Do We Store Cookies? 🍪

7 min

with how strict the eu has become around privacy and cookies here’s a breakdown based on eu eprivacy directive (aka the "cookie law") and gdpr 1\ cf bm (cloudflare bot protection cookie) type strictly necessary legal status ✅ allowed without consent why it’s used purely for security (bot detection, ddos protection) — not for tracking or advertising notes you do not need a cookie banner or explicit user consent for this one, but you must disclose it in your privacy/cookie policy 2\ connect sid (session cookie) type strictly necessary (when used only for login/session) legal status ✅ allowed without consent , as the law allows for it’s use when used to maintain logged in sessions it's use when it doesn’t track users across sites or store extra identifiable info why functional cookies like this are essential for the service to work (e g , logging in, staying authenticated) does it store personal or tracking data? ❌ no this cookie only stores a session id — not user data, pii, or tracking behavior the actual user session data is stored server side (e g , in memory, redis, or a db), not in the cookie itself tl;dr cookie summary table cookie consent required? legal if cf bm ❌ no used for security, bot management only connect sid ❌ no used strictly for login/session maintenance summary extra precautions you can take | optional ✅ keep a clear cookie/privacy policy that mentions both cookies ✅ you can mention to users that the service uses cloudflare for protection and sessions for login what we will always do ✅ we will always adhere to international laws to stay iso27001 compliant and safe under eu rules at the moment we only have a token for session handling, but if that were to change we would enforce the use of a cookie consent form