Cookie Policy

Last updated 2026-05-29 · v1.0

SkillOx uses a small set of cookies and similar local-storage entries needed to make the site work. We do not set any cookie for analytics, advertising, audience-measurement, social-media sharing, or behavioural profiling. This page lists every cookie we know of, what it does, and how long it lives.

3. Cookies and local-storage we set

Authentication (NextAuth / Auth.js)

  • `authjs.session-token` — keeps you signed in after you authenticate via GitHub OAuth. HttpOnly, Secure, SameSite=Lax. First-party cookie set by skillox.io. Lifetime: 30 days, rolling on use.
  • `authjs.csrf-token` — anti-CSRF token for the sign-in flow. HttpOnly, Secure, SameSite=Lax. First-party cookie. Lifetime: session only.
  • `authjs.callback-url` — remembers the page you came from so we can send you back after sign-in. First-party cookie. Lifetime: session only.
  • `authjs.state` — short-lived state parameter exchanged with GitHub during the OAuth handshake. First-party cookie. Lifetime: a few minutes.

Theme preference (next-themes)

  • `theme` (browser localStorage, not a cookie) — remembers whether you chose light, dark or system. First-party. Lifetime: until you clear browser storage.

Abuse protection (Cloudflare Turnstile)

  • `cf_clearance` and short-lived challenge cookies — set by Cloudflare when verifying that your browser is not part of an attack. Third-party (challenges.cloudflare.com). Lifetime: short, typically under a day; details on Cloudflare's privacy page at https://www.cloudflare.com/cookie-policy/.

Payment (Stripe Checkout / Customer Portal)

  • When you reach Stripe's hosted checkout or customer portal (linked from /account/billing), Stripe sets its own cookies — `__stripe_mid`, `__stripe_sid` and others. These are not set by SkillOx and are governed by Stripe's cookie policy at https://stripe.com/cookies-policy/legal. We share only the customer / subscription identifier with Stripe; we never see your full card number.

4. What we do not use

SkillOx does not set or use:

  • Analytics cookies (no Google Analytics, no Plausible, no Umami, no Mixpanel, no PostHog)
  • Advertising or retargeting cookies (no Google Ads, no Facebook Pixel, no LinkedIn Insight Tag)
  • Social-media share-button cookies (we link out via plain anchors; no embeds)
  • Cross-site fingerprinting scripts
  • Behavioural profiling of any kind

If we ever add an analytics product we will (a) update this page first, (b) prefer a privacy-respecting self-hosted option in the EU, and (c) ensure it does not require cross-site tracking. We would clearly disclose what is collected here before turning it on.

5. Managing cookies

All major browsers let you view, delete and block cookies from settings. Specific guides:

  • Chrome: https://support.google.com/chrome/answer/95647
  • Firefox: https://support.mozilla.org/en-US/kb/cookies-information-websites-store-on-your-computer
  • Safari: https://support.apple.com/guide/safari/manage-cookies-sfri11471/mac
  • Edge: https://support.microsoft.com/microsoft-edge/delete-cookies-in-microsoft-edge-63947406-40ac-c3b8-57b9-2a946a29ae09

Blocking the authentication cookies will sign you out and prevent you from using any signed-in feature (creator portal, follow, billing, API keys, admin). Blocking the Cloudflare challenge cookie may stop you from passing the abuse-protection check and therefore from running scans through the public scanner.

6. Changes to this policy

If we add, remove or change a cookie we update the date and version at the top of this page. Material changes are announced on /docs/changelog.

7. Contact

Cookie-policy questions: privacy@skillox.io. ATOMIRA TECHNOLOGIES, S.L. (CIF B27662717), Calle Lepant 270, 08013 Barcelona, Spain.