Cookie Policy
Last updated: 9 June 2026
This Cookie Policy explains precisely which cookies and browser storage technologies Evestival uses on evestival.com. It should be read alongside our Privacy Policy.
Short version: Our analytics tool (Matomo) is self-hosted in Germany and runs without cookies by default, so we can measure aggregate usage without identifying you. We set cookies only if you click "Accept" on our banner — namely Matomo first-party cookies (so we can recognise returning visitors) and Google AdSense advertising cookies. If you decline, no cookies are set and Matomo simply continues in cookieless mode. You can withdraw consent at any time (section 6).
1. What are cookies?
Cookies are small text files stored on your device by your browser when you visit a website. They can be "session" cookies (deleted when you close the browser) or "persistent" cookies (stored until they expire or you delete them).
We also use localStorage — a browser mechanism that stores data locally on your device without sending it to our server on every request. Unlike cookies, localStorage data is not transmitted automatically with each HTTP request.
2. Local storage we use (strictly necessary)
Evestival uses localStorage only for items that are strictly necessary to deliver the service you request. These do not require your consent under Art. 5(3) ePrivacy Directive.
| Key (localStorage) | Purpose | Duration | Category |
|---|---|---|---|
evestival_token |
Your JSON Web Token (JWT) for authentication. Keeps you logged in between page loads. Never stored in a cookie. | Until you sign out or the token expires (~30 days) | Strictly necessary |
evestival_user |
Cached copy of your basic profile (name, email, role) to display in the navigation bar without a round-trip to the server. | Until sign-out | Strictly necessary |
evestival-theme |
Remembers your dark/light theme preference so the correct theme loads instantly on your next visit. | Persistent (until you clear browser data) | Functional preference |
evestival_cookie_consent |
Stores your cookie consent decision ("accepted" or "rejected") so we don't show the banner on every page. |
Persistent (until you clear browser data) | Consent management (necessary) |
No server-side session cookies. We use JWT tokens in localStorage instead of server-side session cookies. This means our server does not set any Set-Cookie headers for authentication purposes.
3. Analytics — Matomo (cookieless by default; cookies only with your consent)
We use Matomo for analytics. Matomo is self-hosted on our own server in Germany, so analytics data never leaves our infrastructure and is never sold or shared with third parties.
By default — and for everyone who has not accepted cookies — Matomo runs in cookieless mode:
- Matomo sets no cookies and stores no persistent identifier on your device (no localStorage, no IndexedDB).
- The last octet of your IP address is masked before storage.
- Because no information is stored on or read from your device, this mode falls outside Art. 5(3) ePrivacy Directive and relies on our legitimate interest in understanding aggregate site usage (Art. 6(1)(f) GDPR). It does not require your consent.
- The trade-off: in cookieless mode we cannot tell whether two visits come from the same person, so every visit is recorded as a new visitor.
If — and only if — you click "Accept" on the cookie banner, Matomo is permitted to set first-party analytics cookies. These let us recognise returning visitors — i.e. understand whether people come back to Evestival — which is how we judge whether the site is genuinely useful. These cookies are set by evestival.com itself, are never shared with any third party, and serve no purpose beyond our own self-hosted analytics. They contain a random identifier only — never your name, email, or any directly identifying information.
| Cookie | Purpose | Duration | Type |
|---|---|---|---|
_pk_id.* |
Stores a randomly generated visitor ID so a returning visit can be recognised as the same browser. Contains no directly identifying data. | 13 months | First-party, analytics |
_pk_ses.* |
Short-lived cookie that groups the requests of your current visit into a single session. | 30 minutes | First-party, analytics |
_pk_ref.* |
Remembers how you arrived at the site (e.g. a search engine or referring link) so the visit can be attributed correctly. | 6 months | First-party, analytics |
mtm_cookie_consent |
Records that you granted consent for analytics cookies, so we do not have to ask again on every page. | Long-lived (until you withdraw consent) | First-party, consent record |
Matomo records: page URL, referrer URL, approximate screen resolution, browser type, on-site interactions (such as which search and filter features you use), and anonymised IP. This data is used solely to improve Evestival. Raw visit data is retained for 180 days; aggregated statistics are kept indefinitely.
Legal basis: cookieless analytics rely on our legitimate interest (Art. 6(1)(f) GDPR); the optional analytics cookies above are set only on the basis of your consent under Art. 5(3) ePrivacy Directive and Art. 6(1)(a) GDPR.
You can opt out of Matomo entirely — even the cookieless mode — by enabling the "Do Not Track" (DNT) signal in your browser, which we honour. Declining cookies, or withdrawing consent (section 6), deletes the analytics cookies above and returns Matomo to cookieless mode.
4. Advertising cookies (optional — consent required)
We display advertisements via Google AdSense. This service is only activated after you explicitly accept cookies via our cookie consent banner. If you decline, Google AdSense is never loaded and no advertising cookies are set.
When you accept, Google may set advertising cookies on your device. These cookies allow Google to:
- Show you advertisements based on your browsing activity across sites.
- Measure ad performance.
- Prevent the same ad from being shown to you repeatedly.
You can review and control Google's advertising cookies via Google Ad Settings or opt out of interest-based advertising via the NAI opt-out tool. See also Google's Privacy Policy.
Legal basis: Art. 6(1)(a) GDPR — consent. You may withdraw consent at any time (see section 6).
5. Third-party technologies that do not use cookies
| Technology | Purpose | Cookies set? |
|---|---|---|
| Bunny Fonts | Delivers web fonts (Playfair Display, DM Sans) from fonts.bunny.net. EU-based CDN, no IP logging. | No |
| Cloudflare | DDoS protection and CDN for evestival.com. May set a __cf_bm cookie for bot management. |
Possibly 1 (security only) |
Note: Cloudflare's __cf_bm cookie is a security-essential cookie placed to detect automated bots. It is session-only and does not track browsing behaviour. It is exempt from consent under Art. 5(3) ePrivacy Directive as it is strictly necessary for network security.
6. Your choices & withdrawing consent
When you first visit Evestival, a cookie consent banner appears. You can:
- Accept — enables Matomo's first-party analytics cookies (so we can recognise returning visitors) and Google AdSense advertising cookies.
- Decline — no analytics or advertising cookies are ever set. Matomo continues in cookieless mode (your visit is counted in aggregate, but you are not recognised across visits), and Google AdSense is never loaded.
To withdraw or change your consent at any time, clear your browser's localStorage for evestival.com — the consent banner will reappear on your next visit, and Matomo's analytics cookies are deleted and tracking returns to cookieless mode. To clear localStorage:
- Chrome / Edge: F12 → Application → Local Storage → Right-click evestival.com → Clear.
- Firefox: F12 → Storage → Local Storage → Right-click evestival.com → Delete All.
- Safari: Preferences → Privacy → Manage Website Data → evestival.com → Remove.
You can also disable all cookies in your browser settings, though this may prevent certain features from working.
7. Changes to this Cookie Policy
We may update this Cookie Policy from time to time to reflect changes in the technologies we use or legal requirements. Material changes will be posted on this page with an updated "Last updated" date.
8. Contact
Questions about our use of cookies? Contact us at [email protected] or via our contact form.