Cookie Policy
What we store on your device, why, and how to change your mind. Strictly necessary by default; everything else is opt-in.
We use a minimal set of strictly necessary cookies for authentication and security. Everything else — functional preferences, analytics, marketing — is off by default and only set after you opt in via the banner. You can change your choice any time from the footer link.
Overview
This Cookie Policy explains how Michal Jatczak T/A ITSailor (Malta VAT MT32760411) uses cookies and similar technologies (local storage, session storage, pixels) on itsailor.io and on the SaaS dashboards we operate (SEAWALL, HOIST, DECKLOG — currently in sales MVP phase).
We operate under Article 5(3) of the ePrivacy Directive (2002/58/EC, as amended by 2009/136/EC) and its Maltese implementation in the Electronic Communications Act (Chapter 399). Non-essential cookies are set only after you give informed, specific, freely given, and unambiguous consent (CJEU Planet49, C-673/17, paragraphs 49–65).
Cookie categories
We classify cookies into four categories, aligned with EDPB guidance and the structure of our consent banner:
- Strictly necessary — required for the site to function: authentication, CSRF protection, the consent record itself. Exempt from the consent requirement of ePrivacy Article 5(3) (the "strictly necessary" exemption explained in Recital 25), so no consent is asked for them. Always on.
- Functional — remember preferences you set (e.g. dark mode, language). Not required for the site to work; opt-in.
- Analytics — privacy-respecting, self-hosted measurement (planned: Plausible Analytics on Hetzner). Aggregated, no cross-site profile, no third-party broadcast. Opt-in.
- Marketing — currently disabled across the entire site. If we ever enable a retargeting pixel or attribution tracker (e.g. for a specific LinkedIn or Google Ads campaign), it goes here. Opt-in.
Per-cookie inventory
The following table is the canonical inventory at the effective date of this Policy. We refresh it whenever a category changes (and notify active customers per section 08).
Strictly necessary
| Name | Purpose | Set by | Duration |
|---|---|---|---|
| itsailor.consent.v1 | Records your cookie consent choices (per-category booleans + schema version) | itsailor.io (first-party, localStorage) | 12 months |
| directus_session_token | Authentication session for the customer dashboard | itsailor.io (first-party, httpOnly) | Session expiry (default), or 30 days if you tick "Keep me signed in" |
| directus_refresh_token | Refreshes the session token without forcing re-login | itsailor.io (first-party, httpOnly) | 7 days (default), 30 days with "Keep me signed in" |
| __Host-* prefixed variants | Same as above; the __Host- prefix requires the Secure attribute, Path=/ and no Domain attribute, so the browser only sends the cookie back to the exact host over HTTPS (production only) | itsailor.io (first-party) | Matches the underlying session/refresh duration |
| next-auth.csrf-token | CSRF token for NextAuth-handled SSO sign-in flows | itsailor.io (first-party) | Session |
Functional · opt-in
No functional cookies are active at the effective date of this Policy. When we add one (e.g. a dark-mode preference), it will be listed here and the consent schema version will bump — your banner re-appears so you can decide.
Analytics · opt-in
No analytics cookies are active at the effective date of this Policy. Our plan when analytics goes live is a single first-party measurement cookie set by self-hosted Plausible on a Hetzner-resident endpoint — no third-party broadcast, no cross-site identifier.
Marketing · opt-in
No marketing cookies are active. If we ever run a paid attribution pixel (e.g. for a specific LinkedIn Ads campaign), the vendor, cookie name, and retention are added here before the campaign goes live.
How consent works
The first time you visit itsailor.io, a consent banner appears at the bottom of the page. You have three equal options (EDPB Guidelines 05/2020 require reject and accept to be equally prominent):
- Accept all — opts you in to all four categories.
- Reject all — leaves only strictly-necessary on. The site continues to work in full.
- Customize — opens a panel with one toggle per category. Strictly necessary is locked on; the other three are independent.
Whichever you choose, your decision is recorded in itsailor.consent.v1 (localStorage) plus an audit row in our consent_log Directus collection. The audit row contains: the event type (accept-all / reject-all / save-selection / withdraw / re-prompt), the schema version that was active, the categories you chose, your user agent, a SHA-256 hash of your IP (salted with CONSENT_IP_HASH_SALT — we never store raw IPs), and a timestamp.
You can change or withdraw your choice at any time:
- Open the Cookie preferences link in the site footer. The settings panel re-opens with your current state pre-loaded.
- Save a new selection. The change writes another consent_log row and adjusts which cookies fire from that point forward.
- Already-set non-essential cookies are not retroactively deleted from third-party vendors (none currently fire), but their continued use stops immediately.
Third-party cookies
We currently set no third-party advertising or cross-site tracking cookies. Third-party requests are limited to:
- Stripe Checkout — when you initiate a purchase, Stripe sets payment-processing cookies on the Stripe-hosted checkout page (you are redirected to checkout.stripe.com for the transaction). Stripe's cookie policy applies on that page; ours does not.
- Microsoft Entra / Google OAuth — if you choose to sign in to the dashboard via Microsoft or Google SSO, those providers set authentication cookies during the redirect. Their cookie policies apply.
- YouTube / Vimeo embeds — none currently embedded on itsailor.io. If we add a video embed in the future, we will use the privacy-extended embed mode where the platform supports it, and gate the embed behind a click-to-load placeholder until consent is given.
Do Not Track and Global Privacy Control
We honour the Global Privacy Control (GPC) signal. If your browser sends Sec-GPC: 1, we treat that as a Reject-all signal for non-essential categories and persist the choice as you would have made it through the banner. This aligns with EDPB Guidelines 05/2020 on signals that constitute valid expressions of refusal.
The older Do Not Track (DNT) header is also honoured the same way. Where a browser sends contradictory signals (DNT off + GPC on, or vice versa), the more privacy-preserving signal wins.
Changes to this Policy
We refresh this Policy whenever the cookie inventory changes. Material changes — adding a new vendor, a new category, or a new purpose for an existing cookie — are announced by email to active customers at least 30 days before they take effect, and trigger a schema-version bump that re-prompts the consent banner.
Non-material changes (typographical corrections, vendor reference URL updates, restructuring of this Policy without changing what cookies fire) are made silently with a revised effective date.
Contact and complaints
- Data Subject Rights requests (access, rectification, erasure, objection, withdraw consent in writing): dsr@itsailor.io
- General privacy questions: privacy@itsailor.io
- Legal: legal@itsailor.io
Postal: Michal Jatczak T/A ITSailor, 507 Cityway, Triq Il-Madonna Tal-Gebla, Gzira GZR 1564, Malta.