Cookie Policy
Vilkax sets the smallest possible number of cookies, and only the ones we cannot do without. We run no advertising, no cross-site tracking, and no cookies that profile you. Every cookie below is strictly necessary to sign you in or to keep the service secure. We do keep optional, first-party, anonymous product analytics (no cookies, no third parties), but it is off until you opt in: on your first visit we ask once with a small banner, it honours your browser's Do-Not-Track / Global Privacy Control, and you can change your choice below at any time.
This page explains exactly what is stored on your device when you use vilkax.com, what each item is for, whether it is strictly necessary, and how long it lasts. It complements the Privacy Policy.
The short version
- We use one first-party cookie of our own (your sign-in session).
- Cloudflare - our security and edge provider - may set its own strictly-necessary security cookies to keep the site online and block abuse.
- Our fonts are self-hosted - no third-party font request, so no external server ever sees your IP for typography.
- We set no advertising, profiling, or cross-site tracking cookies. We do keep first-party, anonymous product analytics (no third parties, no ad networks, no profile of you) - it is off until you opt in on your first visit, and you can change your choice any time.
First-party cookie we set
- vilkax_sid - your sign-in session. This is what keeps you logged in after you authenticate, and it is the cookie that protects your account.
  - Purpose: authentication / session management. Carries a signed session identifier (a SID plus an HMAC); it holds no personal data in itself.
  - Category: strictly necessary. Without it you could not stay signed in, so it is exempt from consent under the ePrivacy rules.
  - Set by: Vilkax (first party).
  - Security flags: HttpOnly (not readable by JavaScript), Secure (HTTPS only), SameSite=Lax (not sent on cross-site requests), Path=/.
  - Retention: up to 24 hours, then it expires; it renews on use while you stay active. Signing out clears it immediately.
Security & infrastructure cookies (Cloudflare)
Vilkax is served and protected by Cloudflare. To keep the site available and to tell humans apart from automated abuse, Cloudflare may set its own strictly-necessary cookies when you encounter a security check.
- Cloudflare Turnstile / challenge cookies - set only when you hit a security challenge (for example on sign-in or sign-up). Turnstile is the privacy-preserving challenge we use instead of a traditional tracking CAPTCHA.
  - Purpose: bot mitigation and abuse prevention - confirming a request is from a real person, and keeping the platform online under attack.
  - Category: strictly necessary (security). Exempt from consent.
  - Set by: Cloudflare, our infrastructure and security provider (acting as a processor).
  - Retention: short-lived; managed by Cloudflare and typically cleared within the same session or a short window after the challenge. We do not read or repurpose these cookies.
Cloudflare does not use these to profile you for advertising. For the technical detail, Cloudflare publishes its own cookie reference at developers.cloudflare.com.
Third-party requests (not cookies we set)
- Fonts - self-hosted, no third-party request. Our typefaces (Manrope and the rest of the brand set) are served from our own domain, not from Google Fonts or any other third-party font service. Loading a page here makes no font request to any external server, so no third party sees your IP address to deliver typography. (Earlier versions of this site loaded fonts from fonts.googleapis.com; we removed that dependency.)
- Spotify player - optional, consent-gated. The home and Sounds pages can show an embedded Spotify playlist player. Spotify is a third party, so its player - and any request or cookie it makes - does not load when the page opens. It loads only after you accept analytics on the first-visit banner or click the player to load it. Until then, no request reaches Spotify. Once loaded, Spotify's own privacy policy governs what it collects.
What we do NOT use
- No advertising or marketing cookies.
- No cross-site tracking pixels or third-party ad networks.
- No behavioural analytics that build a profile of you - our product analytics are anonymous and are never used to profile or target an individual.
- No advertising or profiling cookies - the only cookies we set are strictly necessary. Our optional first-party analytics use device storage (not advertising cookies) and are off until you opt in via the first-visit banner; we also honour your browser's Do-Not-Track / Global Privacy Control automatically, and you can change your choice below.
Product analytics & your choice
To understand which features help and where the product breaks, we collect first-party, anonymous usage signals (for example: a page was viewed, a scan was run). These are not advertising, are never shared with a third party, and are never used to build a profile of you - a random session token (kept in your browser's sessionStorage) is sent to our own server, which only ever stores a hashed value.
Analytics is off until you opt in: on your first visit we ask once with a small banner, and nothing non-essential is sent until you accept. We also automatically respect your browser's Do-Not-Track and Global Privacy Control settings as a decline.
We apply this the way your local law expects. Where the law requires your prior consent, such as in the EU and the UK, this analytics stays off until you opt in. Where the law instead gives you a right to opt out, such as in the United States, it may run by default and you can opt out at any time, including a Do Not Sell or Share My Personal Information choice. Global Privacy Control and Do-Not-Track are always honoured, and we never sell your personal data.
You can change your choice on this device at any time - it takes effect immediately:
Managing cookies
You can clear or block cookies from your browser settings at any time. Blocking the strictly-necessary vilkax_sid cookie will sign you out and prevent you from staying signed in; everything else on the public site will still work.
Contact
Questions about cookies or your data: use our contact form.
To reach our data protection officer, contact us and select the privacy topic.
This summary is provided for transparency and is not a substitute for the full Privacy Policy or our terms; it is subject to review and may be updated as the platform evolves.
Last updated: 2026-06-10 · Cookie inventory verified against the deployed session and security configuration.