Cookie Policy
Last updated: 2026-05-19
1. Scope of this Cookie Policy
This Cookie Policy (the Policy) describes the cookies and equivalent storage mechanisms used on chirpcoop.com and the related Chirp Coop services (together, the Service), operated by Remény Farm Kft. The Policy is issued in compliance with:
- Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data (the GDPR);
- The ePrivacy Directive (Directive 2002/58/EC, as amended by Directive 2009/136/EC), which governs the storage of, and access to, information on a user's terminal equipment within the European Economic Area;
- The Hungarian transposition of those rules in Act C of 2003 on Electronic Communications, Section 155(4).
For the full account of how personal data is processed across the Service, refer to our Privacy Policy. The English-language site at chirpcoop.com is the public prestige surface (leaderboards, public chicken profiles, marketing). The patron experience is hosted in Hungarian at tyuk.remeny.farm and is governed by a parallel set of Hungarian-language legal notices.
2. What a cookie is
A cookie is a small text record that a website asks a browser to store on the user's device and that the browser returns with subsequent requests to the same origin. Functionally equivalent mechanisms — such as localStorage, sessionStorage, and embedded session tokens — fall within the scope of this Policy where they perform the same role as a cookie.
A cookie carries its name, value, the issuing domain, an expiry time, and attributes that instruct the browser how to handle it (HttpOnly, Secure, SameSite). A cookie marked HttpOnly is not readable by JavaScript running in the browser, which reduces the risk of session hijacking through cross-site scripting.
3. Cookies currently used
The Service uses strictly necessary cookies and storage mechanisms only. The current inventory is:
| Cookie / storage item | Purpose | Duration | Type |
|---|---|---|---|
| sb-<project-ref>-auth-token (a value held in the browser's localStorage, not a cookie) | Maintains the session after a successful magic-link sign-in: it stores the access and refresh tokens used to identify the user and to renew the session automatically without a new email link. | For the lifetime of the session, until the user signs out or clears the browser's storage. | Strictly necessary |
| Framework-managed operational cookies issued by Next.js (for example __Host- prefixed cookies, when CSRF protection or any future locale-negotiation layer is engaged) | Secure framework operation, cross-site request forgery (CSRF) protection, and short-lived operational state. | Session. | Strictly necessary |
The authentication token is held in the browser's localStorage. This storage mechanism is accessible to browser-side JavaScript, but the browser's same-origin policy means it can only be read from the issuing origin, and the token is always transmitted over HTTPS. Any framework-managed operational cookies are set with the HttpOnly, Secure, and SameSite=Lax attributes and are not readable by browser-side JavaScript.
3.1 Legal basis for strictly necessary cookies
The Service relies on Article 6(1)(f) of the GDPR — the legitimate-interest legal basis — for setting and reading strictly necessary cookies. The legitimate interest pursued is the secure and uninterrupted operation of the Service: user authentication, session continuity, and CSRF protection. The data subject (the user) understands that the Service can only be used while signed in; without the authentication cookies, the magic-link session cannot be maintained.
Under the ePrivacy Directive, consent is required before storing information on, or accessing information already stored on, a user's terminal equipment, except where the storage or access is strictly necessary for the provision of an information-society service explicitly requested by the user. The cookies listed above fall within that exception: the user requests the Service by signing in, and the authentication cookies are technically indispensable to provide it.
4. Third-party cookies
The Service does not set any third-party cookies. Specifically:
- no analytics or product-telemetry cookies (for example Google Analytics or PostHog browser-side cookies);
- no marketing or advertising pixels (for example Meta Pixel or Google Ads remarketing);
- no social-media embed cookies;
- no advertising-network tracking cookies.
The backend services that the Service relies on (Supabase for authentication, Sentry for error reporting, Anthropic for AI processing, OpenWeatherMap for weather, RevenueCat for mobile Game IAP entitlement management) — within the scope described in the Privacy Policy — are integrated through server-side API calls. They do not place cookies in the user's browser.
5. Consent and objection
5.1 Why no cookie banner is shown
Because the Service uses strictly necessary cookies only, the ePrivacy Directive's strictly-necessary carve-out applies and no cookie consent banner is displayed. There is no storage operation on the Service that would require the user's explicit consent.
5.2 Blocking cookies in your browser
The user is free, at any time, to block or delete cookies issued by the Service through the browser's settings. The consequences of doing so are the user's own responsibility:
- deleting the authentication token (the sb-<project-ref>-auth-token value in localStorage) or blocking the browser's storage prevents the magic-link session from being maintained; the Service will not function while signed in, and most user-specific features will be unavailable;
- blocking framework-managed cookies may disable security features such as CSRF protection and cause request failures.
Browser-specific instructions are available from each vendor:
- Mozilla Firefox: support.mozilla.org
- Google Chrome: support.google.com/chrome
- Apple Safari: support.apple.com/safari
- Microsoft Edge: support.microsoft.com
5.3 Right to object
Where the user wishes to exercise the right to object under Article 21 of the GDPR with respect to the legitimate-interest legal basis described in Section 3.1, the request can be submitted through the contact channel set out in the Privacy Policy. Requests are reviewed on the merits; bear in mind that withholding strictly necessary cookies may make it impossible for the Service to be delivered.
6. Future changes
If we ever introduce analytics, performance-measurement, or marketing cookies, or any other non-strictly-necessary storage mechanism, we will, before any such cookie is placed:
- update this Policy to reflect the new cookie inventory and publish the revised text on the Service;
- in line with the ePrivacy Directive and Article 7 of the GDPR, present a cookie consent banner that asks for explicit, granular, and withdrawable consent before any non-strictly-necessary cookie is set;
- notify signed-in users of the change through the contact channel on file;
- only enable the new cookies after the notice has gone live and after consent (where required) has been collected.
In the absence of any new cookie introduction, this Policy is reviewed at least annually to keep the inventory accurate.
7. Contact and complaints
Questions about this Policy, and the objection requests described in Section 5.3, are received through the contact channel set out in the Privacy Policy. We respond on the merits within 30 days.
The user is entitled to lodge a complaint with the competent supervisory authority. In Hungary, the controlling authority for cookies and personal-data processing is:
- Hungarian National Authority for Data Protection and Freedom of Information (NAIH):
- H-1055 Budapest, Falk Miksa utca 9–11.
- naih.hu
- ugyfelszolgalat@naih.hu
Users in other EEA Member States are entitled to lodge a complaint with their own national data-protection authority, or to bring the matter before the competent court in their place of residence.