Cookie Policy

Version 2026.04.13 · Last updated 13 April 2026 · Effective 13 April 2026

This Cookie Policy explains what cookies and similar technologies this site uses, why, and how you can control them. It complements the Privacy Notice and together they satisfy our obligations under Articles 6 and 7 of the EU General Data Protection Regulation (GDPR), the ePrivacy Directive 2002/58/EC as transposed in each EU member state (Germany TTDSG §25, France LIL art. 82), the UK Privacy and Electronic Communications Regulations 2003 (PECR) regulation 6 and the Brazilian LGPD (Lei 13.709/2018) Art. 7 where applicable.

1. What is a cookie

A cookie is a small text file a website asks your browser to store. Similar technologies include localStorage, sessionStorage, and pixel-based tracking. Throughout this policy the word "cookie" refers to all of these.

2. Your choices

Except for strictly necessary cookies, no cookie is set before you make a choice. The consent banner that appears on your first visit offers three options that are equally prominent, as required by the French CNIL (2020 guidelines) and the Irish Data Protection Commission (2023):

Your choices are recorded against a consent receipt with a unique identifier and the exact policy version in force at the time. You can change them at any moment by clicking Cookie settings in the site footer, or in your browser console by running CookieConsent.openPrefs().

3. Categories and retention

Category | Purpose | Legal basis | Retention
Strictly necessary | Session authentication, CSRF protection, load balancing, fraud prevention. | GDPR Art. 6(1)(b) contract · ePrivacy Art. 5(3) exemption · LGPD Art. 7(V) contract. | Session — cleared on logout.
Functional | Language and theme preference; remembered responsible-gambling limits. | GDPR Art. 6(1)(a) consent · LGPD Art. 7(I) consent. | Up to 12 months.
Analytics | Aggregate, anonymous usage metrics (Cloudflare Analytics, Plausible). No individual profiling. | GDPR Art. 6(1)(a) consent · LGPD Art. 7(I) consent. | Up to 13 months (CNIL guidance).
Marketing | Affiliate attribution, retargeting pixels. Set only with explicit opt-in. | GDPR Art. 6(1)(a) consent · ePrivacy Art. 5(3) consent · LGPD Art. 7(I) consent. | Up to 13 months.

We do not pre-tick any box. The Court of Justice ruled in Planet49 GmbH (Case C-673/17, 1 October 2019) that pre-ticked consent is not valid consent. Our banner starts every non-essential category switched off.

4. Third parties

We list only the vendors that actually place cookies through this site. Vendors added in the future are reflected here before deployment.

Vendor | Purpose | Data classes | Transfer mechanism
Cloudflare, Inc. | CDN, bot mitigation, analytics. | IP address, user-agent, anonymised request metadata. | EU–US Data Privacy Framework (Commission Decision 2023/1795) with supplementary SCCs and client-side encryption on sensitive paths.
Google Fonts (fonts.googleapis.com) | Web font delivery. | Transient IP only; no persistent cookies. | EU–US DPF.

5. Consent lifetime and renewal

Your consent expires 395 days (≈ 13 months) after it was given, matching the French CNIL 2020 default. After that the banner re-appears and you choose again. We also re-solicit consent whenever this policy is updated — the policy version string shown in the banner footer changes.

6. How to withdraw consent

Withdrawal is as easy as giving consent:

  1. Click Cookie settings in the site footer.
  2. Uncheck any category.
  3. Click Save choices.

Or from your browser console: CookieConsent.reset(). This clears the locally stored preference and shows the banner again.

7. Consent receipt and audit

Every decision produces a receipt stored on this device (in localStorage under the key cc_v1) and sent to our server for audit (POST to /api/v2/consent/record, retained for the period the regulatory obligation requires). The receipt carries: the receipt identifier, the exact policy version, your choices per category, the action (accept_all, reject_all, or custom), and the timestamp. You can obtain a copy by emailing the Data Protection Officer (see section 9).

8. Do Not Track and Global Privacy Control

We honour the Sec-GPC header as a signal to opt out of analytics and marketing categories by default, consistent with the California Privacy Rights Act (CPRA) §1798.135 and the CNIL 2024 guidance on GPC.

9. Contact

Data Protection Officer: dpo@backendofluck.com. You may also lodge a complaint with your supervisory authority — for the EU, typically your national DPA; for the UK, the ICO; for Brazil, the ANPD.