Cookie Policy
Information on cookies and similar technologies
Effective: 1 July 2026 · Caelex, Julian Polleschner, Berlin, Germany · Version 3.1
This Policy explains which cookies and similar technologies (LocalStorage, SessionStorage, IndexedDB, pixels) we use, for what purpose, on what legal basis and for how long.
For non-strictly-necessary cookies, Section 25(1) TTDSG applies: we set them only with your express, informed, prior consent.
For data-protection details we additionally refer to the Privacy Policy (/legal/privacy-en).
The German version at /legal/cookies is the legally binding version.
Section 1 What are cookies?
Cookies are small text files stored in your browser when visiting a website. They hold information that can be read on later visits or interactions. We also use browser-stored technologies such as LocalStorage (e.g. Atlas guest bookmarks) and SessionStorage (e.g. session data).
Section 2 Categories and legal basis
Our usage statistics operate in two tiers. Tier 1 is an anonymous, cookieless baseline statistic that runs for all visitors without consent: it neither sets nor reads any identifier on your device, does not store your IP address, and produces only aggregate totals (e.g. how often a path was opened per product surface). Because it does not access information on your device (Section 25 TDDDG does not apply) and processes no retained personal data, the aggregate reach measurement relies on our legitimate interest (Art. 6(1)(f) GDPR). Tier 2 is the richer, consent-based product analytics described in paragraph (3): it loads only after your opt-in, then sets a device/session identifier and links your user id once you are signed in. The two tiers are separate; Tier 1's anonymous aggregate counts cannot be joined to Tier 2 events.
(1) Strictly necessary (Section 25(2) TTDSG, no consent required): cookies and LocalStorage entries without which the platform cannot operate — session token, CSRF protection, language preference, MFA flow state, Atlas guest bookmarks.
(2) Functional (Art. 6(1)(a) GDPR, Section 25(1) TTDSG, consent): optional convenience features (beyond necessary dark-mode memory, table layouts, optional chat widgets).
(3) Analytics and product improvement. We run our own self-hosted first-party product analytics (no third-party analytics services such as Google Analytics or Facebook). It involves two processing operations with two legal bases: (a) setting and reading a session/device identifier in browser storage (sessionStorage), and stitching your usage across products into one identity profile (a new purpose under Art. 5(1)(b) GDPR), both require your consent under Section 25(1) TTDSG; (b) the pseudonymous usage telemetry itself (event counts, per-product feature usage, dwell time, approximate country derived from IP) is processed on the basis of our legitimate interest in product improvement (Art. 6(1)(f) GDPR), to which you may object at any time under Art. 21 GDPR. A typed event schema ensures the telemetry cannot capture free-text input, client or party names. See the privacy policy (Section 3(3)) for details.
(4) Marketing: we set no third-party marketing cookies (Facebook pixel, LinkedIn Insight Tag, Google Ads).
Section 3 Cookies and storage entries in use
A. Strictly necessary:
- authjs.session-token — login session, HTTP-only, Secure, SameSite=Lax · retention: until logout or 30 days
- authjs.csrf-token — CSRF protection, HTTP-only · retention: session
- authjs.callback-url — OAuth-login callback · retention: session
- caelex.locale — language preference (de, en, fr, es) · retention: 1 year
- atlas:bookmarks:v1 (LocalStorage) — guest bookmarks in Atlas · retention: until user clears
- consent.v1 — cookie consent state · retention: 12 months
B. Functional (consent only):
- caelex.ui-prefs — UI preferences, e.g. table layouts · retention: 6 months
C0. Anonymous baseline statistic (Tier 1, no consent):
- Anonymous, cookieless reach measurement (no browser-storage entry, no identifier): on each page view we send, server-side, only the path visited (without query parameters), the referrer host, the product surface and a coarse viewport bucket. NO device/session identifier is set or read, NO user id is linked, and NO IP address is stored. These signals produce only a daily total per path and product surface. Legal basis: legitimate interest (Art. 6(1)(f) GDPR); as no access to your device takes place, Section 25 TDDDG does not apply and no consent is required.
C. Analytics (Tier 2, consent only, where enabled):
- caelex_session_id (SessionStorage) — session/device identifier of our own self-hosted first-party product analytics. Set once you consent to analytics; therefore NOT cookieless in the sense of 'no device access' (Section 25(1) TTDSG). Retention: until end of the browser session.
- caelex-cookie-consent-session (LocalStorage) — pseudonymous correlation id for the server-side consent proof (stored hashed). Retention: until the user clears it.
- Self-hosted telemetry (no browser-storage entry, server-side): for each captured event we store, on our own EU infrastructure (database at Neon, Frankfurt region), the event type, the path visited (without query parameters), referrer, user agent (anonymised after 30 days), the country derived from the IP and — for signed-in users — your user id and organisation id. This analytics is therefore neither anonymous nor solely Vercel-based. Event retention: 90 days. Feature dimensions captured are categorical (e.g. Atlas topics, Comply modules, Trade classify→licence, Scholar simulations) and contain no free-text input or personal content.
- Vercel Web Analytics (optional, additional): cookieless page-view statistics for the public site with a per-session rolled hash and IP anonymisation. This is a SEPARATE service and NOT the product telemetry described above.
D. Third parties: Stripe sets cookies strictly required for checkout flows (e.g. __stripe_mid, __stripe_sid). Set only on the checkout page and subject to the Stripe privacy statement.
Section 4 Consent and withdrawal
(1) On first visit we show a cookie banner. You can reject all non-essential cookies, select individually or accept all.
(2) You can withdraw consent at any time via the „Cookie settings“ link in the footer or via browser settings. Withdrawal operates for the future only.
(3) Consent is logged in your browser (time, version, per-category selection), supplemented server-side for logged-in users for evidence.
Section 5 Browser settings
You can also manage cookies in your browser (block, delete, notify on set). Note that without strictly necessary cookies parts of the platform will not work.
- Chrome: Settings → Privacy and security → Cookies and other site data
- Firefox: Settings → Privacy & Security → Cookies and Site Data
- Safari: Settings → Privacy → Cookies and website data
- Edge: Settings → Cookies and site permissions
Section 6 Changes
We update this Policy on changes to our cookies or legal requirements. The current version is at caelex.eu/legal/cookies-en.
Contact
CaelexOwner: Julian PolleschnerAm Maselakepark 3713587 Berlin, GermanyData-protection inquiries:privacy@caelex.euVersion 3.1 · 1 July 2026