Cookie Policy — WhiteKnight Academy
Effective date: 2026-07-02
1. What this page covers
This Cookie Policy explains what cookies and similar browser storage we use across our websites — the public marketing site at https://whiteknight.academy and the learning platform at https://analytics.whiteknight.academy — why, and how you can control them. It supplements the Privacy Policy, which remains the primary document governing our handling of your personal data.
2. A quick definition
- Cookie — a small text file a website stores in your browser and reads back on each request.
- localStorage / sessionStorage — browser storage available to websites, held on your device and not transmitted automatically with every request. We use these mainly to remember UI preferences.
- Third-party cookie — a cookie set by a different domain than the one you visited.
3. What we use — and why
We classify storage into three groups:
3.1. Strictly necessary (no consent required)
These are set without asking, because without them the Service does not work. Under ePrivacy Art 5(3) second sentence they fall inside the "strictly necessary" carve-out; under CCPA §1798.140(e)(2)–(3) they are "service provider" processing.
| Name (or pattern) | Set by | Purpose | Expiry |
|---|---|---|---|
sb-access-token, sb-refresh-token |
Supabase | Keeps you signed in. Without these you would be logged out on every page. | Session + refresh lifecycle (up to 1 hour access, longer refresh) |
wk-consent |
Us | Remembers your cookie-banner choice so we do not ask again on every visit | 12 months |
wk-csrf |
Us | CSRF token for authenticated form submissions | Session |
cf_chl_* |
Cloudflare Turnstile (set on challenges.cloudflare.com, not on our domain) |
Short-lived challenge token written only when a visible CAPTCHA is shown on the parent-with-child registration form. Used to prevent automated mass-registration. The default "managed" mode skips this cookie when the visitor is judged human without a challenge. | 30 minutes |
3.2. Functional localStorage (no consent required — UI state only)
These items never leave your device (except when you explicitly click "Sync across devices" in settings, which we do not yet offer). They exist only to make the UI remember what it looked like last time.
| Key | Purpose |
|---|---|
wk-sidebar-collapsed |
Whether you had the sidebar collapsed or expanded |
wk-layout-* |
Persisted dashboard layout choices |
wk-filter-* |
Last-used filter values on report pages |
wk-cache-* |
Short-lived client caches for heavy charts (invalidated automatically) |
wk-onboarding-progress |
Where you left off in onboarding |
3.3. Analytics (requires your consent)
We use analytics to understand how our site is used — which pages are visited, from which referral source, on which device families — so we can improve the product. Analytics cookies are not set until you opt in through our cookie banner or preferences page (ePrivacy Art 5(3); Polish ustawa Prawo komunikacji elektronicznej 2024).
| Name (or pattern) | Set by | Purpose | Expiry |
|---|---|---|---|
_ga |
Google Analytics 4 | Distinguishes unique browsers; client identifier used by GA4 | 2 years |
_ga_<container-id> |
Google Analytics 4 | Session state for this property | 2 years |
_gid |
Google Analytics 4 (legacy) | Distinguishes users within a 24-hour window | 24 hours |
We have configured Google Analytics 4 with:
- IP anonymisation on by default;
- Data-retention set to the shortest option supported by GA4 (currently 2 months for event data);
- Consent mode v2 — no
_ga/_ga_*cookies are written until consent is granted; before consent, GA4 operates in cookieless "consent denied" mode and sends only aggregate, non-identifying ping data.
Our tags are loaded through Google Tag Manager (container ID GTM-5TF7QK4N). GTM itself does not set tracking cookies; it is a tag-management layer that decides which vendor tags to load based on your consent choices.
3.4. Advertising and marketing (requires your consent)
We run paid-acquisition campaigns on the platforms below and use their conversion / retargeting pixels to measure campaign effectiveness and to reach people with similar interests to our existing users. These cookies are not set until you opt in through our cookie banner or preferences page.
| Provider | What the cookies do | Default expiry |
|---|---|---|
| Google Ads | Conversion tracking and remarketing audience membership (e.g., _gcl_au, NID) |
Up to 2 years |
| Meta (Facebook / Instagram) | Meta Pixel conversion and custom-audience cookies (e.g., _fbp, fr) |
Up to 90 days |
| TikTok for Business | TikTok Pixel conversion and audience cookies (e.g., _ttp) |
Up to 13 months |
| X (formerly Twitter) Ads | X Pixel conversion tracking (e.g., muc_ads, personalization_id) |
Up to 2 years |
Specific cookie names, durations, and data points are controlled by each provider and may change; the current-state table is maintained by Google Tag Manager and reviewed quarterly.
We do not use session-replay or behaviour-watching tools (no Hotjar, Clarity, FullStory, LogRocket). We do not sell or share your personal data for cross-context behavioural advertising within the meaning of CCPA/CPRA §1798.120–.121; the retargeting described above uses our own events sent to the ad platform under each platform's data-processor terms, not data-sharing for a third party's own purposes.
3.5. Children's accounts — analytics and advertising are blocked
When a user is logged in as a Child (under 16 — see Privacy Policy § 6), all analytics and advertising tags are blocked on every page of the session, regardless of consent banner choice. This is enforced at our tag-management layer (GTM trigger conditions) and is not dependent on user input. It aligns with:
- California AADC §22675(d) — no profiling by default.
- COPPA §312.2 "child-directed service" rules.
- ICO Children's Code principle 7 (use of children's data for profiling).
Analytics and advertising therefore run only on (a) the public marketing pages, and (b) adult-authenticated dashboards.
4. Third-party cookies — only while you sign in with Google
If you choose "Sign in with Google" (optional), Google sets its own cookies on its domain during the sign-in flow. These are governed by Google's cookie policy at https://policies.google.com/technologies/cookies and are outside our control. After sign-in completes, Google cookies are no longer read from our site.
If you use email/password sign-in instead, no third-party cookies are set by us.
5. How we ask for consent
Our cookie banner appears on your first visit and offers three actions:
- Accept all — enables the strictly-necessary set (§ 3.1), analytics cookies (§ 3.3), and advertising/marketing cookies (§ 3.4).
- Essential only — keeps the strictly-necessary set on and blocks both analytics and marketing. This is the default if you do nothing or dismiss the banner.
- Customise — opens
https://whiteknight.academy/legal/cookie-preferenceswhere you can toggle each non-essential category individually.
Your response is stored in a first-party browser item called wk-consent, which records:
- which categories you granted or denied,
- the version of the policy at the time of the choice,
- the timestamp.
You can change your preferences at any time on the same /legal/cookie-preferences page. When you withdraw consent for a category, we push gtag('consent', 'update', …) through our tag manager, which stops new cookies in that category from being written and instructs browsers to clear existing ones on the next visit.
The banner respects the Global Privacy Control browser signal (CPRA §1798.135(b)) and any Do-Not-Track header by treating them as a denial of analytics and marketing consent, without showing the banner.
6. Children and cookies
The full child-protection rules are in § 3.5 above. In short: analytics and advertising cookies are blocked entirely on pages served to logged-in Child accounts. This is enforced at the tag-management layer, not at the banner layer.
7. How to reject or delete cookies in your browser
You can always control cookies at the browser level:
- Chrome / Edge: Settings → Privacy and security → Cookies and other site data
- Firefox: Settings → Privacy & Security → Cookies and Site Data
- Safari: Settings → Privacy
- Mobile: browser settings → cookies
Blocking the strictly-necessary cookies listed in § 3.1 will break sign-in and cause the Service to stop working for you. Blocking wk-consent will cause the banner to re-appear each visit.
8. Do we fingerprint?
No. We do not use device fingerprinting, canvas fingerprinting, audio fingerprinting, or similar browser-identification techniques. Our telemetry stores only coarse device/browser family (e.g., "Chrome on Windows desktop") as described in Privacy Policy § 3.6; it does not contain identifiers that could uniquely track you across sessions.
9. Changes to this Cookie Policy
If we add any cookie or similar technology beyond the list in § 3, we will update this page, refresh the cookie banner for a re-consent, and — where required — email active account holders at least 15 days in advance.
10. Contact
- Privacy questions: privacy@whiteknight.academy
- General: contact@whiteknight.academy
- Post: TheBroda sp. z o.o., ul. Wierna 12, Warszawa, Poland
11. Version history
2026-07-02— v1 (initial publication, accompanies Privacy Policy v1).