exceptao.com), paraKSCol (parakscol.pl), and Cyberzgodność EDU (cyberzgodnosc.edu.pl). The same minimal cookie set applies across all brands.

sessionid)

| Attribute | Value |
|---|---|
| Purpose | Maintains your authenticated session after login. The server uses this cookie to look up your session record and identify you on each request. |
| Type | First-party, server-side session |
| Necessity | Strictly necessary — the application cannot function without it |
| Flags | Secure; HttpOnly; SameSite=Lax |
| Duration | Expires on browser close or after 15 minutes of inactivity; refresh logic extends the session on activity up to a maximum absolute lifetime of [TO BE COMPLETED: confirm absolute session lifetime — e.g. 24 hours] |
| Data stored in cookie | Session ID only — an opaque random identifier. No personal data is stored in the cookie itself. All session data (user identity, permissions, tenant) is held server-side in Redis, keyed by the session ID. |
| Data stored server-side | User ID, tenant ID, authentication method used, TOTP status, last activity timestamp. Retained until session expiry; deleted on explicit logout. |

csrftoken)

| Attribute | Value |
|---|---|
| Purpose | Protects against Cross-Site Request Forgery attacks. The frontend reads this cookie and includes the value as an X-CSRFToken header on every state-mutating AJAX request. The server rejects requests where the header and cookie values do not match. |
| Type | First-party |
| Necessity | Strictly necessary — required for the security of all write operations |
| Flags | Secure; SameSite=Lax (readable by JavaScript for inclusion in AJAX requests — this is by design and does not reduce security because SameSite=Lax prevents cross-origin reads) |
| Duration | 1 year (rotated on each login) |
| Data | Opaque cryptographically random token; no personal data |
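
A check that responses actually carry the flags listed in the two tables above, and that no cookie outside this disclosure is being set. This is an added example, not the Operator's code; the sample headers are constructed, and `audit`, `parse_set_cookie`, `EXPECTED` and `EDGE_COOKIES` are names chosen for illustration.

```python
# Added example: audit Set-Cookie headers against the flags stated in this disclosure.
# Policy transcribed from the sessionid and csrftoken tables; csrftoken must stay
# readable by JavaScript, so HttpOnly on it is flagged as a mismatch too.
EXPECTED = {
    "sessionid": {"secure": True, "httponly": True, "samesite": "lax"},
    "csrftoken": {"secure": True, "httponly": False, "samesite": "lax"},
}
EDGE_COOKIES = {"__cf_buid", "__cflb"}  # edge cookies named in the disclosure


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, attrs); attribute names lowercased."""
    first, *rest = [part.strip() for part in header.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in filter(None, rest):
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name, attrs


def audit(headers):
    """Return sorted findings; an empty list means every header matches the policy."""
    findings = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if name in EDGE_COOKIES:
            continue
        policy = EXPECTED.get(name)
        if policy is None:
            findings.append(f"{name}: not listed in disclosure")
            continue
        for flag in ("secure", "httponly"):
            if (attrs.get(flag) is True) != policy[flag]:
                state = "missing" if policy[flag] else "unexpected"
                findings.append(f"{name}: {flag} {state}")
        samesite = str(attrs.get("samesite", "absent")).lower()
        if samesite != policy["samesite"]:
            findings.append(f"{name}: samesite is {samesite}, expected lax")
    return sorted(findings)


# Constructed sample headers, not captured from the real service.
GOOD = ["sessionid=3f9c; Path=/; Secure; HttpOnly; SameSite=Lax",
        "csrftoken=a1b2; Path=/; Secure; SameSite=Lax"]
BAD = ["sessionid=3f9c; Path=/; Secure; SameSite=Lax",
       "csrftoken=a1b2; Path=/; HttpOnly; SameSite=None",
       "_ga=GA1.2; Path=/"]
```

Feed `audit` the `Set-Cookie` values from a login response; any non-empty result is a drift between the deployment and this disclosure.
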
Cloudflare, our CDN and WAF provider, may set one or more cookies at the edge layer before a request reaches our application.
| Cookie name | Purpose | Duration |
|---|---|---|
| __cf_buid | Bot management — distinguishes legitimate human browsers from automated traffic. Does not identify individual users across sessions. | Session or short-lived persistent |
| __cflb | Load balancing — routes requests from the same client to the same Cloudflare edge server during a session for connection consistency. | Session |
These cookies are set by Cloudflare pursuant to our use of the Cloudflare CDN/WAF service. They do not contain personal data. They are technically necessary to operate the CDN and WAF layer. See Cloudflare’s privacy policy at cloudflare.com/privacypolicy/ for their handling of these cookies.
The marketing site (exceptao.com, parakscol.pl, cyberzgodnosc.edu.pl) currently loads fonts from Google Fonts. When the browser requests a font file, the HTTP request transmits the visitor’s IP address and User-Agent header to Google’s servers. Google’s handling of this data is governed by Google’s privacy policy.
This is a known privacy consideration. The Operator is evaluating self-hosting all font files to eliminate this third-party request entirely. When self-hosting is complete, this section will be removed from this disclosure.
Legal basis for the current Google Fonts request: legitimate interest (Art. 6(1)(f) GDPR) in consistent font rendering across browsers. The Operator’s assessment is that this interest does not override the visitor’s right to data protection given that: (a) Google Fonts requests do not set any persistent cookie on the visitor’s device; (b) the font files are served from fonts.gstatic.com with no additional tracking parameters; (c) the IP address transmitted to Google is transient and is not linked by the Operator to any individual identity. Visitors who wish to prevent this request entirely may use a browser extension that blocks fonts.gstatic.com, or disable remote font loading in their browser settings.
The marketing site does not load scripts from Google’s analytics or advertising platforms.
Strictly necessary cookies (sessionid, csrftoken, Cloudflare edge cookies) are exempt from the ePrivacy consent requirement. Under the ePrivacy Directive (2002/58/EC) as implemented in Poland (Ustawa z dnia 16 lipca 2004 r. — Prawo telekomunikacyjne, Art. 173), cookies that are strictly necessary for a service explicitly requested by the user do not require prior consent.
We do not deploy optional cookies, tracking cookies, or cookies that would require a consent banner. If we add optional cookies or tracking tools in the future, we will update this disclosure and implement a GDPR/ePrivacy compliant consent mechanism before deployment.
You can control cookies using your browser’s built-in cookie settings:
Deleting or blocking sessionid will log you out of the application. Deleting or blocking csrftoken will cause write operations to fail until the cookie is re-set at next login.
If we add new cookies or tracking tools, we will:
/legal/subprocessors).

| Purpose | Contact |
|---|---|
| Privacy enquiries | privacy@exceptao.com |
| Polish public sector enquiries | kontakt@cyberzgodnosc.edu.pl |
| Data Subject Rights requests | privacy@exceptao.com (see also /legal/privacy) |
| Complaints | Urząd Ochrony Danych Osobowych (UODO), uodo.gov.pl |