Cookie & Local Storage Policy

Version 1.0
Effective: March 2026

Last updated: 20 March 2026

This policy was last updated on 20 March 2026. Pending legal review.

Viktoria Compliance uses a small number of strictly necessary cookies for authentication and session management, as well as localStorage for essential client-side functionality. We do not use any analytics, advertising, or third-party tracking cookies.

1. Authentication Cookies

When you sign in, our authentication provider (Supabase Auth) sets HTTP cookies on your device to maintain your session. These cookies are essential for the site to recognise you as a logged-in user and to protect your account.

  • Purpose: Session management and authentication
  • Provider: Supabase Auth (via @supabase/ssr middleware)
  • Type: Essential / strictly necessary
  • HttpOnly: Yes — not accessible to client-side JavaScript
  • Secure: Yes — transmitted only over HTTPS
  • SameSite: Lax — sent with top-level navigations but not with cross-site sub-requests
  • Can be disabled: No — these cookies are required for authentication to function. If you block them, you will not be able to sign in.

2. Cookie Inventory

The following table lists all cookies set by this site:

Name | Purpose | Type | Duration | Essential
sb-*-auth-token | Stores the authenticated session token (JWT) so the server can verify your identity on each request | Authentication | Session / up to 1 hour (refreshed automatically) | Yes
sb-*-auth-token.0, sb-*-auth-token.1 | Chunked session token fragments (used when the JWT exceeds the browser cookie size limit) | Authentication | Session / up to 1 hour (refreshed automatically) | Yes

The * in the cookie name is replaced by your Supabase project reference ID. This is not personal data; it is the same for all users.

3. No Analytics or Marketing Cookies

This site does not use any non-essential cookies. Specifically:

  • No analytics cookies (e.g. Google Analytics)
  • No advertising or remarketing cookies
  • No social media tracking cookies or pixels
  • No third-party cookies of any kind
  • No fingerprinting or behavioural profiling

4. Local Storage (localStorage)

In addition to cookies, this site uses your browser's localStorage API to store a small amount of data on your device. Unlike cookies, localStorage data is never automatically sent to servers with HTTP requests — it stays entirely in your browser.

We store only what is necessary for essential site functionality:

  • Assessment progress: Your answers and current step in the compliance assessment, so you can resume where you left off if you close the browser.
  • Consent preferences: Your acknowledgment of this policy, stored so you are not asked repeatedly.
  • Language preference: Your selected interface language.

5. Cookies vs. localStorage

While both cookies and localStorage store data in your browser, they work differently:

Feature | Cookies | localStorage
Sent with HTTP requests | Yes, automatically | No, never
Accessible by servers | Yes | No (client-side only)
Can track across sites | Yes (third-party cookies) | No (same-origin only)
Expiration | Set by server or script | Persists until cleared by user
Used on this site | Yes (essential only) | Yes (essential only)

6. Legal Basis: ePrivacy Directive

Under the EU ePrivacy Directive (2002/58/EC, as amended), storing information on a user's device generally requires informed consent. However, Article 5(3) provides an exemption for storage that is "strictly necessary" to provide a service explicitly requested by the user.

Both our authentication cookies and our localStorage usage fall under this exemption:

  • The sb-*-auth-token cookies are strictly necessary for authentication — without them, the login system cannot function.
  • localStorage items (assessment progress, consent preferences, language) are strictly necessary for the service you requested.

Because all storage on this site is strictly necessary, no cookie consent banner is legally required. We provide this policy for full transparency in accordance with GDPR Article 5(1)(a).

7. How to Clear Cookies and localStorage

You can delete all data stored by this site at any time:

  • Chrome: Settings → Privacy and Security → Clear Browsing Data → select "Cookies and other site data"
  • Firefox: Settings → Privacy & Security → Cookies and Site Data → Clear Data
  • Safari: Settings → Privacy → Manage Website Data → Remove data for this site

Clearing cookies will sign you out. Clearing localStorage will reset your assessment progress and consent preferences. No personal data is stored in localStorage.

8. Questions

This cookie policy is maintained by Tina Gabrovec s.p., trading as Viktoria Compliance.

If you have questions about this policy or our use of cookies and localStorage, contact us at info@viktoria-compliance.eu. For details on how we handle personal data when you submit an assessment, see our Privacy Policy.