1. What this policy covers
This page explains every cookie and similar device-storage technology (localStorage, sessionStorage, indexedDB) used on goatwriter.io. It complements our Privacy Policy and is published in compliance with the German Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz (TDDDG, formerly TTDSG) and the EU GDPR.
2. Categories & consent
We split storage into three categories. Essential is always on — the service cannot function without it. Analytics and Marketing are off by default and load only when you give explicit consent through the banner or the customizer below.
Essential (always on)
Used to authenticate you, keep you signed in, and prevent CSRF attacks. Legal basis: Art. 6(1)(b) GDPR (performance of contract) + § 25 Abs. 2 Nr. 2 TDDDG (strictly necessary).
- __Secure-next-auth.session-token — NextAuth session, first-party, HttpOnly, Secure, SameSite=Lax. TTL: 30 days.
- __Host-next-auth.csrf-token — CSRF protection, first-party, HttpOnly. TTL: session.
- __Secure-next-auth.callback-url — post-login redirect target. TTL: session.
- goatwriter_consent_v1 (localStorage) — your cookie preference itself, so we don't re-prompt every visit. Legal basis: § 25 Abs. 2 Nr. 2 TDDDG.
Analytics (opt-in)
Helps us understand which features get used. We currently load no analytics scripts by default. If we add Vercel Analytics or a similar privacy-respecting tool in the future, it will be gated on this consent category and listed here.
Marketing (opt-in)
Lets us measure ad campaigns and remember if you arrived from a referral link. We currently load no marketing scripts by default. Anything we add later (e.g. a conversion pixel) will be gated on this category and disclosed here.
3. Third-party scripts
When you visit a billing page, Stripe's js.stripe.com loads to render the secure card form. That script sets first-party cookies on the Stripe domain so that Stripe can process the payment. Legal basis: Art. 6(1)(b) GDPR.
4. Manage your choice
Open the cookie banner any time to change categories. We store your choice in goatwriter_consent_v1 in localStorage; clearing your browser data resets the choice and the banner will re-appear on the next visit.
You can also block cookies entirely in your browser settings — that disables sign-in and most product features.
5. Withdraw consent
Withdrawal is as easy as granting consent: click Withdraw in the banner, or email support@goatwriter.io. Withdrawal does not affect the lawfulness of processing before the withdrawal.
6. Changes
We will update this page when we add a new cookie or change how an existing one is used. The version stamp at the top changes with each update, and we will re-prompt users for consent if a category changes.