrf)

❌ NON-exempt cookies (require prior consent):

  • Audience analysis (Google Analytics)
  • Targeted advertising (if applicable)
  • Social networks (content sharing and integration)
  • Marketing performance measurement

Article 11 – Cookie Security

11.1 Security Measures

Spixes implements technical and organizational measures to secure cookies:

  • HTTPS encryption: all communications are encrypted (TLS 1.3)
  • Secure cookies: Secure, HttpOnly, SameSite attributes configured
  • Automatic expiration: cookies expire after defined duration
  • Data minimization: only necessary data is collected

11.2 Third-Party Cookies

Cookies placed by third parties are subject to their publishers' security policies.

We select trusted partners certified and GDPR-compliant.

Article 12 – Modifications to Cookie Policy

Spixes reserves the right to modify this Cookie Policy at any time, particularly to:

  • Comply with legal and regulatory developments
  • Integrate new cookies or remove existing cookies
  • Improve transparency and user information

12.1 Notification

Any substantial modification will be notified by:

  • Update of the "Last update" date at the top of this document
  • Notification on the Platform (pop-up, banner)
  • Email (for registered users, if major modification)

12.2 New Consent

If modifications concern new purposes or extend the scope of cookie use, new consent may be required.

Article 13 – Contact and Complaints

13.1 Questions and Requests

For any question regarding cookie use or to exercise your rights:

13.2 Data Protection Officer (DPO)

Email: dpo@spixes.com

13.3 Complaint to Supervisory Authority

If you believe your rights are not being respected, you may lodge a complaint with the competent supervisory authority:

🇪🇪 Estonia

Data Protection Inspectorate (Andmekaitse Inspektsioon)

Address: Tatari 39, 10134 Tallinn, Estonia
Phone: +372 627 4135
Email: info@aki.ee
Website: https://www.aki.ee

🇫🇷 France

CNIL (Commission Nationale de l'Informatique et des Libertés)

Address: 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07
Phone: +33 1 53 73 22 22
Website: https://www.cnil.fr

Annex – Detailed Cookie List

Strictly Necessary Cookies

Cookie name Purpose Duration Third-party
connect.sid Express.js session cookie Session No
spixes_session User session identifier Session No
spixes_auth_token Secure authentication 30 days No
spixes_csrf CSRF attack protection Session No
spixes_cookie_consent Cookie choice memorization 13 months No
spixes_oauth_state OAuth security (Google, Facebook) Session No

Functionality Cookies

Cookie name Purpose Duration Third-party
spixes_lang Interface language 12 months No
spixes_currency Preferred currency 12 months No
spixes_theme Display mode (light/dark) 12 months No
spixes_location Approximate location 6 months No

Performance Cookies (Analytics)

Cookie name Purpose Duration Third-party
_ga Google Analytics – User identifier 2 years Yes (Google)
_gid Google Analytics – Session identifier 24 hours Yes (Google)
_gat Google Analytics – Request throttling 1 minute Yes (Google)

OAuth Authentication Cookies (essential if used)

Service Purpose Duration Third-party
Google OAuth Authentication via Google account Session to 30 days Yes (Google)
Facebook Login Authentication via Facebook account Session to 30 days Yes (Meta)
Important note: These cookies are placed only if you choose to log in via Google or Facebook. They are necessary for the functioning of the authentication service you explicitly requested by clicking the corresponding login button.

OAuth cookies allow to:

  • Maintain your login between sessions
  • Retrieve your public profile information (name, email, photo)
  • Ensure authentication security

Social Network Cookies (optional, require consent)

Cookie type Purpose Duration Third-party
Facebook/Instagram share buttons Content sharing on social networks Variable Yes (Meta)
YouTube integration Playing embedded videos (if applicable) Variable Yes (Google)
Note: These social sharing cookies are distinct from OAuth login cookies. They require your prior consent and can be disabled via the cookie management banner.

This list is subject to change. The updated version is accessible on the Platform.

END OF COOKIE POLICY

Document established in accordance with ePrivacy Directive and GDPR.
Last update: January 2026