Sikurd sets strictly-necessary and functional first-party cookies only. There are no third-party analytics, advertising, or tracking cookies anywhere on sikurd.com — not on the marketing site, not in the app. Because nothing we set requires consent under the ePrivacy Directive’s strictly-necessary carve-out, our banner is a notice, not a consent wall; we still record acknowledgments in our consent log (with IP and user agent) as evidence of disclosure.
The full inventory
In production, security-sensitive cookies carry a __Secure- or __Host- prefix (a browser mechanism that locks a cookie to HTTPS and to this exact host) — the table shows both names where that applies. All cookies are httpOnly where the browser doesn’t need to read them, and none are readable by other sites.
| Cookie | Purpose | Lifespan | Set when |
|---|---|---|---|
| authjs.session-token (prod: __Secure-authjs.session-token) | Keeps you signed in. An encrypted session token (JWT) — this is the cookie that makes the dashboard work at all. | 30 days | When you sign in. |
| authjs.csrf-token (prod: __Host-authjs.csrf-token) | Cross-site request forgery protection on the sign-in and sign-out forms (double-submit token). | Browser session | When you visit a sign-in page. |
| authjs.callback-url (prod: __Secure-authjs.callback-url) | Remembers which page to return you to after signing in. | Browser session | When you start a sign-in. |
| NEXT_THEME | Your light / dark theme choice, so the page renders in the right theme without flashing. | 1 year | When you toggle the theme. |
| NEXT_LOCALE | Your language preference for the marketing and legal pages (six languages). | 1 year | When you pick a language. |
| sikurd.console-stepup (prod: __Secure-sikurd.console-stepup) | Short-lived proof that an administrator just passed a second-factor (MFA) check before opening a 3CX console, so opening several consoles back-to-back doesn't re-prompt every click. Admin accounts only. | 10 minutes | When an admin verifies an MFA code to open a console. |
| sp_auth_<page> | Access to a password-protected status page after you enter its password (one cookie per status page, signed, no personal data). | 12 hours | When you unlock a password-protected status page. |
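
The prefix rules mentioned above the table can be checked mechanically against the Set-Cookie headers a deployment returns. The following is an added example, not Sikurd's code: checkPrefix and parseSetCookie are hypothetical helpers, and the header strings are constructed samples that reuse cookie names from the table.

```javascript
// Added example: check Set-Cookie values against the browser cookie-prefix rules.
//   __Secure- : must carry the Secure attribute.
//   __Host-   : must carry Secure, must set Path=/, must not set Domain.

// Parse one Set-Cookie value into { name, attrs }; attribute keys are lowercased.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? "" : pair.slice(0, eq);
  const attrs = new Map();
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs.set(key, i === -1 ? true : part.slice(i + 1));
  }
  return { name, attrs };
}

// Return the list of prefix-rule violations; an empty list means the header passes.
function checkPrefix(header) {
  const { name, attrs } = parseSetCookie(header);
  const lower = name.toLowerCase(); // compare the prefix case-insensitively
  const isHost = lower.startsWith("__host-");
  const isSecure = lower.startsWith("__secure-");
  const problems = [];
  if ((isHost || isSecure) && !attrs.has("secure")) {
    problems.push("prefixed cookie without Secure");
  }
  if (isHost && attrs.has("domain")) {
    problems.push("__Host- cookie must not set Domain");
  }
  if (isHost && attrs.get("path") !== "/") {
    problems.push("__Host- cookie must set Path=/");
  }
  return problems;
}

// Constructed sample headers (values are placeholders, not real tokens).
const samples = [
  "__Host-authjs.csrf-token=PLACEHOLDER; Path=/; Secure; HttpOnly; SameSite=Lax",
  "__Host-authjs.csrf-token=PLACEHOLDER; Path=/; Domain=sikurd.com; Secure",
  "__Secure-authjs.session-token=PLACEHOLDER; Path=/; HttpOnly",
  "NEXT_THEME=dark; Path=/; Max-Age=31536000",
];
for (const h of samples) {
  console.log(h.split("=")[0], "->", checkPrefix(h).join("; ") || "ok");
}
```
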
Browser storage that isn’t a cookie
A few preferences live in your browser’s localStorage instead of cookies. Unlike cookies, these are never sent to our servers — they stay on your device and you can clear them any time via your browser’s site-data settings.
| Key | Purpose |
|---|---|
| sikurd_cookie_notice_v1 | Remembers that you've acknowledged the cookie notice, so the banner doesn't reappear on every page. |
| sikurd.demoMode | Operator-facing demo mode that masks customer names on screen (used for screenshots and screen-shares). |
| UI preferences (sidebar, list/grid views, saved templates) | Cosmetic interface state — collapsed sidebar, preferred instance view, and similar. Names vary by screen. |
Third parties
Payment checkout happens on Stripe’s own pages (stripe.com), which set their own cookies under Stripe’s privacy policy. No Stripe JavaScript or cookies load on sikurd.com itself. The other vendors that process data for us server-side never touch your browser — they’re listed on the sub-processor page.
Managing cookies
You can delete or block cookies in your browser settings at any time. Blocking the session cookie signs you out; blocking the rest only loses small conveniences (theme, language, banner acknowledgment). Because we set no optional cookies, there is nothing to opt out of — there’s no hidden tracking running behind a “reject” button we didn’t build.
Questions about this policy: privacy@sikurd.com. See also the Privacy Policy and the GDPR program overview.
Last updated: June 11, 2026. This inventory is maintained against the codebase — every cookie the application can set is listed above.