This Cookie Policy explains how darkmes ("we", "us") uses cookies and similar technologies on darkmes.com ("the Service"). It supplements our Privacy Policy and gives more detail on the choices summarised there.
1. What are cookies?
Cookies are small text files stored in your browser when you visit a website. Similar technologies include localStorage, sessionStorage, and IndexedDB. Together we refer to these as "cookies" in this document.
We classify what we use into three categories, in line with the EU ePrivacy Directive and GDPR. You can accept or decline each category independently in the cookie banner.
2. The three categories
2.1. Essential cookies
Strictly necessary for the Service to function: authentication, security, fraud prevention, age-gate, and recording your cookie choices. No consent is required because the Service cannot work without them, but we still describe them here for transparency.
| Name | Purpose | Storage | Duration |
|---|---|---|---|
| access_token | Authenticate API requests | In-memory (not persisted to disk) | Session |
| refresh_token | Renew the access token without re-login | HttpOnly + Secure cookie | 30 days |
| cookie_consent | Remember your cookie category choices | Cookie | 1 year |
| nsfw_acknowledged | Remember your 18+ confirmation so we do not re-ask every visit | Cookie | 1 year |
| csrf_token | Cross-site request forgery protection on state-changing requests | Cookie | Session |
| Server-side rate-limit counters | Block brute-force and abuse | Redis (server-side, keyed by hashed IP) | 1 hour rolling |
| Server-side browser-fingerprint hash | Multi-account abuse detection | Postgres (server-side) | While account active + 90 days after deletion |
Consent: not required (strictly necessary).
Retention: as shown above; cleared on logout for session-scoped items, expired automatically for cookies, retained per the Privacy Policy for server-side items.
2.2. Analytics cookies
Help us understand how the Service is used so we can improve it. Self-hosted only — events are written to our own Postgres database; no third-party analytics provider receives data.
| Name | Purpose | Storage | Duration |
|---|---|---|---|
| session_id | Group page-views from the same anonymous browser session | Cookie | Session |
| Self-hosted event log (anonymous page-view, feature-click, time-on-page) | Product improvement | Postgres (server-side) | Raw events 90 days, then anonymised; aggregated metrics retained indefinitely |
Consent: opt-in. Until you accept the Analytics toggle in the cookie banner, no analytics events are written and no session_id cookie is set.
Retention: see the table above.
Lawful basis: consent — GDPR Art. 6(1)(a).
2.3. Marketing cookies
Used for first-party retargeting and conversion measurement. We do not use any marketing cookies today. The category exists in the banner so that the consent record can capture an explicit "no thank you" from EU users, and so that we have an audit trail if we ever start.
| Name | Purpose | Storage | Duration |
|---|---|---|---|
| (none in use) | (reserved for future first-party retargeting) | — | — |
Consent: opt-in. No marketing cookie will ever be set without an explicit accept on this category.
Retention: N/A while none is in use; will be specified before any are introduced and a Policy update will be sent.
Lawful basis: consent — GDPR Art. 6(1)(a).
3. What we don't use
- Third-party advertising cookies (Google Ads, Meta Pixel, TikTok Pixel, etc.)
- Cross-site tracking cookies
- Behavioural-profiling pixels for marketing
- Sharing of cookie data with advertisers, data brokers, or any third party for their own marketing
4. Your choices
4.1. The cookie banner
On your first visit a banner appears with three options:
- Accept all — essential + analytics + marketing (marketing is currently empty, but the choice is recorded).
- Reject non-essential — essential only.
- Manage preferences — toggle each category individually and save.
Whatever you choose is recorded in our consent_log table together with a timestamp and hashed IP/user-agent, to demonstrate compliance with GDPR Art. 7(1).
4.2. Changing your mind later
- Footer link "Manage cookies" — re-opens the consent manager from any page.
- Settings → Privacy → Manage cookie preferences — same consent manager, accessible while logged in.
- Clearing the cookie_consent cookie in your browser will re-show the banner on the next visit.
Withdrawing consent does not affect the lawfulness of any processing carried out beforehand.
4.3. Browser settings
You can also configure your browser to refuse cookies, alert you when cookies are sent, or delete cookies after each session. See your browser's help documentation:
4.4. Effect of declining
| Choice | Effect |
|---|---|
| Decline essential cookies (only possible via browser settings) | The Service will not work — you cannot log in or confirm 18+. |
| Decline analytics | The Service works normally; we learn nothing about your visit beyond raw server logs (retained 7 days for security only). |
| Decline marketing | No effect today — we do not use marketing cookies. If we ever introduce them, declining means no targeted retargeting. |
5. Updates to this Policy
We may update this Cookie Policy when our cookies or categories change. Material updates will be reflected in the Version and Last updated fields at the top, and the consent banner will be re-shown so you can review your choices.
6. Contact
Email: night@darkmes.com