COOKIE POLICY
Version 1.0 – 2025-07-14
1 Scope and controller
This Cookie Policy explains how Jaden Data GmbH (trading as 'FlowhiveAI', 'we', 'our'), Goethestraße 67 a, 10625 Berlin, Germany (HRB 236369 B – Amtsgericht Charlottenburg, VAT DE 349 098 543, e‑mail info@jadendata.com), uses cookies and comparable technologies on https://www.flowhiveai.io (the "Service").
Unless stated otherwise, Jaden Data GmbH is the controller within the meaning of Art 4 No 7 GDPR.
2 Cookies and similar technologies
"Cookies" are small text files that a website stores on a visitor’s device and that the browser returns on subsequent visits. Technologies such as localStorage, sessionStorage, tracking pixels, web beacons and tags serve comparable purposes. In this notice, "cookie" is shorthand for all such technologies.
Legal framework. Reading or writing information on end‑user devices is governed by Art 5 (3) ePrivacy Directive, transposed in Germany via § 25 TTDSG. Where a cookie involves processing of personal data, the GDPR applies in parallel.
3 Why we use cookies
| Category | Purpose | Legal basis (GDPR) | Default state |
|---|---|---|---|
| Strictly necessary | Provide the Service and keep it secure (authentication, CSRF‑protection, load balancing) | Art 6 (1)(b) contract or Art 6 (1)(f) legitimate interest | Always active – § 25 (2) TTDSG |
| Analytics | Understand and improve how visitors interact with the Service (PostHog, Google Analytics 4) | Art 6 (1)(a) consent | Disabled until opt‑in |
| Session Recording | May record certain user interactions to improve website usability and identify potential issues (PostHog session recording) | Art 6 (1)(a) consent | Disabled until opt‑in |
| Marketing / Advertising | Measure campaign performance, build audiences and serve relevant ads (LinkedIn Insight Tag, X Pixel, Google Ads Tag) | Art 6 (1)(a) consent | Disabled until opt‑in |
Non‑essential cookies are never set before you give consent. 'Accept all' and 'Reject all' are equally prominent. The banner is implemented with vanilla‑cookieconsent.
4 Detailed cookie list
Audit date: 2025‑07‑14 – we re‑scan quarterly and update this table as required.
4.1 Strictly necessary
| Name | Provider / Domain | Purpose | Expiry | HttpOnly | Secure | SameSite |
|---|---|---|---|---|---|---|
_cfuvid | Cloudflare – *.flowhiveai.io | Distinguishes visitors behind a shared IP so Cloudflare’s WAF rules do not over‑block traffic | Session | – | ✔︎ | None |
appSession.0 | FlowhiveAI – www.flowhiveai.io | Keeps the user logged‑in (encrypted Auth0 token) | 24 h | ✔︎ | ✔︎ | Lax |
appSession.1 | FlowhiveAI – www.flowhiveai.io | Silent token refresh paired with appSession.0 | 24 h | ✔︎ | ✔︎ | Lax |
flowhive_session | FlowhiveAI – www.flowhiveai.io | Maintains session state & CSRF token | Session | ✔︎ | ✔︎ | Lax |
cookie_consent | FlowhiveAI – www.flowhiveai.io | Stores your banner choice | 12 mo | – | ✔︎ | Strict |
docs_current_tenant | Auth0 – .auth0.com | Selects the correct Auth0 tenant for docs | Session | – | ✔︎ | Lax |
wclang | Auth0 – .auth0.com | Stores interface language | Session | – | ✔︎ | Lax |
docs_current_tenant and wclang only appear after you log in to the dashboard.
4.2 Analytics – loaded only after consent
| Name | Provider | Purpose | Default expiry |
|---|---|---|---|
ph_<project_api_key>_posthog | PostHog | Distinct ID, session ID, feature‑flag state | 12 mo |
_ga | Google Analytics 4 | Distinguishes users | 24 mo |
_ga_<container-id> | Google Analytics 4 | Persists session state | 24 mo |
_gid | Google Analytics 4 | Distinguishes users per day | 24 h |
PostHog also writes to localStorage for feature‑flags. LocalStorage is cleared when you withdraw consent.
4.3 Session Recording – loaded only after consent
| Technology | Provider | Purpose | Data collected |
|---|---|---|---|
| Session Recording | PostHog | May record user interactions to improve website usability and identify potential issues | Mouse movements, clicks, scrolling patterns (text input is masked) |
| Heatmaps | PostHog | May generate heatmaps showing popular areas of the website | Aggregated click and scroll data |
Session recording data is stored for up to 12 months and may be used solely for website improvement purposes. Text input fields are automatically masked to protect your privacy.
4.4 Marketing / Advertising – loaded only after consent
| Name | Provider | Purpose | Default expiry |
|---|---|---|---|
personalization_id | X (Twitter) | Ad personalisation & analytics | 24 mo |
guest_id_ads | X (Twitter) | Identifies devices for ads when logged‑out | 24 mo |
bcookie | LinkedIn Insight Tag | Browser ID for fraud detection & ads | 12 mo |
lidc | LinkedIn Insight Tag | Datacentre selection & load balancing | 24 h |
li_gc | LinkedIn Insight Tag | Stores guest consent for non‑essential cookies | 6 mo |
li_fat_id | LinkedIn Insight Tag | Member indirect identifier for conversions | 30 d |
IDE | Google Ads (doubleclick.net) | Stores ad preferences & user ID | 13 mo |
__gads | Google Ads | Measures interactions with ads & prevents duplicate displays | 13 mo |
_gcl_au | Google Ads / Tag Manager | Stores Google Click ID (GCLID) for conversion tracking | 90 d |
test_cookie | Google Ads (doubleclick.net) | Tests if the browser supports cookies | 15 min |
5 Consent mechanism & withdrawal
Our banner:
- Loads only strictly necessary cookies by default.
- Shows “Accept all” and “Reject all” with equal prominence, plus category toggles and a “Save preferences” button.
- Stays visible until you make a choice.
- Stores decisions in the
cookie_consentcookie for 12 months. - Can be reopened at any time via Cookie Settings in the footer.
Withdrawing consent deletes analytics/marketing cookies and blocks the associated scripts.
6 International data transfers
- PostHog EU Cluster is hosted in Frankfurt/Stockholm – no data leaves the EEA.
- Google LLC, X Corp. and LinkedIn Corp. may process data in the United States. Transfers rely on:
- certification under the EU–US Data Privacy Framework (DPF),
- Standard Contractual Clauses (SCCs), and
- documented Transfer Impact Assessments.
Copies of the SCCs are available on request.
7 Storage duration & deletion
We keep personal data derived from cookies no longer than necessary. Analytics events are truncated or aggregated after 25 months at the latest. Marketing identifiers are deleted once a campaign ends or after 30 days of inactivity, whichever comes first.
8 Your rights
You may exercise the rights in Art 15–22 GDPR (access, rectification, erasure, restriction, portability, objection, automated decision‑making) at any time. See our Privacy Policy for details.
9 Changes to this policy
We review this notice at least quarterly. Material changes (e.g. adding a new marketing pixel) trigger a renewed consent request.
Last update: 2025‑07‑14
10 Contact
Data Protection Officer
Jaden Data GmbH
Goethestraße 67 a
10625 Berlin, Germany
privacy@jadendata.com
You may also lodge a complaint with the Berlin Commissioner for Data Protection and Freedom of Information (Berliner Beauftragte für Datenschutz und Informationsfreiheit).