Cookie Policy
Last updated: March 23, 2026
This policy applies to both the marketing website (faktor400.com) and the Faktor400 application (app.faktor400.com). Where the technologies used differ, this is indicated.
1. What Are Cookies and Similar Technologies?
Cookies are small text files stored by your browser on your device when you visit a website. They serve to make the website functional and to facilitate its use.
In addition to cookies, we also use Web Storage (Local Storage and Session Storage). These technologies are also subject to § 25 TDDDG and are covered in this policy.
2. Which Cookies and Storage Technologies Do We Use?
2.1 Strictly Necessary Cookies
These cookies are absolutely necessary for the operation of the website and the Faktor400 platform. They are set without consent.
| Cookie / Storage | Type | Scope | Purpose | Retention |
|---|---|---|---|---|
| sb-auth-token | Local Storage | App | Supabase authentication (session JWT) | Until refresh expiry / manual deletion |
| sb-*-auth-token-code-verifier | Session Storage | App | PKCE verifier for OAuth flow | Session |
| sb-* (SSR cookies) | Cookie | App | Supabase server-side authentication (@supabase/ssr) | Session / refresh expiry |
| faktor400-language | Cookie | Both | Store selected language (DE/EN) | 1 year |
| faktor400-timezone | Cookie | App | User timezone for date display | Session |
| faktor400-org-timezone | Cookie | App | Organization timezone for financial buckets | Session |
| faktor400-theme-id | Local Storage | App | Selected color scheme / theme | Until manual deletion |
| faktor400-layout | Local Storage | App | Layout preference (e.g., sidebar state) | Until manual deletion |
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in website operation) in conjunction with § 25(2) TDDDG.
2.2 Local Storage / Session Storage (App)
| Key | Purpose | Retention |
|---|---|---|
| auth_token (Local Storage) | App JWT for API requests | Until logout / manual deletion |
| faktor400-cookie-consent (Local Storage) | Stores the user's cookie consent choice (granted / denied) | Permanent (until manual deletion) |
Additional UI state data (e.g., filter settings) may be added in future development and will be documented here.
Legal basis: § 25(2) TDDDG (technically necessary, no consent required).
2.3 Analytics Cookies
Within the Faktor400 app, we use PostHog as an analytics tool. PostHog cookies and storage are only set after explicit consent (via cookie banner).
| Cookie / Storage | Type | Scope | Purpose | Retention |
|---|---|---|---|---|
| ph_*_posthog | Cookie | App | PostHog session identification | 1 year |
| ph_* | Local Storage | App | PostHog event buffer and user assignment | Until manual deletion |
PostHog is operated via the EU instance (eu.posthog.com). Autocapture is disabled; only explicitly defined events are captured. Session recording is disabled. The Do-Not-Track browser setting is respected.
Provider: PostHog, Inc., San Francisco, CA, USA (EU data processing).
On the landing page (faktor400.com), no analytics cookies are currently used.
Legal basis: Art. 6(1)(a) GDPR (consent) in conjunction with § 25(1) TDDDG.
2.4 Marketing Cookies
We do not use marketing or retargeting cookies. Should this change, these cookies will be documented here and only activated after consent.
3. Third-Party Cookies
| Provider | Scope | Cookie Type | Purpose | Consent |
|---|---|---|---|---|
| Supabase (Supabase Inc., USA) | App | Strictly necessary | Authentication (Local Storage + SSR cookies) | No (§ 25(2) TDDDG) |
| Stripe (Stripe Payments Europe, Limited) | App (Checkout) | Strictly necessary | Payment processing, fraud prevention | No (§ 25(2) TDDDG) |
| PostHog (PostHog, Inc., USA — EU instance) | App | Analytics | Product analytics, event tracking | Yes (consent) |
Third-country transfer: Supabase, Inc. is based in the USA. Data transfer is based on the EU-US Data Privacy Framework (Art. 45 GDPR). Stripe Payments Europe, Ltd. is based in Ireland (EU) — no third-country transfer. Details: Privacy Policy § 8.
4. Consent Management (Cookie Banner)
Since the Faktor400 app uses PostHog as an analytics tool, a cookie banner with an opt-in function for analytics cookies is required. Analytics cookies are only set after explicit consent. Strictly necessary cookies continue to be set without consent. You can change your preferences at any time via the 'Cookie Settings' link in the app footer or your browser settings.
5. Managing Cookies in Your Browser
You can manage and delete cookies in your browser settings:
- Chrome: Settings → Privacy and Security → Cookies
- Firefox: Settings → Privacy & Security → Cookies
- Safari: Settings → Privacy → Cookies
- Edge: Settings → Cookies and Site Permissions
Please note: Disabling strictly necessary cookies may prevent the website from functioning properly.
6. Changes
We update this cookie policy as needed, in particular when we introduce new cookies or technologies. Registered users will be notified of material changes by email.
Contact
Questions about cookie usage: datenschutz@faktor400.com
Language Versions
In the event of discrepancies between the German and any English version of this cookie policy, the German version shall prevail.