Cookie Information
Last updated: June 2, 2026
1. Introduction
This site uses only essential cookies, as well as preference cookies and browser local storage technologies necessary for service operation or for delivering settings explicitly requested by you. We do not use analytics, advertising, or tracking cookies. No marketing, remarketing, behavioural profiling, or cross-site tracking cookies are used.
2. What Cookies Are
Cookies are small text files stored on your device when you visit a website. They allow the site to recognize the device, manage access sessions, and retain certain preferences or functional information.
3. Legal Basis
- Essential cookies (authentication, CSRF, Cloudflare security) rely on Article 6(1)(b) GDPR (necessary for providing the requested service) and are exempt from the consent requirement under Article 5(3) of the ePrivacy Directive, as they are strictly necessary for service operation.
- Security-related processing (Cloudflare cf_clearance cookie) may also rely on Article 6(1)(f) GDPR (legitimate interest: platform security).
- Preference cookies (language, theme) are used for functional interface personalisation. The language cookie may be set automatically on first visit based on the browser's Accept-Language header, and the theme cookie defaults to 'dark' on first visit if no prior preference is stored, to ensure correct page rendering. Both are updated whenever you explicitly change your language or theme selection. These cookies fall under the interface-personalisation exemption per EDPB/WP194 guidance and do not require additional consent.
No consent mechanism for optional cookies is required, as the platform does not use analytics, marketing, advertising, or tracking cookies. The platform may nonetheless display an informative notice about cookies and local storage, for transparency.
4. Cookies We Use
| Cookie Name | Provider | Purpose | Duration | Legal Basis | Consent Required? |
|---|---|---|---|---|---|
| __Host-authjs.csrf-token | First party (NextAuth.js) | CSRF attack protection; required for authentication security | Session | Art. 6(1)(b) GDPR + ePrivacy exemption | No |
| __Secure-authjs.callback-url | First party (NextAuth.js) | OAuth authentication flow management; stores the redirect URL | Session | Art. 6(1)(b) GDPR + ePrivacy exemption | No |
| __Secure-authjs.session-token | First party (NextAuth.js) | Session maintenance; keeps you signed in | Up to 24 hours (JWT); forced re-authentication after 7 days of inactivity | Art. 6(1)(b) GDPR + ePrivacy exemption | No |
| cf_clearance | Cloudflare | Security cookie for DDoS and bot protection; required for secure site access | Variable (determined by Cloudflare's security configuration, typically up to 24 hours, but may vary outside the operator's direct control) | Art. 6(1)(b) + Art. 6(1)(f) GDPR + ePrivacy exemption | No |
| language | First party | Remembers the selected language so the server can render pages correctly | 1 year | Art. 6(1)(b) GDPR + ePrivacy exemption (interface personalization) | No |
| theme | First party | Remembers the selected display theme so the server can render pages correctly | 1 year | Art. 6(1)(b) GDPR + ePrivacy exemption (interface personalization) | No |
| csrf-token | First party (custom middleware) | CSRF attack prevention for non-authentication API endpoints; uses the double-submit cookie pattern and must remain readable by JavaScript to be included in request headers | 4 hours; refreshed on each page load if absent | Art. 6(1)(b) GDPR + ePrivacy exemption | No |
The language cookie is set automatically on your first visit based on your browser’s language settings (Accept-Language header), and is updated whenever you explicitly select a different language. The theme cookie defaults to ‘dark’ on first visit if no prior preference is stored; it is updated on every explicit theme selection. Both cookies are functional preferences necessary for correct page rendering and are therefore exempt from the consent requirement under Article 5(3) of the ePrivacy Directive per EDPB/WP194 guidance.
The durations indicated are approximate and may vary depending on server or third-party provider (Cloudflare) configuration.
Cloudflare may temporarily process HTTP requests, technical headers, security cookies, and IP addresses, including in raw form at the edge infrastructure level, for security, anti-abuse filtering, and DDoS protection. In Goldy.ro's own systems, raw IP addresses are stored only in the active technical IP block list for a maximum of 24 hours; in blocked-request logs, security-event logs, rate-limiting processing, and session tracking, IP addresses are stored in hashed/pseudonymised form in accordance with the retention periods stated in the Privacy Policy.
5. Technologies We Do NOT Use
We do not use any of the following technologies:
- Google Analytics or active third-party analytics tools
- Meta Pixel (Facebook Pixel)
- Google Ads or any advertising platform
- Analytics cookies of any kind
- Marketing or advertising cookies
- Remarketing cookies
- Social media tracking cookies
- Cross-site tracking
- Behavioural profiling technologies for advertising purposes
- Data brokers or data-selling platforms
This platform uses self-hosted Umami Analytics, which is currently active. Umami does not use cookies, does not fingerprint browsers, and does not share data with third parties. All data is stored on Goldy's own EU infrastructure. Anonymised page views are recorded. The following custom behavioural events are also tracked to understand how the platform is used: game_start (when a player begins a math game), game_complete (when a session ends - anonymised score and accuracy only), share_click (when a result is shared via WhatsApp, Facebook, Twitter, or link copy), and pwa_install (when the app is added to the home screen). No personal data, IP addresses, or user-identifiable information is attached to these events.
6. Local Storage
In addition to cookies, we use localStorage (browser local storage) for the following purposes:
By 'local storage' we refer to localStorage and, where applicable, sessionStorage. sessionStorage is typically retained only for the duration of the browser session.
- Tool settings: configurations for randomizer tools and other platform tools
- Game progress: educational game progress data
- Accessibility preferences: user-selected accessibility options
- Guest progress: if you use educational games or tools before creating an account, some progress and preference data may be stored locally in your browser
| Key | Provider | Purpose | Duration | Sent to server? | Consent required? |
|---|---|---|---|---|---|
| goldy_cookie_consent | First party | Stores acceptance of the cookie information notice | Persistent (until manually deleted) | No | No |
| goldy_favs | First party | Games marked as favourites by the user | Persistent (until manually deleted) | No (directly); possibly on optional migration to account | No |
| goldy_game_prefs | First party | Game preferences (volume, speed, accessibility) explicitly requested by the user | Persistent (until manually deleted) | No | No |
| goldy_vkb | First party | Virtual keyboard activation state | Persistent (until manually deleted) | No | No |
| goldy_game_completions | First party | Game completions for educational journeys | Persistent (until manually deleted) | No (directly); possibly on optional migration to account | No |
| goldy_perf_<gameId> | First party | Recent per-game performance (scores, reaction times) | Persistent (until manually deleted) | No | No |
| calculRapidSettings | First party | Custom Speed Math configuration | Persistent (until manually deleted) | No | No |
| worksheet-member-names | First party | Member names for worksheet generation | Persistent (until manually deleted) | No | No |
| randomizerTemporarySettings | First party | Temporary settings for the Randomizer tool | Persistent (until reset or manually deleted) | No | No |
| verify_email_notice_email | First party | Email entered at registration, displayed in the verification notice | sessionStorage (browser session duration) | No | No |
| pending_referral_code | First party | Temporary referral code for linking at registration | sessionStorage (browser session duration) | Yes, only if the user completes registration/authentication with that code; otherwise it remains local until the browser session ends. | No |
| goldy_active_linked_profile_id | First party | Stores the ID of the currently active linked (child) profile selected by the parent | Persistent (until profile change or account sign-out) | No | No |
| goldy_active_linked_profile_data | First party | Caches basic details (name, age group, avatar, PIN status) of the active linked profile to avoid extra server requests | Persistent (until profile change or account sign-out) | No | No |
| a11y-dyslexia | First party | Dyslexia-friendly font toggle (accessibility preference) | Persistent (until manually deleted) | No | No |
| a11y-fontSize | First party | Font size preference (normal / large / extra-large) | Persistent (until manually deleted) | No | No |
| a11y-spacing | First party | Increased text spacing toggle (accessibility preference) | Persistent (until manually deleted) | No | No |
| a11y-reduced-motion | First party | Reduced motion toggle (accessibility preference) | Persistent (until manually deleted) | No | No |
| a11y-high-contrast | First party | High contrast mode toggle (accessibility preference) | Persistent (until manually deleted) | No | No |
| colorblindMode | First party | Colorblind-friendly color palette toggle (accessibility preference) | Persistent (until manually deleted) | No | No |
| colorblindType | First party | Selected colorblind palette type (deuteranopia, protanopia, tritanopia, etc.) | Persistent (until manually deleted) | No | No |
| goldy_guide_auth | First party | Tracks parent onboarding guide progress for authenticated users | Persistent (until guide completion or manual deletion) | No | No |
| goldy_guide_guest | First party | Tracks parent onboarding guide progress for guest (non-authenticated) users | Persistent (until guide completion or manual deletion) | No | No |
| goldy_weekly_goal | First party | Stores the weekly learning goal (number of sessions per week) set by the user | Persistent (until manually deleted) | No | No |
| goldy_weekly_goal_week | First party | Tracks the current ISO week string for the weekly goal counter | Persistent (until manually deleted) | No | No |
| goldy_fact_fluency | First party | Stores fact-fluency game progress and settings for educational use | Persistent (until manually deleted) | No | No |
| goldy_sounds | First party | Stores the sound on/off preference for educational games | Persistent (until manually deleted) | No | No |
| goldy_sub_test_max | First party | Best score achieved in the Subtraction Test game (educational progress) | Persistent (until manually deleted) | No | No |
| goldy_sub_test_streak | First party | Current consecutive-day streak for the Subtraction Test game | Persistent (until manually deleted) | No | No |
| randomizerSettings | First party | Saved (non-temporary) configuration for the Randomizer classroom tool | Persistent (until manually deleted) | No | No |
| goldy_session_start_{userId} | First party | Records the session start timestamp per user for the break reminder feature (helps remind users to take breaks during extended use) | sessionStorage (browser session duration) | No | No |
| goldy_guest_migrated | First party | One-time flag indicating that guest progress data has been migrated to the user's account; prevents duplicate migration prompts | sessionStorage (browser session duration) | No | No |
| goldy_ab_arrival_v | First party | Non-personalised A/B variant assignment (A or B) used to test two versions of the arrival and onboarding screen | Persistent (14-day TTL, then deleted) | Yes (value transmitted in onboarding POST request body; persisted in database) | No |
| goldy_ab_arrival_date | First party | Timestamp of A/B variant assignment, used to expire the assignment after 14 days | Persistent (14-day TTL, then deleted) | No | No |
| goldy_practice_gap | First party | Self-reported practice history (e.g. "regular", "months", "years", "never") collected during onboarding to calibrate initial difficulty and messaging | Persistent (until manually deleted or account linked) | Yes (transmitted in onboarding POST request body; persisted in database) | No |
| goldy_arrival_seen | First party | One-time flag indicating that the arrival or onboarding screen has been shown; prevents the screen from appearing again | Persistent (until manually deleted) | No | No |
Local storage data is specific to the device and browser used. It is not accessible on other devices or browsers.
Locally stored data is not transmitted to servers or third parties solely by virtue of being stored in the browser. Some values may be read by the application and used locally for interface operation, and some may be transmitted to the server only if the functionality used involves synchronization, saving, authentication, or migration to an account.
When you create an account, you may be offered the option to migrate local data (such as guest progress) to your account. This migration is optional - you may choose to start fresh.
You may delete local storage data at any time through your browser settings. Deleting this data may result in the loss of locally saved preferences and progress.
We recommend that you do not enter full real names or sensitive data in locally saved worksheet fields; you may use first names, pseudonyms, or initials.
7. How You Can Control or Delete Cookies
You can manage and delete cookies through your browser settings. Most browsers offer options to view stored cookies, delete individual cookies or all cookies, block cookies from certain sites, and configure notifications when new cookies are set.
Deleting essential cookies will affect site functionality. For example, you will be signed out of your account, CSRF protection may be temporarily affected, and language and theme preferences may be reset.
If you block strictly necessary cookies, you may be unable to create an account, sign in, or use authenticated features.
Preference cookies (language, theme) will only be reset if you manually delete them; they will be restored upon the next active selection of a language or theme.
8. Additional Information
For detailed information about the processing of your personal data, see the Privacy Policy.
For account requirements, responsibilities, and conditions of use, see the Terms and Conditions.
For questions about cookies, local storage, or data protection, you can contact us through the Contact page, at [email protected], at [email protected], or at [email protected]. The [email protected] and [email protected] addresses are dedicated channels for data protection requests and do not constitute the formal designation of a DPO.