Cookies

1. What cookies and similar technologies are

Cookies are small text files stored by the browser on the User's device at the request of the visited website. localStorage and sessionStorage are key/value stores inside the browser itself; unlike cookies, their contents are not transmitted automatically with every request to the server.

This Cookie Policy applies to the Platform itself — the domains pages.otack.eu, app.otack.eu and its sub-domains. Websites generated and published by Users through the Platform have their own cookie posture, which is governed entirely by the relevant User as the data controller of that site and is not covered by this Policy.

The operator of the Platform is Goup Space Sp. z o. o., ul. Hoża 86/210, 00-682 Warszawa, Poland, KRS 0000932799, REGON 520583134, NIP 7011061440, e-mail info@pages.otack.eu.

2. What we use

The Platform uses only the following cookies and browser-storage items:

  • WGSESS_{port} — server-side authentication session cookie set by the PHP session_start() function. Strictly necessary. Origin: first-party. Attributes: HttpOnly (not readable by JavaScript), Secure (HTTPS-only in production), SameSite=Lax (CSRF mitigation). Duration: session — cleared when the browser session ends.
  • csrf_token — anti-CSRF token kept inside the server-side session and submitted with every state-changing request via a header or form field. This is not a separate browser cookie.
  • wg_keys_pwd (sessionStorage) — XOR-masked AI-keys password held only for the current browser tab session and used by the in-browser key-decryption flow. Strictly necessary for the AI-keys feature. First-party.
  • wg_keys_mask (sessionStorage) — random per-session XOR mask used together with wg_keys_pwd. First-party.
  • wg_keys_blob_local, wg_keys_mode (localStorage) — encrypted AI-keys blob and the active key-storage mode (account/local). First-party. Persistent until the User explicitly resets them.
  • wg_key_openai, wg_key_claude, wg_key_gemini, wg_key_moonshot (localStorage, legacy) — legacy unencrypted single-provider key slots preserved for backwards compatibility; the current code no longer writes them. First-party.
  • hCaptcha cookies (third-party, by Intuition Machines, Inc.) — set on the registration page to perform bot detection. Strictly necessary for the security of the registration flow. Domain: hcaptcha.com. Duration: per hCaptcha; see https://www.hcaptcha.com/privacy.
  • wg-cookie-ok-{slug} (localStorage, on a User's published site only) — not set by the Platform itself but described here for transparency: when a User publishes a Generated Site with a cookie banner configured, that site stores the visitor's consent in this localStorage key on the visitor's device. The visitor's privacy notice on that site is the User's responsibility.

3. What we do NOT use

The Platform does not use any of the following:

  • analytics or measurement cookies (no Google Analytics, no Plausible, no Matomo on the Platform itself — but a User's marketing landing pages may include analytics as configured by the User; see the caveat in §1);
  • advertising or tracking cookies;
  • cross-site fingerprinting or device-level identifiers;
  • social-media tracking pixels.

As to Users' own websites published via the Platform — the User decides what their own site collects; that is governed by the User as the data controller of that site.

4. Legal basis and why no Platform-wide consent banner

The Polish transposition of the ePrivacy Directive — Prawo telekomunikacyjne, in particular Art. 173 — requires the user's consent for storing information on, or accessing information on, the user's device, except where the storage or access is strictly necessary to provide the service that the user has requested.

All cookies and storage used by the Platform itself are either (i) strictly necessary for the authentication and security of the Platform, or (ii) strictly necessary for the AI-keys feature that the User explicitly enables.

hCaptcha is classified as strictly necessary for the security of the registration flow.

Because no non-strictly-necessary cookies are used by the Platform, a separate cookie-consent banner is not legally required for the Platform itself.

This may change if the Platform later adds analytics or marketing technologies — in that case, a consent banner will be added before any non-strictly-necessary cookie is set.

5. How to manage cookies and storage

Browser controls. Users can disable, block or delete cookies and clear localStorage/sessionStorage via their browser settings. Common paths:

  • Chrome: chrome://settings/cookies
  • Firefox: about:preferences#privacy
  • Safari: Preferences → Privacy
  • Edge: edge://settings/content/cookies

Effect of blocking. Blocking WGSESS_* prevents login; blocking hCaptcha prevents account registration. Clearing localStorage erases stored AI keys from the device — they would need to be re-imported or re-entered.

Mobile browsers offer similar controls in their settings.

6. Contact, related documents and changes

For questions about cookies and similar technologies: info@pages.otack.eu.

Related documents: Privacy Policy, Terms of Service, Data Processing Agreement.

Material changes to this Policy will be announced with at least 14 days' notice. The English version is the master version; in case of any conflict between translations, the English version prevails. Effective: 2026-05-20.