SURWAY'R
Cookie Policy
Document ID: SURWAYR-CP-v1.1
Effective date: 28 March 2026
Last reviewed: 28 March 2026
Version history: 1.0 — Initial release; 1.1 — Analytics cookies removed (aligned with actual deployment)
Hungarian original (HU): Download the authoritative PDF (HU)
1. What are cookies?
Cookies are small text files stored on your device by the browser when you visit surwayr.com. Similar technologies include local storage and session storage — this policy applies to them on the same principles.
2. Cookies we use
SURWAY’R only places technically necessary cookies. We do not use analytics, marketing, or tracking cookies on your device.
2.1 Technically necessary (essential) cookies
These cookies are required for the Service to function; without them, sign-in and the application would not work.
| Cookie name | Purpose | Type | Expiry |
|---|---|---|---|
Fastapi_session |
Sign-in session identification | HTTP cookie, HttpOnly, Secure | Session |
Fastapi_csrf_secret |
Stores CSRF signing secret (HttpOnly) | HTTP cookie, HttpOnly, Secure | Session |
lang (session) |
Selected language (session internal key) | Session data (not a standalone HTTP cookie) | For the session lifetime |
theme |
Display mode (e.g. dark mode) | localStorage | Persistent |
cookie_consent |
Stores banner decision | localStorage | Persistent |
Note on CSRF: The
Fastapi_csrf_secretcookie stores the CSRF secret; the browser also receives a hiddencsrf_tokenfield on submitted forms (not placed as a separate cookie). Together they enforce CSRF protection.
Note on language: The selected language is stored under the
langkey inside theFastapi_sessionsession; there is no standalonelocaleHTTP cookie.
Legal basis: Contract performance (GDPR Art. 6(1)(b)) / legitimate interest (GDPR Art. 6(1)(f)).
Consent required: No — under the ePrivacy Directive and GDPR, these cookies may be set without consent.
2.2 Payment cookies (Stripe)
Required for secure payment processing and Stripe’s fraud prevention. They only affect your device when you initiate a payment flow.
| Provider | Purpose | Data transfer | Legal basis |
|---|---|---|---|
| Stripe Ireland Limited | Payment processing, fraud prevention (__stripe_mid, __stripe_sid) |
Ireland / USA (Stripe DPA + SCC 2021/914/EU) | Contract (GDPR Art. 6(1)(b)) |
3. Analytics and tracking — current status
SURWAY’R does not currently use analytics, statistical, or marketing cookies or tracking technologies.
Neither Google Analytics nor any other third-party analytics tool is deployed. We do not record browsing behaviour for profiling or transfer such data to third parties for that purpose.
If we introduce analytics in the future, we will update this policy and place such cookies only with your explicit prior consent, in line with GDPR Art. 6(1)(a) and the ePrivacy Directive.
4. The cookie banner and consent
4.1 Current banner
On first visit, a cookie banner appears that:
- Informs you about technically necessary cookies
- Lets you record a choice
Because only necessary cookies are used, the banner is primarily informational and UX — the choice is stored in localStorage to control display.
4.2 Consent principles (if analytics are introduced later)
If analytics cookies are introduced:
- Giving and withdrawing consent will be equally easy — withdrawal via the footer “Cookie settings” link or account settings
- Analytics cookies will activate only after explicit acceptance
- Scrolling or clicking alone does not constitute consent
- Withdrawal applies for the future
5. Managing cookies in the browser
You may delete or block cookies directly in your browser:
| Browser | Settings |
|---|---|
| Chrome | chrome://settings/cookies |
| Firefox | about:preferences#privacy |
| Safari | Settings → Privacy |
| Edge | edge://settings/privacy |
Note: Blocking essential cookies may prevent sign-in and some features from working.
6. Third-party cookies — principles if introduced in the future
If we introduce third-party cookies in the future (e.g. analytics or marketing), the following principles apply:
- Every third-party cookie provider will be identified (company name, address, link to privacy policy, indication of any EU transfers)
- Third-party cookies may only be placed with the data subject’s explicit prior consent
- Every third-party provider will be subject to applicable processor or controller agreements including SCCs where relevant
- The cookie banner will be updated at least 30 days before such cookies are introduced
7. Validity and amendment of this policy
For material changes, we will notify Users at least 30 days before they take effect.
8. Related documents
- Privacy Policy (SURWAYR-PP-v1.0) — legal bases and processing principles
- Data Processing Agreement (SURWAYR-DPA-v1.1) — processor relationship