Rivalio Cookies Policy
⚠️ This is a template, not legally binding advice. Prior to deployment, the Operator recommends review by a lawyer. This template was generated by AI and may not reflect the latest legislative changes nor the actual technical implementation.
Controller: Rivalio s.r.o., Company ID 29509751, with its registered office at Nové sady 988/2, Staré Brno, 602 00 Brno, Czech Republic.
Version: 1.0 · Effective from: [TO FILL IN] · Related: Privacy Policy v1.1
Contact for queries: privacy@rivalio.cz
1. Introduction
1.1. This Policy describes which cookies and similar technologies Rivalio uses, what they do, and how the Data Subject can manage them. It complements the Privacy Policy (/privacy-policy), which it relies on for legal bases and retention.
1.2. "Data Subject" means any visitor to the Rivalio website — whether signed in or anonymous.
2. What cookies and similar technologies are
2.1. Cookies are small text files stored by the website in your browser. They remember choices, keep you signed in, and may measure visitor behaviour.
2.2. Beyond classic HTTP cookies, Rivalio uses a few related technologies:
- localStorage/sessionStorage — browser-local storage, never auto-sent to the server. Used mainly to remember cookie banner choices.
- Web pixels in e-mails — not used.
- Fingerprinting — not used.
2.3. "Cookies" in this document covers all of the above.
3. Legal framework
3.1. The use of cookies is governed by:
- Section 89(3) of Czech Act No. 127/2005 Coll. on electronic communications (in the wording effective from 1 January 2022) — opt-in regime: non-essential cookies may be stored only with the visitor's demonstrable consent.
- Regulation (EU) 2016/679 (GDPR) Article 6(1)(a) — consent as a legal basis; Article 7 — conditions for consent.
- Directive 2002/58/EC (ePrivacy) Article 5(3).
- EDPB Guidelines 03/2022 on deceptive design patterns — no dark patterns.
4. Categories of cookies
Cookies fall into 4 categories. The first category is always active; the rest require consent that you can change at any time (see Section 7).
4.1 Essential
Required for the site to function — signed-in sessions, CSRF protection, language preference, and remembering your cookie choices. Consent is not required (Section 89(3) ZEK); these cookies are stored on the basis of the Controller's legitimate interest in providing the Service.
4.2 Functional
For advanced features that load third-party content — typically embedded YouTube video playback and bot protection (Google reCAPTCHA). Consent required.
4.3 Statistical
For traffic measurement, user behaviour, A/B testing. Consent required.
The Controller does not currently use any statistical cookies. The category is reserved for future activation (typically Google Analytics 4 or an alternative). If activated, the Policy will be updated and the Data Subject re-informed.
4.4 Marketing
For advertising targeting, remarketing, conversion tracking. Consent required.
The Controller does not currently use any marketing cookies. The category is reserved for future activation (Google Ads, Meta Pixel, etc.). If activated, the Policy will be updated.
5. Specific cookie list
5.1 Essential
| Cookie / key | Provider | Purpose | Expiry | Type |
|---|---|---|---|---|
| rivalio_session (per config/session.php) | rivalio.cz | Sign-in / app state | 2 hours | HTTP, HttpOnly, Secure, SameSite=Lax |
| XSRF-TOKEN | rivalio.cz | CSRF protection | Session | HTTP, Secure |
| cookie_consent_v3 | rivalio.cz | Stores your cookie banner choices | persistent (until you change them) | localStorage |
| locale (when you change language) | rivalio.cz | Language preference | 12 months | HTTP |
5.2 Functional (consent required)
| Cookie / key | Provider | Purpose | Expiry | Type |
|---|---|---|---|---|
| _GRECAPTCHA (only if admin enables recaptcha_enabled) | google.com | Bot protection on public registration forms | 6 months | 3rd-party |
| YSC, VISITOR_INFO1_LIVE, PREF (only after a "Load video" click) | youtube-nocookie.com / youtube.com | Playback preferences and view counts | session / 6 months | 3rd-party |
YouTube embeds default to a placeholder with a "Load video" button. Cookies are only set after the visitor explicitly clicks Load video or accepts Functional consent.
5.3 Statistical (consent required) — currently empty
No statistical cookies are currently used.
5.4 Marketing (consent required) — currently empty
No marketing cookies are currently used.
6. Third parties
| Provider | Purpose | Privacy Policy |
|---|---|---|
| Google LLC (reCAPTCHA, YouTube) | Bot protection, video playback | https://policies.google.com/privacy |
Whenever you accept a non-essential category, data is sent directly to the third party, which processes it as its own controller (or joint controller). See Privacy Policy Section 7 for details.
Note: Inter (typeface) has been self-hosted from rivalio.cz/fonts/inter/* since version 1.3 — no requests reach Google, regardless of consent.
7. How to manage cookies
7.1 Cookie banner
On your first visit, a banner is shown with three buttons of equal visual weight:
- Accept all — enables all four categories,
- Reject all — keeps only Essential, disables the rest,
- Customise — opens a per-category toggle modal.
7.2 "Manage cookies" in the footer
Every Rivalio page has a Manage cookies link in the footer that reopens the banner / modal and lets you change your decision. The change applies immediately and is written to the audit trail (see Section 8).
7.3 Browser settings
You can also manage cookies in your browser directly:
- Chrome: chrome://settings/cookies
- Firefox: about:preferences#privacy
- Safari: Preferences → Privacy → Cookies and website data
- Edge: edge://settings/content/cookies
Clearing cookies in the browser also clears localStorage, so the banner will reappear on the next visit.
8. Consent audit trail
To meet the burden of proof in case of an ÚOOÚ inspection, the Controller stores every consent given or withdrawn in an internal audit log (cookie_consents table). Each record contains:
- a unique consent identifier (consent_id),
- a snapshot of category choices at the moment of consent,
- a snapshot of the category text you saw,
- the site language and schema version,
- an anonymised IP address (IPv4 truncated to /24, IPv6 to /48),
- the User-Agent string,
- a server-side timestamp.
The record is immutable — if you change your choice, a new row is created and linked to the previous one. Retention: 24 months from the last consent (or withdrawal), then automatically cleaned up.
9. Consequences of refusal
| What you refuse | What you lose |
|---|---|
| Functional | YouTube embeds show a placeholder with a "Load video" button; reCAPTCHA does not load, anti-spam falls back to honeypot + rate limiting. |
| Statistical | Currently nothing — the category is not in use. |
| Marketing | Currently nothing — the category is not in use. |
| Essential | Cannot be refused — Rivalio would not work (sign-in, CSRF). |
Remember: the Service must work even with all non-essential cookies refused. If refusing breaks something, that is a bug — please contact us at info@rivalio.cz.
10. Changes and contact
10.1. This Policy may be updated at any time. We will inform you of material changes pursuant to Section 16 of the Privacy Policy (e-mail, in-app notice, at least 30 days before the effective date).
10.2. If a change affects the categories of cookies, we invalidate existing consents (via cookie_schema_version in the configuration) and ask you to decide afresh.
10.3. Questions and complaints: privacy@rivalio.cz. A complaint with the supervisory authority may be lodged at the Office for Personal Data Protection (https://www.uoou.cz) or the supervisory authority of your country of habitual residence.
End of Cookies Policy. Version 1.0, effective from [TO FILL IN].