Cookie Policy
Last updated: 3 May 2026
Short version. The only cookies Cyber sets without asking you first are the strictly necessary ones for login and CSRF protection. Audience-measurement cookies are optional — the banner asks before any optional cookie is set, and Reject is as easy to click as Accept. Anonymous server-side page-view counts run regardless and never use cookies.
1. What cookies are
Cookies are small text files a website asks your browser to keep so
it can recognise you on a later request — for example, to keep you
signed in. Similar technologies such as localStorage are
treated as cookies under EU/UK ePrivacy law and we treat them the same
way here.
2. Cookies we set
Strictly necessary — always on
Required for the site to work. They cannot be disabled without breaking the sign-in and form-submission flow. No consent required under ePrivacy Directive Art. 5(3) / French LCED Art. 82.
- DM_SESSION — the PHP session cookie. Identifies your browser to the server while you are signed in. HttpOnly, Secure, SameSite=Lax. Expires when the browser session ends.
- CSRF token — stored inside the session (not as its own cookie) and echoed in a hidden form field. Protects against forged state-changing requests.
- cyber_explain_seen — set by /auth.php when you have already viewed the "Permissions we will request" interstitial, so we don't show it on every retry. HttpOnly, SameSite=Lax. Expires after 30 days.
Audience measurement (optional — only if you click "Accept" on the banner)
To understand how visitors use the marketing pages we use one third-party audience-measurement provider. Until you click Accept on the banner, no request is sent to the provider, no cookie of theirs is set, and we fall back to anonymous, server-side page-view counts only. You can decline up-front or revoke at any time (see §4 below).
The current provider, the cookies it sets, and their lifetime:
- Provider: Google Ireland Ltd. (Google Analytics 4).
- Cookies set: _ga and the property-specific _ga_* cookies. Default lifetime up to 2 years. See Google's cookie list for the full per-cookie breakdown.
- What it does: measures aggregate traffic patterns — page-views, reading time, device class. We have IP anonymisation on (the GA4 default), and Google Signals and the Advertising features are off. The tag does not run inside the authenticated app.
- How it loads: from googletagmanager.com, only once the consent cookie is set to acc. Reject keeps the site fully analytics-cookie-free.
Choice marker — set when you answer the banner
- cyber_consent_v1 — first-party cookie that records your answer to the analytics banner (acc for Accept or rej for Reject). SameSite=Lax, Secure. Lifetime 6 months. After 6 months we ask again, in line with CNIL guidance.
Third-party (payment)
When you reach the billing step, Stripe's hosted Checkout may set its own cookies inside the Stripe iframe to detect fraud. Those cookies are controlled by Stripe and governed by Stripe's privacy policy. We do not place those cookies and we cannot read them.
3. What we do not use
- No advertising or retargeting cookies.
- No cross-site tracking pixels.
- No social-plugin cookies (no Facebook/Twitter "like" pixels, no LinkedIn Insight Tag).
- No A/B-testing platforms that set fingerprint cookies.
- No fingerprinting libraries.
We also run a small server-side, cookieless page-view counter. It records anonymous statistics (truncated IP, browser-class bucket, daily-rotating visitor hash) directly in our own database — no JavaScript beacon, no third party, no cookie. Under CNIL guidance this counter is exempt from consent. Retention is capped at 25 months and the data is never combined with your account.
4. Your choices
Change your analytics choice
Click the button below to clear your stored choice. The page will reload and the consent banner will reappear so you can pick again.
Manage cookies in your browser
You can also clear cookies directly:
- Chrome: Settings → Privacy & security → Cookies and other site data
- Firefox: Settings → Privacy & Security → Cookies and Site Data
- Safari: Settings → Privacy → Manage Website Data
- Edge: Settings → Cookies and site permissions
If you clear or block the session cookie you will be signed out and will have to log in again. Some features that rely on CSRF protection may stop working until you do.
Right to object — analytics
The cookieless server-side counter described in §3 honours the
DNT: 1 request header. Browsers that send this
header are not recorded at all. (Most modern browsers no longer
expose DNT in the UI; the consent banner is the primary way to opt
out of Google Analytics.)
5. Changes
If we add a new cookie or new analytics provider we update this
page, bump the cookie name (e.g. cyber_consent_v2) so
every browser is re-prompted, and where the law requires we will ask
for fresh consent before the new cookie is set.
6. Contact
Questions about cookies? Email [email protected].