Cookies Policy

Why there is no accept/reject banner right now

At the time of this review, the public web flow only relies on cookies and similar technologies that are strictly necessary to provide the requested service or that are set as a direct result of an explicit user action, such as choosing a language or signing in.

For that reason, ZyvoCast currently documents these cookies transparently but does not display an accept or reject banner on first anonymous visit. If optional analytics, advertising, retargeting or cross-site tracking technologies are added later, a consent layer with accept, reject and settings controls must be deployed first.

Current cookie and storage inventory

NEXT_LOCALE. Owner: ZyvoCast web frontend. Purpose: remember the language selected by the user in the locale switcher. Trigger: only after the user explicitly changes the language. Lifetime: up to 31536000 seconds (about one year). Classification: preference cookie requested by the user.

csrftoken. Owner: ZyvoCast API. Purpose: protect authenticated and state-changing requests against CSRF attacks. Trigger: when the portal prepares a form or authenticated flow that needs CSRF protection. Lifetime: defined by backend configuration and browser session policies. Classification: technical security cookie exempt from consent.

sessionid or equivalent authenticated session cookie. Owner: ZyvoCast API. Purpose: keep the user signed in after magic-link verification and allow access to dashboard, checkout and household management routes. Trigger: after successful authentication. Lifetime: defined by backend session settings and browser policies. Classification: technical authentication cookie exempt from consent.

Server-side request headers or forwarded cookie state used by the Next.js server to call the API are not additional browser cookies by themselves. They are part of the authenticated session flow and only reuse the browser cookies already described above.

What is not currently used

The current public portal does not intentionally load Google Analytics, Google Tag Manager, PostHog, Mixpanel, Meta Pixel, Hotjar, Vercel Analytics, advertising tags or comparable third-party trackers in the initial public experience.

The current checkout flow is designed around redirection to the payment provider instead of embedding a marketing or analytics stack inside the public landing flow. If an embedded payment, video or analytics widget introduces non-exempt cookies later, ZyvoCast must revise this policy and add a consent manager before shipping it.

How to manage or remove cookies

You can clear or block cookies from your browser settings at any time. Doing so may sign you out, remove the stored locale preference or interrupt activation, dashboard or checkout flows that depend on security and session cookies.

Because the current site relies on cookies required for login, CSRF protection and authenticated household management, disabling those technical cookies may prevent parts of the service from working correctly.

Future changes

ZyvoCast must not introduce optional analytics, advertising, retargeting, social tracking pixels, non-essential media embeds or similar technologies without first implementing a compliant consent mechanism that offers accept, reject, granular configuration and later withdrawal.

This page should be updated whenever the cookie inventory, retention windows, providers or legal basis change in a way that affects users.