Cookie Policy
Last updated: 7 May 2026
1. Overview
This page explains how orkestr (operated by WhiteCloud Project S.R.L., Romania) uses cookies and similar technologies on our marketing site (orkestr.eu), the console (console.orkestr.eu), and our public API (api.orkestr.eu). It complements our Privacy Policy.
We aim to use as few cookies as possible. We do not use advertising cookies, behavioural profiling, cross-site tracking, or third-party analytics cookies. Our analytics provider is self-hosted and runs without cookies (see Section 4).
"Cookies" in this policy means HTTP cookies and any equivalent client-side storage covered by Article 5(3) of the ePrivacy Directive (such as localStorage), regardless of the technical mechanism.
2. Cookies set by orkestr
The following first-party cookies are set directly by orkestr. They are strictly necessary for the service to work and are not used for analytics or marketing.
| Name | Domain | Purpose | Duration | Category |
|---|---|---|---|---|
| orkestr_signed_in | .orkestr.eu | Indicates that you have an active sign-in so navigation adapts accordingly. Contains no identifier and no session token. | 7 days | Strictly necessary |
The orkestr_signed_in cookie is deliberately scoped to the platform domain (.orkestr.eu) and never sent to applications you deploy on *.orkestr.run. It contains a fixed value and cannot be used to identify you.
3. Browser storage used by the console
When you sign in to the console, we store your authentication tokens in your browser's localStorage on console.orkestr.eu. These are not HTTP cookies, but they are covered by the same ePrivacy rules and we disclose them here for transparency.
| Key | Storage | Purpose | Duration |
|---|---|---|---|
| access_token | localStorage (console.orkestr.eu) | Short-lived JWT used to authenticate API requests from the console to api.orkestr.eu. | 30 minutes (rotated by the server) |
| refresh_token | localStorage (console.orkestr.eu) | Used to obtain a new access token without forcing you to sign in again. | 7 days |
These tokens are required to keep you signed in to the dashboard. Clearing site data or signing out removes them.
4. Analytics (Umami, cookieless)
We use Umami, an open-source, privacy-focused analytics tool. We self-host Umami on our own EU infrastructure (Hetzner, Falkenstein, Germany) at a.orkestr.eu. Umami:
- does not set any cookies on your device;
- does not use device fingerprinting or persistent identifiers;
- does not track you across websites;
- aggregates data into anonymised counts (page views, referrers, browser, country, and categorical interaction events such as CTA clicks, plan-card clicks, copy-to-clipboard actions on documentation snippets, and scroll-depth milestones on the homepage) with no free-text input captured, so individual visitors cannot be re-identified;
- does not share data with any third party.
We also use a small amount of browser sessionStorage on orkestr.eu so that once-per-session analytics events (for example the pricing-section view, or each scroll-depth milestone) are not double-counted within the same tab. These keys hold only the names of events already fired in the current session, are cleared automatically when you close the tab, and contain no personal data.
Because Umami is cookieless and processes only aggregated, non-identifying data, we rely on legitimate interest (Article 6(1)(f) GDPR) to operate it and do not require a consent banner for analytics.
5. Cookie consent banner (CookieYes)
We use CookieYes to display a cookie notice and to record your consent choice. CookieYes itself sets a small number of strictly necessary cookies on orkestr.eu to remember whether you have already seen and acknowledged the banner.
| Name | Domain | Purpose | Duration | Category |
|---|---|---|---|---|
| cookieyes-consent | orkestr.eu | Records your cookie consent choice so we do not show the banner on every page load. Set by the CookieYes consent management script. | 1 year | Strictly necessary |
Because we do not use any non-essential cookies, the banner is informational. You can review or change your choice at any time using the cookie settings link in the banner. CookieYes' own privacy notice is available at cookieyes.com/privacy-policy.
6. Third-party redirects
Some flows hand you off to a third-party site that may set its own cookies. These cookies are governed by the third party's privacy policy, not ours.
- Git provider OAuth - signing in with GitHub, GitLab, Bitbucket, or Codeberg redirects you to the provider, which sets its own session cookies on its own domain. We never see those cookies.
- Mollie (billing) - upgrading to a paid plan redirects you to Mollie's hosted checkout. Mollie may set cookies on its own domain. See the Sub-processors page for details.
- Bunny CDN - serves static assets and images for orkestr.eu. Bunny processes request metadata (IP, user agent) for delivery and DDoS mitigation but does not set tracking cookies.
- ALTCHA - the proof-of-work CAPTCHA we use on sign-up and contact forms is self-hosted and cookieless.
7. Managing cookies
Because all cookies we set are strictly necessary for authentication or to record your consent preferences, blocking them will degrade or break parts of the service (for example, you will not be able to stay signed in). You can still manage cookies in your browser:
You can also wipe your authentication state at any time by signing out of the console, which clears both the orkestr_signed_in cookie and the tokens in localStorage.
8. Live cookie audit
The table below is generated automatically by our consent management provider (CookieYes) and lists cookies it has detected on this site. It is a transparency backup to the curated tables above and may load slightly after the page renders.
9. Changes to this policy
If we add, remove, or change cookies, we will update this page and the "Last updated" date at the top. Material changes will also be communicated through the console or by email where required.
10. Contact
Questions about cookies or about how we handle your data? Contact privacy@orkestr.eu.