Legal

Cookie Policy

Every cookie Sikurd sets — name, purpose, and lifespan. First-party only; no analytics, advertising, or tracking.

Sikurd sets strictly-necessary and functional first-party cookies only. There are no third-party analytics, advertising, or tracking cookies anywhere on sikurd.com — not on the marketing site, not in the app. Because nothing we set requires consent under the ePrivacy Directive’s strictly-necessary carve-out, our banner is a notice, not a consent wall; we still record acknowledgments in our consent log (with IP and user agent) as evidence of disclosure.

The full inventory

In production, security-sensitive cookies carry a __Secure- or __Host- prefix (a browser mechanism that locks a cookie to HTTPS and to this exact host) — the table shows both names where that applies. All cookies are httpOnlywhere the browser doesn’t need to read them, and none are readable by other sites.

CookiePurposeLifespanSet when
authjs.session-token
prod: __Secure-authjs.session-token
Keeps you signed in. An encrypted session token (JWT) — this is the cookie that makes the dashboard work at all.30 daysWhen you sign in.
authjs.csrf-token
prod: __Host-authjs.csrf-token
Cross-site request forgery protection on the sign-in and sign-out forms (double-submit token).Browser sessionWhen you visit a sign-in page.
authjs.callback-url
prod: __Secure-authjs.callback-url
Remembers which page to return you to after signing in.Browser sessionWhen you start a sign-in.
NEXT_THEMEYour light / dark theme choice, so the page renders in the right theme without flashing.1 yearWhen you toggle the theme.
NEXT_LOCALEYour language preference for the marketing and legal pages (six languages).1 yearWhen you pick a language.
sikurd.console-stepup
prod: __Secure-sikurd.console-stepup
Short-lived proof that an administrator just passed a second-factor (MFA) check before opening a 3CX console, so opening several consoles back-to-back doesn't re-prompt every click. Admin accounts only.10 minutesWhen an admin verifies an MFA code to open a console.
sp_auth_<page>Access to a password-protected status page after you enter its password (one cookie per status page, signed, no personal data).12 hoursWhen you unlock a password-protected status page.

Browser storage that isn’t a cookie

A few preferences live in your browser’s localStorage instead of cookies. Unlike cookies, these are never sent to our servers— they stay on your device and you can clear them any time via your browser’s site-data settings.

KeyPurpose
sikurd_cookie_notice_v1Remembers that you've acknowledged the cookie notice, so the banner doesn't reappear on every page.
sikurd.demoModeOperator-facing demo mode that masks customer names on screen (used for screenshots and screen-shares).
UI preferences (sidebar, list/grid views, saved templates)Cosmetic interface state — collapsed sidebar, preferred instance view, and similar. Names vary by screen.

Third parties

Payment checkout happens on Stripe’s own pages (stripe.com), which set their own cookies under Stripe’s privacy policy. No Stripe JavaScript or cookies load on sikurd.com itself. The other vendors that process data for us server-side never touch your browser — they’re listed on the sub-processor page.

Managing cookies

You can delete or block cookies in your browser settings at any time. Blocking the session cookie signs you out; blocking the rest only loses small conveniences (theme, language, banner acknowledgment). Because we set no optional cookies, there is nothing to opt out of — there’s no hidden tracking running behind a “reject” button we didn’t build.

Questions about this policy: privacy@sikurd.com. See also the Privacy Policy and the GDPR program overview.

Last updated: June 11, 2026. This inventory is maintained against the codebase — every cookie the application can set is listed above.