Version 1.0 - April 2026
This Cookie Policy describes the cookies and similar technologies used on the orixium.com site and the Orixium operational service, in accordance with Article 22.2 of Law 34/2002 on information society services and electronic commerce (LSSI-CE), Directive 2002/58/EC (ePrivacy) and the Spanish Data Protection Agency (AEPD) Guide on the use of cookies (2024 edition).
The orixium.com site and the operational service use strictly necessary cookies to guarantee technical operation, security and protection against automated abuse. These cookies are exempt from the prior consent obligation under Article 22.2 LSSI-CE. Additionally, with prior opt-in consent from the user, product analytics cookies from PostHog (hosted on PostHog Cloud EU โ AWS Frankfurt, Germany) are used exclusively to measure aggregate usage of the service. No advertising or cross-site tracking cookies are used. If additional non-strictly-necessary cookies (marketing, third-party integrations) are incorporated in the future, this Policy will be updated and the consent banner implemented or extended in accordance with AEPD requirements before activation.
A cookie is a small text file that a website stores in the user's browser to enable technical operation of the site, remember preferences or collect usage information. In this Policy the term "cookie" is used broadly to also refer to similar technologies, such as local storage tokens or technical identifiers used for equivalent purposes.
All cookies listed below are strictly necessary third-party technical cookies (Cloudflare, Inc.), used by the site's hosting, CDN and anti-bot provider. They are exempt from consent under Article 22.2 LSSI-CE.
| Name | Provider | Purpose | Duration | Type |
|---|---|---|---|---|
| __cf_bm | Cloudflare | Bot mitigation and distinction between human and automated traffic for correct operation of the site. | 30 minutes | Strictly necessary (security). |
| cf_clearance | Cloudflare | Verification that the user has passed a Cloudflare security challenge, avoiding repetition during the session. | Up to 30 days | Strictly necessary (security). |
| cf_chl_* | Cloudflare Turnstile | Protection of the waitlist form and authentication forms against automated submissions (invisible CAPTCHA). No user fingerprinting. | Session / short duration | Strictly necessary (security). |
The following cookies are activated ONLY if the user gives opt-in analytics consent in the cookie banner. They are managed by PostHog, Inc. via the PostHog Cloud EU instance hosted on AWS Frankfurt (Germany, EEA). No data is transferred outside the EEA. IP addresses are automatically anonymized. No cross-site tracking or personal profiling.
| Name | Provider | Purpose | Duration | Type |
|---|---|---|---|---|
| ph_* | PostHog, Inc. (hosted in EU โ AWS Frankfurt) | Product analytics. Aggregate usage measurement (pages visited, actions, session time). No cross-site tracking or personal profiling. IP anonymized. | 1 year | Analytics (opt-in). |
| ph_distinct_id | PostHog, Inc. (hosted in EU โ AWS Frankfurt) | Pseudonymous session identifier to measure retention and usage flows within the same device. Not linkable to real identity without the project key. | 1 year | Analytics (opt-in). |
Once the operational service is available, first-party session cookies will be used exclusively to maintain the user's authenticated session and for CSRF protection. These cookies are strictly necessary to deliver the service expressly requested by the user and are exempt from consent under Article 22.2 LSSI-CE. They are not used for tracking and are not shared with third parties. They are deleted on logout or on token expiration.
The cookies listed in sections 3 and 4 are exempt from the prior consent obligation under Article 22.2 LSSI-CE, as they are strictly necessary to deliver the service expressly requested by the user (accessing orixium.com, registering on the waitlist safely against abuse, and maintaining the authenticated session in the operational service). The AEPD Guide on the use of cookies (2024 edition) confirms that security, load-balancing/CDN, strictly necessary CAPTCHA and session cookies fall within this exemption.
Although orixium.com has no cookies subject to consent, all browsers allow the user to block or delete cookies from their settings. Note that blocking strictly necessary technical cookies may prevent correct operation of the site, the waitlist form or the operational service. The user can consult official instructions in the documentation of Google Chrome, Mozilla Firefox, Safari and Microsoft Edge.
The technical information processed by the cookies described, including the visitor's IP address, constitutes personal data processing within the meaning of GDPR. This processing is described in detail in the Privacy Policy, under the legal basis of the controller's legitimate interest (Art. 6.1.f GDPR) in abuse prevention and site security.
This Policy may be updated if the set of cookies used changes. Any incorporation of non-strictly-necessary cookies (analytics, advertising, social networks, personalization) will require activation of a consent banner in accordance with the AEPD Guide before use, and will be reflected in a new version of this document.
For any query regarding the cookies used on orixium.com, please contact the site controller at [email protected].