1. What are cookies?
Cookies are small text files that are stored on your device when you visit a website. They usually contain a random identifier and allow the server to recognize an ongoing session or a user preference. Cookies can be temporary (session) or permanent (persistent).
Similar technologies are local storage and session storage (browser-internal storage) as well as IndexedDB; in this policy we treat these collectively as “cookies”.
2. Marketing website castloop.de
Our public marketing site at castloop.de sets no cookies — neither technically necessary nor tracking/marketing cookies. No external analytics services (no Google Analytics, no Facebook Pixel, no Matomo) are embedded.
3. Application app.castloop.de
In the application at app.castloop.de we set exclusively technically necessary cookies that are indispensable for providing our service. Pursuant to § 25 (2) no. 2 TDDDG, no consent is required for these.
| Cookie | Purpose | Duration | Type |
|---|---|---|---|
| castloop_rt | Refresh token (HttpOnly, Secure, SameSite=Strict): session extension without re-entering the password | 30 days, rotating | Required |
| castloop_csrf | CSRF protection (double-submit cookie pattern) | Session | Required |
| oauth_state | CSRF protection in the SSO OAuth flow (short-lived, only during the login redirect) | 10 minutes | Required |
| theme (local storage) | User preference for light/dark mode | Persistent, until removed by the user | Required (convenience) |
In addition, a short-lived CSP nonce value (Content Security Policy) is delivered via HTTP header with every page load. This is not a cookie, as it is not stored on the user's device.
4. Cookies set by SSO providers (only when logging in via Google / Microsoft / Apple)
If you decide to log in via an external identity provider, you are briefly redirected to its login page. The cookies set there reside exclusively in the domain of the respective provider (google.com, login.microsoftonline.com, appleid.apple.com) and are subject to the respective privacy and cookie policy of that provider:
- Google: session cookies of the Google sign-in; see policies.google.com/technologies/cookies.
- Microsoft: session cookies of login.microsoftonline.com; see privacy.microsoft.com.
- Apple: session cookies of appleid.apple.com; see apple.com/legal/privacy.
CastLoop has no influence over these cookies and does not read them either. They are only set during the actual login redirect.
5. Consent & cookie banner
Pursuant to § 25 TDDDG, consent is required as soon as cookies or comparable storage access are used that are not strictly necessary (e.g. statistics, tracking, advertising). Technically necessary cookies (§ 25 (2) no. 2 TDDDG) run without consent.
On your first visit, castloop.de therefore shows a consent banner with equivalent options (“Accept all” / “Only necessary”) and a per-category settings view. Optional categories (currently: statistics) remain off until you actively consent; the selection is stored locally in your browser (localStorage entry cl_consent, itself strictly necessary, as it documents your decision). At present we do not yet set any statistics cookies; your choice takes effect as soon as such cookies are used.
You can change or withdraw your consent at any time with effect for the future: the link “Cookie settings” in the footer opens the banner again.
6. Controlling & deleting cookies
You can view and delete the cookies that have been set at any time via your browser settings. Disabling the required cookies, however, prevents the use of the application (app.castloop.de) — login and persistent sessions then no longer work. Deleting the refresh token cookie leads to being logged out; you can log in again at any time afterwards.