This Cookie Policy explains how Oleksandr Koniev Strataforge (Jednoosobowa działalność gospodarcza, a sole proprietorship registered in CEIDG in Poland, with its seat in Warsaw) uses cookies and equivalent technologies on the website at strataforge.co. It forms an integral part of, and should be read together with, our Privacy Policy.

In plain terms: we store almost nothing on your device. We do not run advertising or third-party tracking, our analytics are cookieless, and we set only the small number of cookies that are strictly necessary to make the site and your account work.

We set only strictly necessary cookies and run cookieless analytics, so we do not show a consent banner. If that ever changes, we will add one before any tracking cookie is set.

1. What a cookie is

In this Policy a "cookie" means any technique that stores information on the device you use to visit the site, or reads information already stored there. The term is broad on purpose.

It covers, without limitation, HTTP cookies (first-party and third-party), HTML5 localStorage and sessionStorage, IndexedDB, Service Workers, cache-based identifiers, and any equivalent mechanism that writes to or reads from your device. Reading signals from your device through techniques such as device fingerprinting or hash-based identifiers also falls within the scope of art. 5(3) of the ePrivacy Directive and art. 399 PKE, an interpretation supported by EDPB Guidelines 8/2020. If we store or read anything on your device, this Policy covers it.

2. The law we follow

Our use of cookies and equivalent technologies is governed primarily by Polish and EU law: art. 5(3) of the ePrivacy Directive 2002/58/EC, art. 6, art. 7 and the accountability and transparency duties in art. 5(2) and art. 13(2)(a) of the GDPR (RODO), the Act on the provision of services by electronic means (USUDE), and art. 399 of the Electronic Communications Law (PKE).

Article 5(3) of the ePrivacy Directive allows storing information in, or accessing information stored in, your terminal equipment only with your prior informed consent, with two exemptions: storage for the sole purpose of carrying out a transmission, and storage strictly necessary to provide a service you requested. The strictly-necessary exemption we rely on in this Policy comes from art. 5(3) of the ePrivacy Directive and art. 399 ust. 3 PKE.

In Poland, this rule sits at art. 399 of the Electronic Communications Law (PKE, Dz.U. 2024 poz. 1221), in force since 10 November 2024. It is the successor to the former art. 173 of the Telecommunications Law of 2004. Art. 398 PKE covers marketing consent and art. 400 PKE requires that any such consent meet the GDPR standard (freely given, specific, informed and unambiguous). We also follow EDPB Guidelines 05/2020 on consent for the conditions any future consent must meet (cookie walls do not yield freely given consent, scrolling is not a valid affirmative action, and withdrawal must be as easy as giving), and we treat EDPB Guidelines 8/2020 (final version adopted 13 April 2021) as supporting context on targeting techniques. Both are interpretive guidance rather than binding legislation.

3. Cookies and storage we use

As at the date of this Policy, we use only the following strictly necessary mechanisms. Each is exempt from the consent requirement under art. 5(3) of the ePrivacy Directive and art. 399 ust. 3 PKE, because it is necessary to deliver a service you have requested. To meet the transparency duty in art. 13(2)(a) GDPR, we state the configured lifetime of each mechanism below rather than an indicative range.

• Authentication session (Supabase). Stores a session token that keeps you logged in to your Strataforge account. Set only when you sign in. Configured lifetimes: the access token expires 1 hour after issue, and the refresh token expires 7 days after issue (rotated on use), so the maximum retention of the stored session is bounded by those values. Provider: Supabase, acting as our processor; see the Privacy Policy and Subprocessors list for transfer details.
• Theme preference (next-themes). A single localStorage key remembering whether you chose light, dark or system theme, so the site renders the way you picked it. It persists until you clear it in your browser (no fixed expiry). No personal data, no tracking.
• Strictly necessary security and session integrity. Where required, short-lived cookies that protect the security and integrity of your session (for example CSRF protection). Each expires when you close your browser, or after at most 1 hour, whichever comes first. Set only as needed to keep your account safe.

None of these are advertising or tracking cookies, and none are shared for marketing. Blocking the authentication cookie will stop you logging in; blocking the theme key just resets the site to its default theme on each visit.

4. Our analytics approach

We use Vercel Web Analytics, which is designed to be cookieless and privacy-respecting. Per Vercel's documentation, it measures traffic without third-party cookies and, rather than storing an identifier on your device, distinguishes visits using a daily hash derived from the incoming request. Vercel rotates this hash signal every 24 hours and reports metrics in aggregated form. Because the hash is derived from request data, we treat it as transient pseudonymous data rather than fully anonymous information until anonymisation is independently confirmed. It does not track you across sites or applications.

On the basis that this hash is computed server-side from the request and that nothing is read from or written to your device for analytics, art. 5(3) of the ePrivacy Directive and art. 399 PKE are not engaged, so no consent is required. The processing of the resulting aggregated metrics rests on our legitimate interest under art. 6(1)(f) GDPR, supported by a documented three-part assessment: purpose, understanding how the site performs and is used so we can keep it reliable; necessity, no less intrusive method gives us reliable traffic and performance figures, and the data is daily-rotated pseudonymous and reported in aggregate rather than profiled; balancing, there is no cross-site tracking, advertising, profiling or sale of data, the impact on you is minimal, and you can block the analytics script with no effect on the site. If we ever cannot stand behind the cookieless and server-side premise, or if we add a tracking-cookie tool, we will deploy a consent banner first.

5. What we do not use

As at the date of this Policy, we do not use any of the following:

• Third-party advertising cookies of any kind.
• Social-media tracking pixels (for example Facebook Pixel, LinkedIn Insight Tag, TikTok Pixel).
• Google Analytics, Google Tag Manager or other Google tracking tools.
• CRM tracking pixels or marketing-automation tooling (for example HubSpot, Salesforce, Marketo).
• Retargeting or remarketing pixels.
• Cross-site tracking of any kind, or any sale or sharing of personal data for advertising.

If we ever introduce analytical or marketing cookies, we will update this Policy and deploy a consent banner. That banner would let you choose per category (necessary, analytical, marketing), with everything except strictly necessary off by default, equal "Accept all" and "Reject all" options, an easy way to withdraw consent, and no cookie wall.

6. How to manage cookies in your browser

Every modern browser lets you view, delete and block cookies and localStorage, and ask to be warned before new cookies are set. The controls are usually under "Privacy" or "Cookies and site data". These links are provided for convenience; we are not responsible for the content of third-party sites.

• Chrome: Manage cookies in Chrome
• Firefox: Tracking protection in Firefox
• Safari: Manage cookies in Safari
• Edge: Delete cookies in Edge

Blocking the authentication cookie will prevent you from logging in. Blocking the theme key resets the site to its default theme on each visit. Blocking anything tied to analytics has no effect on how the site works.

7. Changes to this Policy

We may update this Policy from time to time. Material changes (a new storage mechanism, or a change to the legal basis of an existing one) will be announced on the site at least fourteen (14) days before they take effect, and the "Last updated" date will change accordingly. Routine edits (clarifications, updated links) may take effect on the date of the change without prior notice.

8. Contact and complaints

Questions about this Policy: alex@strataforge.co. For more on how we handle personal data, see our Privacy Policy.

You have the right to lodge a complaint with a supervisory authority (art. 77 GDPR). In Poland the competent authority is the President of the Personal Data Protection Office (Prezes Urzedu Ochrony Danych Osobowych, UODO), ul. Stawki 2, 00-193 Warszawa, uodo.gov.pl. If you live in another EU Member State, you may instead contact your local supervisory authority.