Mezantic Cookie Policy
Version: 1.0
Effective date: 2026-05-15
Contact: hello@mezantic.com
This Cookie Policy implements the information obligations under Article 5(3) of Directive 2002/58/EC (ePrivacy Directive) as transposed in the user's Member State (including, for Poland, Article 173 of the Act of 12 July 2024 — Electronic Communications Law, "PKE"), and under Article 13 of Regulation (EU) 2016/679 ("GDPR"). Consent for non-strictly-necessary cookies is collected under Article 5(3) ePrivacy Directive together with Articles 4(11) and 6(1)(a) GDPR.
1. Scope
1.1. This Policy explains how Mezantic uses cookies, browser local storage (localStorage, sessionStorage, IndexedDB), pixel tags, and other similar technologies in the Mezantic application, on information pages, and in public forms where Mezantic controls the technology layer.
1.2. Cookie consent does not replace separate marketing consents (in particular consent for electronic commercial communications under Article 398 PKE in Poland), which are collected independently. This Policy supplements the Privacy Policy at mezantic.com/en/legal/privacy.
2. Cookie Categories
- Strictly necessary — required for service operation, used without consent under Article 5(3) ePrivacy Directive (and Article 173(3) PKE in Poland), strictly to provide the service explicitly requested by the user (authentication, session, security, language preference, form submission, rate limiting). Legal basis for associated personal-data processing: Article 6(1)(b) or 6(1)(f) GDPR.
- Functional — optional user preferences or embedded third-party content; loaded only after consent (Article 6(1)(a) GDPR).
- Analytics — measure product usage to improve the service; loaded only after consent (Article 6(1)(a) GDPR).
- Marketing — campaign attribution, ad measurement, remarketing; loaded only after consent (Article 6(1)(a) GDPR).
3. Cookie Inventory
| Name / identifier | Provider | Category | Purpose | Retention | Transfer outside EEA |
|---|---|---|---|---|---|
sb-[project-ref]-auth-token, sb-[project-ref]-auth-token-code-verifier | Supabase, Inc. (Supabase Auth) | Necessary | Authenticated session token; PKCE code verifier for OAuth | Session or until logout | EEA (eu-west-1, Dublin); administrative-support transfers to Singapore — SCCs (Module 3) |
__Host-csrf | Mezantic | Necessary | CSRF protection | Session | n/a |
NEXT_LOCALE | Mezantic / next-intl | Necessary | UI language preference | up to 12 months | n/a |
mezantic_consent / c15t_* | Mezantic (c15t client/runtime in custom mode with Mezantic-owned consent endpoints) | Necessary | Consent choice, policy version, timestamp | up to 12 months | EEA (Mezantic infrastructure) |
__cf_bm, cf_clearance | Cloudflare / Vercel | Necessary | Bot management, edge security | 30 minutes – 30 days | US — DPF / SCCs |
__vercel_*, _vercel_* | Vercel, Inc. | Necessary | Edge routing, region identification | up to 1 year | US — DPF (Vercel is DPF-certified) |
| Vercel Speed Insights script / event beacon | Vercel, Inc. | Analytics | Web Vitals and performance measurement — after consent | provider dashboard retention | US — DPF / SCCs |
_ga, _ga_[ID] | Google Ireland Limited (GA4) | Analytics | Traffic and behavior measurement — after consent | up to 24 months | EEA (Ireland); US — DPF / SCCs |
_gcl_au | Google Ireland Limited (Google Ads) | Marketing | Google Ads conversion attribution — after consent | 90 days | EEA (Ireland); US — DPF / SCCs |
_fbp | Meta Platforms Ireland Limited | Marketing | Meta ads measurement — after consent | 90 days | EEA (Ireland); US — DPF / SCCs |
ph_* | PostHog, Inc. (EU instance) | Analytics | Product analytics — after consent | up to 12 months | EEA (Germany); US — DPF / SCCs |
Retention periods reflect provider defaults. Exact cookie names may vary across provider software versions.
4. Consent Choices
4.1. Non-essential categories are off by default. Mezantic does not use pre-checked boxes or implied consent.
4.2. The first consent layer offers clearly labeled "Accept all" and "Customize" options. The customization layer lets users leave all optional categories disabled and save that choice.
4.3. Refusing non-essential cookies does not block access to the core service; some optional features (e.g., embedded third-party content) may be unavailable.
4.4. Consent can be changed or withdrawn at any time — as easily as it was given — via the consent management panel available in the application. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
5. Managing Cookies In The Browser
Independently of the Mezantic consent panel, users can control cookies via their browser settings (Chrome, Firefox, Safari, Edge). Disabling cookies may limit features requiring login. Third-party opt-out mechanisms: Google Analytics — https://tools.google.com/dlpage/gaoptout; PostHog — https://posthog.com/privacy.
6. Public Forms
Mezantic public forms do not load Respondent-side analytics or marketing scripts before consent and do not support customer-added tracking scripts.
7. Providers And Transfers
The current list of providers (processors, subprocessors, and joint controllers) is published at mezantic.com/en/legal/service-providers. Non-essential providers are activated only after the required consent. For EEA traffic, GA4 requires Google Consent Mode v2 with ad_storage, analytics_storage, ad_user_data, and ad_personalization defaulted to denied. Transfers outside the EEA are based on the adequacy decision (DPF) or 2021 standard contractual clauses (SCCs) — details on the Service Providers page.
8. Retention
Maximum cookie lifetimes are stated in the table in § 3. Consent and withdrawal records are kept for the period needed to demonstrate accountability under Articles 5(2) and 7(1) GDPR, no longer than 6 years from the end of the calendar year in which the account was closed or consent was withdrawn.
9. Contact And Right To Complain
9.1. Questions about this Policy: hello@mezantic.com or to the Controller's registered address as stated in the Privacy Policy.
9.2. Data subjects have the right to lodge a complaint with the President of the Personal Data Protection Office (ul. Stawki 2, 00-193 Warsaw, https://uodo.gov.pl) or — for breaches of Articles 173 and 398 PKE in Poland — with the President of the Electronic Communications Office (ul. Giełdowa 7/9, 01-211 Warsaw). Users habitually resident in the United Kingdom may contact the Information Commissioner's Office (https://ico.org.uk).
10. Language And Changes
10.1. This is the English-language Cookie Policy of Mezantic, a standalone document for English-speaking users. A parallel Polish-language version is maintained in substantive alignment and updated simultaneously. Each version is the primary information notice for its intended audience under Article 12 GDPR.
10.2. Mezantic may update this Policy when providers, consent tooling, technology, or law change. Material changes are communicated via the product interface or by email associated with the account.
10.3. Current Cookie Policy: mezantic.com/en/legal/cookies. Polish version: mezantic.com/pl/legal/cookies.