Cookie Policy
This page describes the cookies and similar local-storage technologies that the Axion web client and marketing site at axionchat.chat use. It is published separately from the Privacy Policy for clarity.
Summary
Axion uses only strictly necessary cookies and local storage. We do not use advertising cookies, third-party analytics cookies, social-media tracking pixels, fingerprinting, or any cross-site tracker. There is therefore no consent banner: under Art. 5(3) of the ePrivacy Directive (as transposed in EU Member States), strictly necessary cookies do not require prior consent, only clear information — which is what this page provides.
What we set
| Name | Type | Set by | Purpose | Lifetime |
|---|---|---|---|---|
| axion_session | HTTP-only, Secure, SameSite=Lax cookie | axionchat.chat (first-party) | Authenticated session for the web client. Holds an opaque session identifier; server-side state holds the actual session data. | Session (deleted on logout) or 30 days for “keep me signed in”. |
| axion_csrf | Secure, SameSite=Strict cookie | axionchat.chat (first-party) | Cross-site request forgery token, required for any state-changing form submission. | Session. |
| axion_lang | Secure, SameSite=Lax cookie | axionchat.chat (first-party) | Stores your chosen interface language (en, az, etc.) so the site loads in the same language on the next visit. | 365 days. |
| axion_theme | Secure, SameSite=Lax cookie | axionchat.chat (first-party) | Stores your light/dark/system theme preference. | 365 days. |
| Matrix client local storage | Browser localStorage + IndexedDB | axionchat.chat (first-party) | Caches your Matrix access token, encryption keys, room state, and message store so the web client can decrypt messages and work offline. | Until you log out or clear browser storage. |
| __cf_bm / cf_clearance | Cloudflare bot-management / challenge cookie | Cloudflare (first-party on axionchat.chat) | Distinguishes humans from bots, and remembers a successful CAPTCHA-style challenge to avoid re-prompting. Required to keep the site online during attacks. | 30 minutes for __cf_bm; up to 30 days for cf_clearance. |
What we do not set
- Google Analytics, Plausible, Fathom, Matomo, Hotjar, Mixpanel, Segment, or any other analytics cookie.
- Facebook Pixel, TikTok Pixel, X (Twitter) Pixel, LinkedIn Insight Tag, Reddit Pixel, or any other advertising tracker.
- Cross-site identifiers, cookie syncing, or fingerprinting via Canvas, WebGL, AudioContext, or font enumeration.
- Long-lived advertising IDs in localStorage or IndexedDB.
- Embeds from YouTube, Twitter, Vimeo, or other third parties on the marketing site — we self-host video previews where needed.
Controlling cookies
You can clear or block any of the above through your browser’s cookie controls. Note that disabling axion_session or axion_csrf will prevent you from signing in and submitting forms, and clearing the Matrix client’s localStorage / IndexedDB will require you to verify your device again and may make any messages encrypted with old session keys unreadable on that browser.
The mobile and desktop apps do not use HTTP cookies; they store the equivalent state (access token, encryption keys, room database) in the operating system’s app-private storage, secured by the OS keystore where available.
Legal basis
All technologies listed above are strictly necessary for the requested service under Art. 5(3) of the ePrivacy Directive (transposed e.g. in § 25 TTDSG in Germany). For language and theme preferences, we additionally rely on consent (Art. 6(1)(a) GDPR) implied by you actively changing the preference; for everything else we rely on the contractual basis (Art. 6(1)(b) GDPR).
Changes
Material additions to this list will appear here at least 30 days before they take effect. The previous version is available on request.
Contact
Questions: trust@aevrix.org.