Cookie Policy
Last updated: May 17, 2026
What are Cookies?
Cookies are small text files that are stored on your device when you visit our website. They help us save your preferences and improve your experience on our website. In addition to standard cookies, we also use "Local Storage" to save settings directly in your browser without transmitting them to our servers.
Cookie Categories
Necessary Cookies & Local Storage
Always active
These technologies are essential for the basic functions of our website and cannot be disabled. They are set automatically and are required for the proper functioning of the website. The localStorage entries listed below are stored only in your browser and are never transmitted to our servers; they are used to remember your preferences (such as your selected city or dismissed notifications), prevent duplicate community actions, and recover unsaved content.
Cookies:
- __session (persistent login token, 180 days, HttpOnly/Secure/SameSite=Lax) — keeps you signed in across visits without requiring repeated authentication
- i18next (language preference, 365 days)
- flagged_spots (anonymous flag tracking, 365 days, HttpOnly)
- voted_spots (anonymous vote tracking, 365 days, HttpOnly)
- liked_articles (anonymous like tracking, 365 days, HttpOnly)
- liked_products (anonymous product-like tracking, 365 days, HttpOnly)
- copied_products (anonymous product-code tracking, 365 days, HttpOnly)
- __cf_bm (Cloudflare Bot Management, 30 minutes, strictly necessary, set by Cloudflare as our reverse proxy to distinguish humans from bots)
localStorage (browser-only, never sent to our servers):
- cookie_consent — records your consent decision so we don't prompt you again
- cookie_preferences — your granular category choices (necessary, analytics)
- userPreciseLocation, locationPermissionGranted, userManuallySelectedCity, userIPDetectedLocation — remember your chosen or detected city so pages are relevant
- voted_<spotId>, flagged_<spotId>, spot-suggested-by, spotSuggestionNotificationDismissed — prevent duplicate map votes/flags and suggestion spam
- photoAgeCTA_dismissed — hide the photo age call-to-action after you close it
- event-result-<sessionId>, event-completed-<sessionId>, event-test-progress — keep your test answers if you refresh mid-test
- article drafts, lastSeenArticlesTs, lastSeenEventsTs — unsaved draft recovery and the 'new' dot on nav items
- logoHomeHintSeen — remembers that the logo-as-home-link hint has already been shown to you
sessionStorage (browser-only, cleared when you close the tab):
- pending_biometrics — temporary holding of rPPG scan results before you save them
- event-test-progress — in-progress test state within a tab
Analytics Cookies
With consent
These technologies help us understand how visitors interact with our website. They are only activated after your explicit consent via the cookie banner (legal basis: § 25(1) TDDDG (German Telecommunications Digital Services Data Protection Act) in conjunction with Art. 6(1)(a) GDPR). Before you grant consent, no analytics cookies are set; the Google Consent Mode v2 default is configured as "denied".
Services used:
- Google Tag Manager (GTM)
- Google Analytics 4 (loaded via GTM)
Data transfer: USA. Google is certified under the EU-US Data Privacy Framework. Standard Contractual Clauses apply.
Retention: Google Analytics 4 is configured with a 14-month user/event retention.
Third-Party Services
We use various third-party services to enhance the functionality of our website. These services may collect data such as your IP address and browser information.
Google Services
Google Analytics 4 (loaded via Google Tag Manager). Resources are loaded only after your consent.
Data transfer: USA (EU-US Data Privacy Framework + Standard Contractual Clauses)
Cloudflare (CDN, reverse proxy, DDoS and bot protection)
Provider: Cloudflare, Inc., 101 Townsend Street, San Francisco, CA 94107, USA
Purpose: Cloudflare sits in front of our website as a CDN, reverse proxy and DDoS-protection layer. EEA traffic is primarily terminated at EU edges (Frankfurt/Amsterdam) and then forwarded via HTTPS re-encryption to our Hetzner server in Nuremberg. Cloudflare sets the __cf_bm cookie (30 minutes, strictly necessary) to distinguish humans from bots.
Legal basis: Legitimate interest in security, availability and DDoS protection (Art. 6(1)(f) GDPR) and § 25(2) no. 2 TDDDG for the strictly necessary __cf_bm cookie.
Data transfer: USA (corporate seat). EEA traffic is primarily terminated at EU edges; any onward transfers are safeguarded by EU Standard Contractual Clauses (SCCs) and the Cloudflare Data Processing Addendum (DPA).
Map Tile Providers
Our maps use Leaflet to display tiles from the following providers:
- CartoDB Voyager (standard view) — provided by CARTO (USA / Global CDN). When tiles are loaded, your IP address and standard technical request data are transmitted.
- Esri ArcGIS World Imagery (satellite view) — provided by Esri (USA). Loaded only when you actively switch to satellite mode.
Purpose: Delivery of map tiles for location-based features.
Legal basis: Legitimate interest in providing functional, performant maps (Art. 6(1)(f) GDPR).
Data transfer: USA. Standard Contractual Clauses apply.
Location Detection
We use two methods to determine your location:
1. Server-side IP geolocation (default)
Provider: IPinfo (operated by Kloudend Inc., USA)
Purpose: When you visit our site, we resolve your IP address to a city-level location to show you geographically relevant content (e.g., your nearest chapter). The lookup is performed server-side; we do not store IP-to-location records.
Legal basis: Legitimate interest in providing geographically relevant content (Art. 6(1)(f) GDPR).
Data transfer: USA. Standard Contractual Clauses apply.
2. Browser-based precise geolocation (opt-in)
When you actively click the location button, your browser will ask for your permission to share your precise GPS location with our website. Your location is then stored locally in your browser (localStorage) and is never transmitted to our servers.
Legal basis: Consent (Art. 6(1)(a) GDPR), revocable at any time via your browser settings.
MediaPipe Face Landmarker (rPPG Heart Rate Scanner)
Provider: Google LLC (model file via storage.googleapis.com) and jsDelivr / Prospectone Sp. z o.o. (WASM runtime via cdn.jsdelivr.net)
Purpose: Face region detection for the webcam-based heart rate (rPPG) scanner. Resources are loaded only when you actively start the heart rate scan; no video data is transmitted off your device.
Legal basis: Consent (Art. 6(1)(a) GDPR) — resources are only loaded after you explicitly activate the scanner.
Data transfer: USA (Google Cloud Storage) and Poland / Global CDN (jsDelivr). Only your IP address and browser metadata are transmitted when downloading the library files. Standard Contractual Clauses apply.
Opt-out: Do not use the heart rate scanner feature. No resources are loaded unless you actively start a scan.
Lu.ma (Event Registration)
Provider: Lu.ma Inc. (USA)
Purpose: Embedded event registration and ticketing button on event pages. The Lu.ma script (embed.lu.ma/checkout-button.js) is loaded only when you actively click the registration button. Lu.ma may then set its own cookies on your device.
Legal basis: Consent (Art. 6(1)(a) GDPR) — resources are only loaded after active user interaction.
Data transfer: USA. Lu.ma processes registration and payment data as an independent controller; the relevant data processing is governed by Lu.ma's privacy policy.
ImageKit (Image CDN)
Provider: ImageKit (USA / Global CDN)
Purpose: Delivery of user-uploaded images (avatars, banners, article cover images, suggested map spots). When a page loads, a DNS prefetch hint resolves the ImageKit hostname; no cookies are set, and no personal content is transmitted by the prefetch alone.
Legal basis: Legitimate interest in performant image delivery (Art. 6(1)(f) GDPR).
Data transfer: USA. Standard Contractual Clauses apply.
Photo Age Test (External AI Service)
When you actively use the Photo Age Test feature, your image is transmitted to an external AI service for age estimation. The image is processed in memory only and is not stored after the response is returned. No cookies are set in connection with this feature.
Legal basis: Consent (Art. 6(1)(a) GDPR and Art. 9(2)(a) GDPR for health-related processing).
Full details on data handling are described in our Privacy Policy.
Fonts (Self-Hosted)
All fonts used on our website (Inter, Poppins, Lora, Chillax) are self-hosted on our infrastructure in Nuremberg, Germany (Hetzner data center). No connection to Google Fonts servers, Google CDN, or other third-party font providers is made. No data is transmitted for font delivery.
Cookie Management
You can adjust or revoke your cookie settings at any time. Click the button below to reopen the cookie consent banner and update your preferences.
You can also disable cookies entirely in your browser settings. Note that disabling necessary cookies may affect the functionality of our website.
Questions?
If you have questions about our use of cookies and similar technologies, please contact us at [email protected].
For full details on how we process personal data, your rights under the GDPR, and our data processors, please refer to our Privacy Policy.
