Cookie Policy

Last updated: April 3, 2026

1. What Are Cookies?

Cookies are small text files placed on your device when you visit a website. They allow the website to remember your preferences and provide essential functionality. Local Storage is a similar browser technology that stores data on your device without sending it to the server on every request. This policy covers all cookies, session storage, and local storage used by the XPXO Network.

2. Cookies & Storage We Use

The XPXO Network uses only strictly necessary cookies and storage entries. No analytics, advertising, or third-party tracking cookies are used. The table below lists every cookie/storage item set by our own infrastructure.

| Name | Provider | Type | Purpose | Duration | Legal Basis |
|---|---|---|---|---|---|
| xpxo_cookie_consent | XPXO | localStorage | Records your cookie consent decision (essential/all) | Persistent (until cleared) | Art. 6(1)(f) GDPR |
| xpxo-sso | XPXO | Cookie (HttpOnly, Secure, SameSite=None) | Cross-domain SSO authentication token — allows seamless login across all xpxo.* domains | 30 days | Art. 6(1)(b) GDPR |
| next-auth.session-token | XPXO (NextAuth) | Cookie (HttpOnly, Secure) | Authenticates your session after OAuth login on xpxo.me | 30 days | Art. 6(1)(b) GDPR |
| __Secure-next-auth.session-token | XPXO (NextAuth) | Cookie (HttpOnly, Secure) | Secure-prefixed session token (used when served over HTTPS) | 30 days | Art. 6(1)(b) GDPR |
| next-auth.csrf-token | XPXO (NextAuth) | Cookie | CSRF protection token for authentication form submissions | Session | Art. 6(1)(f) GDPR |
| next-auth.callback-url | XPXO (NextAuth) | Cookie | Stores the redirect URL to return to after successful login | Session | Art. 6(1)(f) GDPR |
| lang | XPXO | Cookie | Stores your language preference (DE/EN) | 30 days | Art. 6(1)(f) GDPR |
| __cf_bm | Cloudflare | Cookie | Bot detection and DDoS protection (set by Cloudflare CDN) | 30 minutes | Art. 6(1)(f) GDPR |
| cf_clearance | Cloudflare | Cookie | Records that a security challenge was successfully completed | 30 minutes | Art. 6(1)(f) GDPR |

Note on OAuth provider cookies: When you initiate login via Discord, Google, GitHub, or Twitch, those providers may set their own cookies on their respective domains (e.g. accounts.google.com, discord.com). These cookies are outside XPXO's control and are governed by the respective provider's cookie/privacy policy.

3. Cookie Categories

Strictly Necessary

All cookies listed above are strictly necessary. They ensure login functionality, cross-domain session management, CSRF protection, language preference persistence, and protection against DDoS and automated bot traffic. None of these cookies are used for advertising, analytics, or profiling purposes. Strictly necessary cookies do not require consent and cannot be disabled without breaking core website functionality.

Analytics — Not Used

We do not use Google Analytics, Matomo, Plausible, or any other analytics or tracking pixel. No behavioural profiling takes place.

Advertising — Not Used

We do not use advertising networks, retargeting pixels, or social media tracking buttons (Facebook Pixel, Twitter/X Pixel, etc.).

Third-party Cookies

Cloudflare (our CDN/DDoS provider) sets the __cf_bm and cf_clearance cookies listed above. All fonts and static assets are self-hosted on our own server — no Google Fonts CDN calls are made. OAuth providers (Discord, Google, GitHub, Twitch) may set cookies on their own domains when you use their login, but do not set cookies on xpxo.* domains.

4. Managing & Deleting Cookies

You can manage, block, or delete cookies through your browser settings. Note that disabling the cookies listed above may break login functionality. Instructions for common browsers:

  • Chrome: Settings → Privacy and Security → Cookies and other site data → See all site data and permissions
  • Firefox: Settings → Privacy & Security → Cookies and Site Data → Manage Data
  • Safari: Preferences → Privacy → Manage Website Data
  • Edge: Settings → Cookies and site permissions → Manage and delete cookies and site data
  • Brave: Settings → Privacy and Security → Cookies and other site data

To reset your XPXO cookie consent preference and see the consent banner again, click the button below:

5. Consent & Legal Basis

Under Art. 5(3) of the ePrivacy Directive (Cookie Law) and the GDPR, access to or storage of information on a device requires either (a) the user's prior informed consent, or (b) strict necessity for the provision of a service explicitly requested by the user. All cookies listed in this policy fall under category (b) — strictly necessary for authentication, security, and basic website functionality — and therefore do not require consent under Art. 6(1)(f) or Art. 6(1)(b) GDPR. We nonetheless display a cookie banner for transparency.

6. Changes to This Policy

If we introduce new cookies or change how we use storage technologies, this policy will be updated and your consent will be requested again where required by law. The date at the top of this page indicates the last revision.

7. Contact

For questions about cookies or data privacy, please contact:
[email protected]

For full details on how we process your personal data, see our Privacy Policy.