Cookie policy
Version 2.0 · Last updated: 2026-06-05
This page lists every cookie and similar storage technology that VitaminDB may set in your browser, who sets it, what it does, and how to control it. It is published in compliance with the EU ePrivacy Directive (2002/58/EC as amended), §25 of the German Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz (TTDSG), the UK Privacy and Electronic Communications Regulations (PECR), Article 7 of the GDPR (consent requirements), and ePrivacy guidance issued by the European Data Protection Board (EDPB Guidelines 05/2020 and 03/2022).
Table of contents
- Categories
- Full cookie + storage table
- Storage technologies we use (and ones we do not)
- Fingerprinting policy
- Cookie-wall prohibition
- Do Not Track and Global Privacy Control
- How to change your choice
- Browser-level controls
- Third-party cookies (when present)
- Related policies
1. Categories
- Essential. Required to deliver the service you requested: authentication, security, abuse prevention, language preference, currency. No legal basis is required to set these (ePrivacy Art. 5(3) “strictly necessary” exemption).
- Preference. Remember a choice you actively expressed (language, currency, density). Treated as essential because triggered by user action.
- Analytics. Help us measure aggregate traffic and improve content. Set only after you opt in. Lawful basis: GDPR Art. 6(1)(a) consent.
- Affiliate. Set by merchant partners when you click an outbound deal link, to credit us with the referral. Set only after you opt in. Lawful basis: GDPR Art. 6(1)(a) consent.
We do not pre-tick boxes (EDPB 05/2020 §7.3). We do not use scroll, continued browsing, or implicit interaction as a substitute for consent.
2. Full cookie + storage table
| Name | Category | Purpose | Set by | Provider | Duration | Lawful basis |
|---|---|---|---|---|---|---|
| authjs.session-token | essential | Authenticated session (signed JWT in cookie) | first-party | VitaminDB | 30 days sliding window | ePrivacy Art. 5(3) strictly necessary |
| authjs.csrf-token | essential | Cross-site request forgery protection | first-party | VitaminDB | Session | ePrivacy Art. 5(3) strictly necessary |
| authjs.callback-url | essential | Post-auth redirect target | first-party | VitaminDB | Session | ePrivacy Art. 5(3) strictly necessary |
| NEXT_LOCALE | preference | Language preference selection | first-party | VitaminDB | 1 year | ePrivacy Art. 5(3) strictly necessary (user-requested) |
| vdb-currency | preference | Display currency preference (EUR / USD / GBP / etc.) | first-party | VitaminDB | 1 year | ePrivacy Art. 5(3) strictly necessary (user-requested) |
| vdb-consent-v1 (localStorage, not a cookie) | essential | Record your consent choices (essential / analytics / affiliate) | first-party | VitaminDB | Until you clear it | ePrivacy Art. 5(3) + GDPR Art. 7(1) record of consent |
| vdb-chunk-reload-once (sessionStorage) | essential | Prevent reload loops after a stale-chunk recovery | first-party | VitaminDB | Browser session | ePrivacy Art. 5(3) strictly necessary |
| _pk_id, _pk_ses (Plausible/Umami if enabled) | analytics | Self-hosted analytics — page view counts with anonymized IP | first-party | VitaminDB (self-hosted) | 13 months / 30 minutes | GDPR Art. 6(1)(a) consent |
| Amazon affiliate cookie (ubid-*, session-*) | affiliate | Affiliate attribution after click-through to Amazon | third-party | Amazon.com Inc. | 24 hours | GDPR Art. 6(1)(a) consent + Amazon Associates terms |
| iHerb referral cookie (rcode / pcode) | affiliate | Affiliate attribution after click-through to iHerb | third-party | iHerb LLC | 14 days | GDPR Art. 6(1)(a) consent |
| AwinChannelCookie | affiliate | Affiliate attribution across Awin-managed merchants | third-party | Awin AG | 30 days | GDPR Art. 6(1)(a) consent |
| CJ affiliate cookie (sid / aid) | affiliate | Affiliate attribution across Commission Junction merchants | third-party | Commission Junction LLC | 30 days | GDPR Art. 6(1)(a) consent |
| Cloudflare __cf_bm | essential | Bot-management protection on our edge | third-party | Cloudflare, Inc. | 30 minutes | ePrivacy Art. 5(3) strictly necessary (security) |
| Cloudflare _cfuvid | essential | Rate-limiting per visitor on our edge | third-party | Cloudflare, Inc. | Session | ePrivacy Art. 5(3) strictly necessary (security) |
3. Storage technologies we use (and ones we do not)
- HTTP cookies — used as listed above.
- localStorage — used for the consent record (vdb-consent-v1) and minor UI state. Counts as “similar technology” under ePrivacy Art. 5(3).
- sessionStorage — used for one-shot recovery flags (vdb-chunk-reload-once).
- IndexedDB — used by the offline service worker to queue pending votes when you lose connectivity (vdb-bg database, store vote-queue).
- Service worker — used for offline-first navigation, push notifications (opt-in), and asset caching; see /sw.js for the source.
- Cache Storage — static assets cached by the service worker for offline operation.
- Web Push API — used only after you explicitly enable push notifications; subscriptions are stored on our server and revoked when you turn the feature off.
- Beacon API — used for navigator.sendBeacon at page unload to flush analytics events only when analytics consent is present.
- NOT used: Flash LSOs, ETags as tracking identifiers, HSTS supercookies, font enumeration, audio context fingerprinting, canvas fingerprinting, WebGL fingerprinting, battery API tracking, ambient-light tracking, ultrasonic cross-device tracking, IDFA / GAID.
4. Fingerprinting policy
VitaminDB does not engage in browser fingerprinting or device fingerprinting for any purpose, including bot detection. Cloudflare may apply standard bot-protection techniques on our edge, governed by Cloudflare’s policy and limited to the essential category. We do not load any third-party fingerprinting library.
5. Cookie-wall prohibition
We do not use a cookie wall. Access to VitaminDB and its Content is not conditioned on consent to analytics or affiliate cookies (EDPB Guidelines 03/2022 §3.1). The consent banner offers symmetrical “Accept all” and “Reject non-essential” choices and a third “Customize” option for granular toggles.
6. Do Not Track and Global Privacy Control
We honour the Global Privacy Control (GPC) browser signal: requests carrying GPC are treated as opting out of analytics and affiliate categories regardless of any prior choice in the consent banner. We do not act on the legacy DNT header because it lacks a clear legal definition and was deprecated by the W3C.
7. How to change your choice
Your current consent is stored under the vdb-consent-v1 key in your browser’s local storage. To change it:
- Clear site data for vitamindbc.com in your browser settings — the consent banner will reappear on the next visit.
- Or email [email protected] and we will reset it server-side for your account.
- Or, where supported in your browser, send a GPC signal (Firefox supports it natively, Brave has it on by default, Chrome via the “Privacy Badger” extension or the GPC extension by DuckDuckGo).
8. Browser-level controls
You can block or delete cookies in any modern browser: Chrome, Firefox, Safari, Edge, Brave. Blocking essential cookies will break authentication; analytics and affiliate cookies can be blocked without affecting site functionality.
9. Third-party cookies (when present)
Third-party cookies are set on your browser only after explicit consent and only after you take an action that triggers a third-party request (e.g. clicking an affiliate link to Amazon). We do not load any cross-site tracker at page load time. The third parties listed in the table act as independent data controllers for the cookies they set; their privacy policies govern what they do with the data:
- Amazon: amazon.com privacy notice
- iHerb: iherb.com privacy policy
- Awin: awin.com privacy policy
- CJ Affiliate: cj.com privacy policy
- Cloudflare: cloudflare.com privacy policy
10. Related policies
See our privacy policy for full data-processing details, the lawful basis for each category, and your GDPR/CCPA rights. See our affiliate disclosure for the merchant relationships behind affiliate cookies.