Cookie Policy
Last updated: 7 March 2026Kaiilu uses cookies and local storage technologies to ensure the platform functions correctly, to remember your preferences, and — only with your express prior consent — to improve the service with usage metrics.
This policy is governed by Directive 2002/58/EC (ePrivacy), the GDPR (EU) 2016/679, and Estonian data protection law. Non-essential cookies require your prior, informed consent before being activated.
1. What Are Cookies and Similar Technologies?
Cookies: small text files that a website stores on your device. They can be session cookies (deleted when you close the browser) or persistent cookies (remaining until they expire or you delete them manually).
localStorage / sessionStorage: browser mechanisms for storing data locally. Kaiilu uses localStorage to save interface preferences (e.g., local "Continue Watching" history) and sessionStorage for temporary playback session data. This storage is not automatically transmitted to the server with each request.
Device fingerprinting: Kaiilu does not use browser or device fingerprinting techniques. We only use the standard mechanisms described in this document.
2. First-Party Cookies — Essential
Required for the platform's basic operation. These do not require consent (Art. 5.3 ePrivacy Directive) and cannot be disabled without disrupting the service. The legal basis is legitimate interest and performance of contract.
| Name | Purpose | Flags | Duration |
|---|---|---|---|
kaiilu_session | Maintains your authenticated session after login. | HttpOnly, Secure | Session (browser close) |
kaiilu_csrf | Protection token against cross-site request forgery (CSRF) attacks. | HttpOnly, Secure | Session |
kaiilu_cookie_consent | Stores your cookie preferences (which categories you have accepted or declined). | SameSite=Lax | 12 months |
kaiilu_refresh | Session renewal token to maintain access without requiring a new login. | HttpOnly, Secure | 30 days |
cf_clearance | Cloudflare security verification certificate after passing the anti-bot challenge (Turnstile). | Secure | 30 min – 1 year |
__cf_bm | Real-time bot traffic management by Cloudflare Bot Management. | HttpOnly, Secure | 30 minutes |
3. First-Party Cookies — Preferences
These remember settings you have configured to personalise your experience. They require your prior consent. Legal basis: consent (Art. 6.1.a GDPR).
| Name | Purpose | Duration |
|---|---|---|
kaiilu_locale | Language and region preferences selected by the user. | 12 months |
kaiilu_theme | Display mode (light/dark/automatic). | 12 months |
kaiilu_player_prefs | Player preferences: quality, volume, subtitles. | 12 months |
Kaiilu also uses localStorage to store the "Continue Watching" history and content bookmarks locally on your device. This data is not transmitted to the server except for synchronisation if you have an active session.
4. Analytics Cookies — Currently Not in Use
Kaiilu does not currently use any third-party analytics tools (Google Analytics, Mixpanel, Plausible, etc.) that set cookies on your device.
The usage metrics we collect are generated internally from server logs (without cookies) and are aggregated and anonymised before any analysis. If we implement analytics tools with cookies in the future, we will update this policy and explicitly request your consent before activating them.
5. Marketing Cookies — Not Used
Kaiilu does not use behavioural advertising cookies, retargeting, or third-party advertising networks. We do not share Kaiilu behaviour data with external advertisers.
6. Third-Party Integrated Cookies
Some services we integrate into Kaiilu may set their own cookies when you interact with them. Kaiilu does not control these cookies; they are governed by each provider's own privacy policies. They are only activated when you use the corresponding feature.
| Provider | Cookie(s) | When activated | Policy |
|---|---|---|---|
| Stripe, Inc. | __stripe_mid (1 year), __stripe_sid (30 min) | Only when accessing the Passes or KC payment screen. | stripe.com/privacy |
| Google LLC | g_state, g_csrf_token (session) | Only if you use "Sign in with Google". | policies.google.com/privacy |
| Apple Inc. | Apple ID session cookies (session) | Only if you use "Sign in with Apple". | apple.com/legal/privacy |
| Cloudflare, Inc. | cf_clearance, __cf_bm (see section 2) | Across the entire platform (network security). These are essential cookies. | cloudflare.com/privacypolicy |
7. How We Obtain and Manage Your Consent
- Prior, informed consent: non-essential cookies are only activated after your explicit choice in the cookie banner shown on your first visit. The initial state is essential cookies only — we do not default to "accept all".
- Granularity: you may accept or decline each category of cookies independently.
- Withdrawal of consent: you may change your preferences at any time from the platform settings. Withdrawal does not affect processing carried out prior to withdrawal.
- Consent validity: your choice is stored for 12 months. After this period, we will ask you to confirm your preferences again.
- Proof of consent: we record the date, policy version, and choices made as proof of your consent, in accordance with Art. 7.1 GDPR.
8. Browser-Level Management
In addition to Kaiilu's preference panel, you can manage and delete cookies directly from your browser. Please note that blocking essential cookies may prevent login and other basic features:
9. Retention and Expiry
Session cookies are automatically deleted when you close the browser. Persistent Kaiilu cookies have a maximum duration of 12 months. localStorage data remains on your device until you delete it manually or until you delete your account, at which point we will clear local storage on your next visit.
10. Changes to This Policy
If we add new cookies or materially modify existing ones, we will update this policy, change the "last updated" date, and — if new cookies require consent — request it again before activating them.
11. Contact
For any enquiry about this policy, write to [email protected].