Cookies & Local Storage
Overview
DUO ROYALE uses strictly-necessary cookies only, plus one local browser storage area (IndexedDB) for recovering in-progress recordings. We do not use any tracking, analytics, or marketing cookies. No third-party trackers (Google Analytics, Meta Pixel, Hotjar, or equivalents) are embedded. Processing is based on § 25 (2) TDDDG and Art. 6 (1) (b) and (f) GDPR (contract performance and legitimate interest in secure operation).
What we store
Every cookie and browser-storage item we write is listed below. If we add anything new, this page is updated in the same release.
| Name | Type | Purpose | Lifespan | Category |
|---|---|---|---|---|
| sb-access-token | Cookie · HttpOnly · Secure · SameSite=Lax | Supabase authentication token (JWT) for logged-in users. | Session; auto-refreshed on every request. | Strictly necessary |
| sb-refresh-token | Cookie · HttpOnly · Secure · SameSite=Lax | Supabase refresh token for silent access-token renewal. | Up to 30 days; cleared on logout. | Strictly necessary |
| NEXT_LOCALE | Cookie · plain · 1 year | Language preference (DE/EN) for the interface. | 1 year; user-changeable via the language toggle. | Strictly necessary |
| invitation | Cookie · HttpOnly · signed (HMAC) | Hands a beta invitation code from the invite page to the registration form. | 30 minutes; cleared after successful registration. | Strictly necessary |
| duo_cookies_acknowledged | localStorage | Remembers that the cookie notice banner has been dismissed. | Persistent until browser data is cleared. | Strictly necessary |
| duo-capture-drafts | IndexedDB | Local backup of in-progress video/photo recordings so an accidental tab close does not lose work. | Until submitted, discarded, or manually cleared in the browser. | Strictly necessary |
sb-access-tokenStrictly necessary- Type
- Cookie · HttpOnly · Secure · SameSite=Lax
- Purpose
- Supabase authentication token (JWT) for logged-in users.
- Lifespan
- Session; auto-refreshed on every request.
sb-refresh-tokenStrictly necessary- Type
- Cookie · HttpOnly · Secure · SameSite=Lax
- Purpose
- Supabase refresh token for silent access-token renewal.
- Lifespan
- Up to 30 days; cleared on logout.
NEXT_LOCALEStrictly necessary- Type
- Cookie · plain · 1 year
- Purpose
- Language preference (DE/EN) for the interface.
- Lifespan
- 1 year; user-changeable via the language toggle.
invitationStrictly necessary- Type
- Cookie · HttpOnly · signed (HMAC)
- Purpose
- Hands a beta invitation code from the invite page to the registration form.
- Lifespan
- 30 minutes; cleared after successful registration.
duo_cookies_acknowledgedStrictly necessary- Type
- localStorage
- Purpose
- Remembers that the cookie notice banner has been dismissed.
- Lifespan
- Persistent until browser data is cleared.
duo-capture-draftsStrictly necessary- Type
- IndexedDB
- Purpose
- Local backup of in-progress video/photo recordings so an accidental tab close does not lose work.
- Lifespan
- Until submitted, discarded, or manually cleared in the browser.
What we do not do
- No third-party cookies. No ad networks, no analytics platforms, no social-media pixels.
- No cross-session or cross-device user tracking.
- No profiling for advertising purposes.
Error telemetry (Sentry) is enabled server-side; cookies are stripped from every error event before transmission. Session replay is not used.
Browser settings
You can delete or block cookies at any time via your browser settings. Note: blocking the authentication cookies will prevent login. Blocking the language cookie will fall back to the default language.
Contact
Controller per Art. 4 (7) GDPR: Rebrained Consulting, owner Dejan Čivša, Bruno-Walter-Ring 22, 81927 Munich, Germany. Enquiries to dejan@rebrained.de.
See also our Privacy Policy and Legal Notice.
Last updated: 27 April 2026
The German version of this notice is legally authoritative. This English translation is provided for convenience.