COOKIE POLICY

Version 1.0 – 2025-07-14

1 Scope and controller

This Cookie Policy explains how JadenX GmbH (trading as 'cntrctrs', 'we', 'our'), Kegelbahnstr. 10, 67753 Reipoltskirchen, Germany (Amtsgericht Kaiserslautern HRB 205783B, VAT DE323821525, e‑mail info@entaingine.com), uses cookies and comparable technologies on cntrctrs.com (the "Service").

Unless stated otherwise, JadenX GmbH is the controller within the meaning of Art 4 No 7 GDPR.

2 Cookies and similar technologies

"Cookies" are small text files that a website stores on a visitor’s device and that the browser returns on subsequent visits. Technologies such as localStorage, sessionStorage, tracking pixels, web beacons and tags serve comparable purposes. In this notice, "cookie" is shorthand for all such technologies.

Legal framework. Reading or writing information on end‑user devices is governed by Art 5 (3) ePrivacy Directive, transposed in Germany via § 25 TTDSG. Where a cookie involves processing of personal data, the GDPR applies in parallel.

3 Why we use cookies

Category	Purpose	Legal basis (GDPR)	Default state
Strictly necessary	Provide the Service and keep it secure (authentication, CSRF‑protection, load balancing)	Art 6 (1)(b) contract or Art 6 (1)(f) legitimate interest	Always active – § 25 (2) TTDSG
Analytics	Understand and improve how visitors interact with the Service (Google Analytics, Vercel Analytics, Posthog)	Art 6 (1)(a) consent	Disabled until opt‑in
Marketing / Advertising	Measure campaign performance, build audiences and serve relevant ads (LinkedIn Insight Tag, X Pixel, Google Ads Tag)	Art 6 (1)(a) consent	Disabled until opt‑in

Non‑essential cookies are never set before you give consent. 'Accept all' and 'Reject all' are equally prominent. The banner is implemented with react-cookie-consent.

4 Detailed cookie list

Audit date: 2025‑07‑14 – we re‑scan quarterly and update this table as required.

4.1 Strictly necessary

Name	Provider / Domain	Purpose	Expiry	HttpOnly	Secure	SameSite
`cntrctrs-cookie-consent`	cntrctrs – `cntrctrs.com`	Stores your cookie consent preferences	12 mo	–	✔︎	`Lax`
`sb-*-auth-token`	Supabase – `*.supabase.co`	Authentication session token	Session	✔︎	✔︎	`Lax`

4.2 Analytics – loaded only after consent

Name	Provider	Purpose	Default expiry
`ph_<project_api_key>_posthog`	PostHog	Distinct ID, session ID, feature‑flag state	12 mo
`_ga`	Google Analytics 4	Distinguishes users	24 mo
`_ga_<container-id>`	Google Analytics 4	Persists session state	24 mo
`_gid`	Google Analytics 4	Distinguishes users per day	24 h

PostHog also writes to localStorage for feature‑flags. LocalStorage is cleared when you withdraw consent.

4.3 Marketing / Advertising – loaded only after consent

Name	Provider	Purpose	Default expiry
`personalization_id`	X (Twitter)	Ad personalisation & analytics	24 mo
`guest_id_ads`	X (Twitter)	Identifies devices for ads when logged‑out	24 mo
`bcookie`	LinkedIn Insight Tag	Browser ID for fraud detection & ads	12 mo
`lidc`	LinkedIn Insight Tag	Datacentre selection & load balancing	24 h
`li_gc`	LinkedIn Insight Tag	Stores guest consent for non‑essential cookies	6 mo
`li_fat_id`	LinkedIn Insight Tag	Member indirect identifier for conversions	30 d
`IDE`	Google Ads (doubleclick.net)	Stores ad preferences & user ID	13 mo
`__gads`	Google Ads	Measures interactions with ads & prevents duplicate displays	13 mo
`_gcl_au`	Google Ads / Tag Manager	Stores Google Click ID (GCLID) for conversion tracking	90 d
`test_cookie`	Google Ads (doubleclick.net)	Tests if the browser supports cookies	15 min

5 Consent mechanism & withdrawal

Our banner:

Loads only strictly necessary cookies by default.
Shows “Accept all” and “Reject all” with equal prominence, plus category toggles and a “Save preferences” button.
Stays visible until you make a choice.
Stores decisions in the cookie_consent cookie for 12 months.
Can be reopened at any time via Cookie Settings in the footer.

Withdrawing consent deletes analytics/marketing cookies and blocks the associated scripts.

6 International data transfers

PostHog EU Cluster is hosted in Frankfurt/Stockholm – no data leaves the EEA.
Google LLC, X Corp. and LinkedIn Corp. may process data in the United States. Transfers rely on:
- certification under the EU–US Data Privacy Framework (DPF),
- Standard Contractual Clauses (SCCs), and
- documented Transfer Impact Assessments.

Copies of the SCCs are available on request.

7 Storage duration & deletion

We keep personal data derived from cookies no longer than necessary. Analytics events are truncated or aggregated after 25 months at the latest. Marketing identifiers are deleted once a campaign ends or after 30 days of inactivity, whichever comes first.

8 Your rights

You may exercise the rights in Art 15–22 GDPR (access, rectification, erasure, restriction, portability, objection, automated decision‑making) at any time. See our Privacy Policy for details.

9 Changes to this policy

We review this notice at least quarterly. Material changes (e.g. adding a new marketing pixel) trigger a renewed consent request.

Last update: 2025‑07‑14

10 Contact

Data Protection Officer
JadenX GmbH
Kegelbahnstr. 10
67753 Reipoltskirchen, Germany
info@entaingine.com

You may also lodge a complaint with the State Commissioner for Data Protection and Freedom of Information Rhineland-Palatinate (Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Rheinland-Pfalz).