Cookie Policy
This Cookie Policy explains which cookies bzz.nu sets, what they are for, and how long they last. It supplements our Privacy Policy and should be read together with it.
bzz.nu sets no cookies at all. The authenticated dashboard at dashboard.bzz.nu uses only strictly necessary cookies required to keep you signed in and protect your session. We do not use analytics cookies, marketing cookies, or third-party tracking of any kind.
1. What Is a Cookie?
A cookie is a small text file that a website stores on your device when you visit it. Cookies let a site remember things about you — for example, that you are signed in — across page loads. There are several categories:
- Strictly necessary cookies. Required for the website to function. Under the ePrivacy Directive (Article 5(3)), these do not require your prior consent.
- Functional cookies. Remember your preferences (language, theme).
- Analytics cookies. Track how visitors use the site so owners can measure traffic.
- Marketing cookies. Track you across sites to build advertising profiles.
bzz.nu only uses cookies in the first category. We use no functional, analytics, or marketing cookies.
2. Cookies on bzz.nu (marketing site)
None. The public marketing site at bzz.nu — including the landing page, all legal pages, and the short-link redirect endpoint /:slug — sets no cookies whatsoever. You can verify this by opening your browser’s developer tools and checking the Cookies tab after visiting bzz.nu.
3. Cookies on dashboard.bzz.nu (authenticated dashboard)
The dashboard uses Auth.js (formerly known as NextAuth) as its session layer, with our Keycloak identity provider at auth.junovy.com handling the actual authentication. When you sign in, Auth.js sets three strictly necessary cookies on dashboard.bzz.nu so we can remember you are signed in. They all have the HttpOnly, Secure, and SameSite=Lax attributes and are only sent over HTTPS. You cannot read them from JavaScript.
| Cookie name | Purpose | Duration | Type |
|---|---|---|---|
__Host-authjs.csrf-token |
Cross-site request forgery (CSRF) protection for sign-in and sign-out forms. | Session (deleted when you close your browser) | Strictly necessary |
__Secure-authjs.callback-url |
Remembers which page you were trying to access when we asked you to sign in, so we can send you there after authentication. | Session | Strictly necessary |
__Secure-authjs.session-token |
Identifies your authenticated session after you sign in. Without it, we cannot tell that you are signed in. | 30 days | Strictly necessary |
3.1 Why these cookies are necessary
All three cookies are essential to providing a service you explicitly requested (signing in to manage your links). Under Article 5(3) of the ePrivacy Directive, cookies that are “strictly necessary for the provision of an information society service explicitly requested by the subscriber or user” do not require prior consent. This is why you will not see a cookie banner on dashboard.bzz.nu — we are not entitled to show one unless we actually have optional cookies, and we do not.
4. Cookies on auth.junovy.com (Keycloak)
When you sign in, you are briefly redirected to our identity provider Keycloak at auth.junovy.com. Keycloak sets its own strictly necessary session cookies on that domain (for example, AUTH_SESSION_ID, KEYCLOAK_IDENTITY). These are controlled by Keycloak, not by bzz.nu. They are also strictly necessary for authentication and do not require prior consent.
5. Third-Party Cookies
bzz.nu sets no third-party cookies. We do not embed Google Analytics, Facebook Pixel, Hotjar, Mixpanel, Segment, or any similar service. We do not embed third-party widgets (social media share buttons, chat boxes, comment systems) that would set cookies in your browser.
6. How to Control Cookies
You can clear or block cookies using your browser settings:
If you block the session cookies listed in § 3, you will not be able to sign in to the dashboard. That is the only consequence of blocking cookies on bzz.nu.
7. Server-Side Analytics and IP Hashing
Because we use no cookies for analytics, the only way we can count link clicks is to record events server-side when a request arrives. We hash the visitor’s IP address with a server-side salt before writing anything to our database, so we cannot build a profile of individual visitors. Full details are in the Privacy Policy § 2.
8. Changes to This Policy
If we ever introduce new cookies — whether our own or those of a third party — we will update this page and, for anything that is not strictly necessary, show you a real consent banner first. We will never sneak analytics or marketing cookies in silently.
9. Contact
Questions about cookies or tracking? Email [protected email].