Cookie Policy
Last updated: 27 May 2026
Controlling language. This document is published in English and translated into one or more additional languages for convenience. In case of conflict or ambiguity between language versions, the English version prevails.
1. Introduction
This Cookie Policy explains how JJ Online GmbH ("we", "us", "our"), operating Uptimia at https://uptimia.com (the "Website"), uses cookies and similar tracking technologies on the Website itself.
This policy covers cookies and storage we set on uptimia.com — the marketing site, the blog, the free public availability / speed tools, Uptimia-hosted public status pages, and the authenticated control panel at uptimia.com/cp.
It does not cover storage written on third-party websites where you have deployed our Real User Monitoring (RUM) beacon, our server-agent scripts, or our language SDKs. Those execute on your infrastructure and are governed by your own Cookie Policy under your responsibility as the data controller of your visitors. See Privacy Policy § 7 for the role allocation.
This policy should be read alongside our Privacy Policy.
2. What counts as a "cookie" here
§ 25 TDDDG (the German implementation of the ePrivacy Directive (Directive 2002/58/EC), Art. 5 (3)) covers any "storage of information on a terminal equipment, or the gaining of access to information already stored on it". This policy therefore treats the following technologies equivalently:
- HTTP cookies — text values written to your browser's cookie storage
- Local storage (localStorage) — key-value data persisted in your browser until you clear it
- Session storage (sessionStorage) — key-value data persisted only for the current tab session
- Web beacons / pixels — transparent images embedded in pages (and, where applicable, emails) to detect opens or loads
We refer to all of these as "cookies" throughout this document.
Server-side reads of request metadata (IP address, User-Agent, headers the browser voluntarily transmits in the HTTP request) are not covered by this Cookie Policy. They are not "storage of information on, or access to information already stored on, terminal equipment" within the meaning of § 25 TDDDG. Their lawfulness is assessed under Art. 6 GDPR only and is described in § 8 below.
3. Categories we use
We classify cookies using the four categories applied by German Datenschutzaufsichtsbehörden (DPAs):
- Strictly Necessary (Technisch notwendig) — required for the Website to function: authentication, session continuity, security, persisted UI state inside the authenticated control panel. Set without consent under § 25 Abs. 2 Nr. 2 TDDDG ("strictly necessary to provide the telemedia service expressly requested by the user").
- Functional (Funktional) — UI preferences and opt-in convenience features beyond what is strictly necessary. Set only with consent (the "Remember me" tick at sign-in, or the matching category in the control-panel cookie preferences — see § 4).
- Analytics (Analyse) — page-view or behavioural measurement. Set only with consent. (We do not currently use Analytics cookies on uptimia.com — see § 4.)
- Marketing (Marketing) — affiliate attribution, advertising, remarketing. Set only with consent.
4. Cookies we use
The table below lists every cookie and localStorage / sessionStorage entry we set or read on this Website.
4.1 First-party cookies — set by the Uptimia backend
These four HTTP cookies are issued by the Uptimia control panel after sign-in. All are set with HttpOnly, Secure, SameSite=Lax, Path=/. All are cleared on sign-out (/cp/logout).
| Name | Purpose (plain language) | Storage | Duration | Category | Legal basis (§ 25 TDDDG / Art. 6 GDPR) |
|---|---|---|---|---|---|
| uptimia_sess_id | Keeps you signed in to the control panel between visits; lets the server identify your account on every request. | HTTP cookie (HttpOnly, Secure, SameSite=Lax) | 30 days | Strictly Necessary | § 25 Abs. 2 Nr. 2 TDDDG · Art. 6 (1) (b) GDPR |
| uptimia_sess_2fa | Records that you completed two-factor authentication in this session, so we do not re-prompt you on every request. | HTTP cookie (HttpOnly, Secure, SameSite=Lax) | 30 days | Strictly Necessary | § 25 Abs. 2 Nr. 2 TDDDG · Art. 6 (1) (b) GDPR |
| uptimia_remember_id | The user-identifier half of the opt-in "Remember me" pair, set only if you actively ticked "Remember me" at sign-in. Without this pair you would have to sign in again every time the browser is closed. | HTTP cookie (HttpOnly, Secure, SameSite=Lax) | 30 days | Functional | § 25 Abs. 1 TDDDG · Art. 6 (1) (a) GDPR |
| uptimia_remember_token | The opaque-token half of the "Remember me" pair. See uptimia_remember_id above. | HTTP cookie (HttpOnly, Secure, SameSite=Lax) | 30 days | Functional | § 25 Abs. 1 TDDDG · Art. 6 (1) (a) GDPR |
The active tick of "Remember me" at sign-in is the affirmative consent act under § 25 Abs. 1 TDDDG and the Art. 6 (1) (a) GDPR consent for the persistent-login feature. The 30-day duration is the maximum interval before re-authentication is required; it is bounded by the same lifetime as the underlying session token so that "remembered" sign-ins do not outlive the session-integrity window.
We set no other HTTP cookies in normal operation. There is no separate framework session cookie (no PHPSESSID), and no separate cookie-borne CSRF token — CSRF protection is bound to the server-side session.
4.2 First-party storage in the authenticated control panel
These entries are written by the React control-panel application at uptimia.com/cp/… after you have signed in. They fall into two groups:
- The four localStorage UI preferences below are Functional under § 25 Abs. 1 TDDDG (Art. 6 (1) (a) GDPR). They persist convenience settings across sessions; the control panel renders with sensible defaults without them. Consent for these is collected via a cookie-preferences toggle inside the control panel; they are not written until you opt in.
- date_range_picker_state (sessionStorage) is Strictly Necessary under § 25 Abs. 2 Nr. 2 TDDDG: it carries the current dashboard date filter between pages within a single tab session, which is state continuity within the service you actively requested.
| Name | Purpose | Storage | Duration | Category | Legal basis (§ 25 TDDDG / Art. 6 GDPR) |
|---|---|---|---|---|---|
| theme | Light/dark theme preference for the control panel. | localStorage | Until you clear browser storage | Functional | § 25 Abs. 1 TDDDG · Art. 6 (1) (a) GDPR |
| sidebar-collapsed | Whether the control-panel sidebar is collapsed or expanded. | localStorage | Until you clear browser storage | Functional | § 25 Abs. 1 TDDDG · Art. 6 (1) (a) GDPR |
| dashboard_view_mode | Whether the monitors dashboard is set to grid or list view. | localStorage | Until you clear browser storage | Functional | § 25 Abs. 1 TDDDG · Art. 6 (1) (a) GDPR |
| onboarding_skipped | Records that you completed or skipped the onboarding wizard, so we do not re-prompt every sign-in. | localStorage | Until you clear browser storage | Functional | § 25 Abs. 1 TDDDG · Art. 6 (1) (a) GDPR |
| date_range_picker_state | The start/end date and preset name selected in the dashboard date filter; carried between pages within the same tab session. | sessionStorage | Cleared when you close the tab or browser | Strictly Necessary | § 25 Abs. 2 Nr. 2 TDDDG · Art. 6 (1) (b) GDPR |
The marketing site, blog, free public tools, and Uptimia-hosted public status pages do not write any first-party localStorage or sessionStorage entries.
4.3 Third-party scripts loaded on the marketing site
The following scripts are loaded on uptimia.com marketing pages. They are referenced here so you can identify them in browser developer tools.
| Loaded on | Provider | What it does | Category | Storage / network exposure |
|---|---|---|---|---|
| Marketing pages (footer include) | Datriva (operated by JJ Online GmbH — the same legal entity that operates Uptimia) | Cookie-consent management platform — displays the consent banner, records your consent decision. We dogfood our own group's CMP. Because Datriva is operated by the same legal entity as Uptimia, there is no controller-to-processor or joint-controller relationship for this flow, and no Chapter V GDPR transfer arises (the asset is served from within JJ Online GmbH's own infrastructure inside the EEA). | Strictly Necessary | Writes a first-party consent record on uptimia.com. Script asset is loaded from datriva.com. |
| Marketing pages, only when the URL contains ?via=<code>; and the authenticated control panel on sign-up | FirstPromoter (Igil Webs SRL, Romania) | Affiliate / referral attribution. On a marketing page, when you arrive via a partner link, FirstPromoter records the partner code so a later sign-up can be attributed. In the control panel, it fires a single referral event on successful sign-up. | Marketing | fpr_* cookies and localStorage entries set by the FirstPromoter SDK on uptimia.com. |
| Marketing pages (footer include) | HelpCanvas (a sister product of JJ Online GmbH) | In-app chat widget for visitor support. Same controller. | Functional | Storage written by the HelpCanvas widget (e.g. an opaque conversation identifier, the widget's own consent flag). |
The Datriva banner is loaded pre-consent on first visit, because the banner has to render to ask — its own storage of the meta-consent record is itself within the § 25 Abs. 2 Nr. 2 TDDDG strict-necessity carve-out (the Planet49 logic). FirstPromoter and the HelpCanvas widget are non-essential and are only loaded after you accept the matching consent category (Marketing for FirstPromoter; Functional for the HelpCanvas widget). See § 6.2 below on consent gating.
4.4 Public status pages
Uptimia-hosted public status pages (pages you publish through Uptimia to communicate your own service status to your visitors) are intentionally stripped of every analytics, error-tracking, and chat tag — verified against the production codebase on 2026-05-26. They render server-side as HTML + CSS + images only. No first-party storage, no third-party storage, no consent banner — because there is nothing requiring consent.
4.5 Authenticated control panel — third-party scripts
The control panel at uptimia.com/cp/… loads only one third-party script: FirstPromoter (see § 4.3). This is fired on successful sign-up and carries your sign-up email address to FirstPromoter for partner-attribution purposes.
Affiliate / referral attribution is Marketing, not contract performance — the user contracted for the monitoring service, not for partner payout. The legal layers are accordingly:
- § 25 TDDDG layer. § 25 Abs. 1 TDDDG consent is required, because the attribution flow is not strictly necessary for the requested service. The sign-up event therefore fires only if you accepted the Marketing category in the Datriva banner on the marketing site before the sign-up. If you did not accept Marketing, the FirstPromoter SDK is not loaded and no referral event is dispatched, regardless of whether you arrived through a ?via=<code> link.
- Art. 6 GDPR layer. The underlying processing rests on Art. 6 (1) (f) GDPR — our legitimate interest in operating the partner programme — bounded by the § 25 (1) consent above.
4.6 What we deliberately do not load
For the avoidance of doubt — and verified against the production codebase on 2026-05-26 — we do not load any of the following on uptimia.com:
Google Analytics / GA4 / Google Tag Manager (loaded), Meta / Facebook Pixel, LinkedIn Insight Tag, X (Twitter) Pixel, Reddit Pixel, TikTok Pixel; Plausible, Matomo, Fathom, Umami; PostHog, Mixpanel, Segment, Amplitude; Hotjar, FullStory, LogRocket, Microsoft Clarity, Smartlook; Sentry browser SDK; Intercom, Crisp, Drift, Tawk (HelpCanvas is our chat); Optimizely, VWO, LaunchDarkly, Google Optimize; Stripe.js on first-party pages (Stripe is used server-side only — see § 4.7).
No email open-tracking pixels. We do not embed open-tracking pixels in any transactional or newsletter email we send. Email open / click tracking is disabled at the sending-provider level.
4.7 Payments — Stripe is server-side only
When you subscribe to a paid Uptimia plan, you are redirected to checkout.stripe.com. Stripe sets its own first-party cookies on checkout.stripe.com during that checkout flow, governed by Stripe's own Cookie Notice. No Stripe.js loads on uptimia.com and no Stripe cookies are set on the uptimia.com domain.
4.8 Authentication — Auth0 hosted login
When you sign in to the Uptimia control panel, the sign-in form is hosted by Auth0 (Auth0 EMEA Limited, part of the Okta group) on a separate Auth0 domain. During the authentication flow Auth0 sets its own first-party cookies on the Auth0 domain — these may include a session cookie for the in-progress login, a device-identifier cookie used by Auth0's anomaly-detection / brute-force-protection logic, and a transient state cookie if you choose the "Sign in with Google" or "Sign in with GitHub" social-connection option (the OAuth state parameter is held in that cookie for the duration of the round-trip to the social provider).
These cookies are set on the Auth0 domain, not on uptimia.com, and are governed by Auth0 / Okta's own privacy and cookie disclosures. Once the login completes, the browser returns to uptimia.com and the Uptimia first-party session cookies described in § 4.1 take over.
Legal basis under § 25 TDDDG and Art. 6 GDPR. The Auth0 session cookie and the transient OAuth-state cookie are strictly necessary to carry out the sign-in that you requested — the authentication flow cannot complete without them. They are therefore exempt from consent under § 25 Abs. 2 Nr. 2 TDDDG. The underlying processing is grounded on Art. 6 (1) (b) GDPR (performance of the contract under which you access the Service).
The Auth0 device-identifier cookie used for anomaly detection and brute-force protection is closer to the edge of the strict-necessity test: it serves a security-of-the-service purpose rather than the literal delivery of the sign-in. We treat it as riding on the integrity-of-service rationale that German DPAs accept as part of "the telemedia service expressly requested" (§ 25 Abs. 2 Nr. 2 TDDDG), with Art. 6 (1) (f) GDPR (legitimate interest in account security and abuse prevention) as the GDPR layer. A regulator could alternatively view this cookie as Functional and require consent; we have taken the strict-necessity reading and accept that assessment risk in exchange for keeping sign-in protected by default.
No Auth0 cookies are set on uptimia.com itself. The Auth0 cookies live exclusively on the Auth0 domain and have no effect on the cookie state of the marketing site or the authenticated control panel.
Social-login buttons — click-to-load pattern. The "Sign in with Google" and "Sign in with GitHub" buttons that appear on the sign-in and sign-up pages do not load any third-party scripts or cookies until you actively click them. Specifically:
- On page load, the social-login buttons are plain HTML links. No Auth0 SDK, no Google gsi/client library, no GitHub script, and no Google One Tap surface is loaded; no requests to cdn.auth0.com, accounts.google.com, or github.com are made; and no cookies are set by any of those domains on uptimia.com or on your terminal equipment in their own first-party context.
- Only when you click the Google or GitHub button is the Auth0 SDK (auth0.min.js) dynamically loaded from cdn.auth0.com, after which you are immediately redirected to Auth0 — and from there to Google or GitHub — to complete the OAuth flow. Cookies set during that round-trip are set in the first-party context of Auth0, Google, or GitHub respectively, on their own domains, not on uptimia.com.
- This click-to-load pattern means that the relevant § 25 Abs. 1 TDDDG trigger (storage or access of information on terminal equipment by a third party) does not occur on uptimia.com until your unambiguous click on a button labelled "Sign in with Google" / "Sign in with GitHub" — an act which itself communicates that you wish to invoke the social provider. We do not rely on the cookie banner to gate this load because the load is gated by your own click, and § 25 Abs. 2 Nr. 2 TDDDG covers the strictly-necessary cookies that Auth0/Google/GitHub set after that click to complete the sign-in you requested.
5. Third-party cookies — disclosure
The third parties named above process data under their own privacy policies in addition to acting on our instructions under written data-processing agreements where applicable. Their own privacy practices are governed by:
- Datriva (sister product of JJ Online GmbH) — https://datriva.com/p/privacy/
- FirstPromoter (Igil Webs SRL, Romania) — https://firstpromoter.com/privacy
- HelpCanvas (sister product of JJ Online GmbH) — https://helpcanvas.com/p/privacy/
- Auth0 / Okta (Auth0 EMEA Limited, Ireland — part of the Okta group) — https://www.okta.com/privacy-policy/ (cookies set on the Auth0 domain during the sign-in flow, see § 4.8)
- Stripe (Stripe Payments Europe Ltd., Ireland) — https://stripe.com/privacy (cookies set on checkout.stripe.com during the paid-plan checkout flow, see § 4.7)
All transfers to recipients outside the EEA are governed by the appropriate Chapter V GDPR mechanism (adequacy decision, Standard Contractual Clauses) as described in Privacy Policy § 15.
6. How we obtain and manage cookie consent
6.1 Asking for consent
On your first visit to the marketing site, the Datriva cookie banner appears before any non-essential cookie or third-party network call is made. The banner:
- presents the three consent-required categories (Functional, Analytics, Marketing) with each category unticked by default — no pre-ticked boxes (Planet49, CJEU C‑673/17); every non-essential category is opt-in;
- offers three options with equal visual weight: Accept all, Reject all, and Customize — compliant with EDPB Guidelines 03/2022 on dark patterns and § 25 TDDDG; "Reject all" is reachable in the same number of clicks as "Accept all";
- records your choice in a first-party consent record.
Strictly Necessary cookies (the Uptimia session cookies in § 4.1, the date_range_picker_state sessionStorage entry in § 4.2) and the Datriva banner script itself are set without consent on the basis of § 25 Abs. 2 Nr. 2 TDDDG.
6.2 Consent gating of third-party scripts
The Datriva banner gates non-essential scripts (FirstPromoter, HelpCanvas widget) so they do not load before you have accepted the matching consent category.
6.3 Withdrawing consent — as easy as giving it
Article 7 (3) GDPR requires that withdrawing consent be as easy as giving it. Per EDPB Guidelines 05/2020 on consent (§ 117), parity here means the same medium and the same number of steps as the original opt-in. The Cookie Preferences link in the marketing-site footer is therefore the sole route we offer as the Art. 7 (3) GDPR equivalent of giving consent; two further routes are listed below for your convenience but are not equivalent to the original opt-in.
- Cookie Preferences link (Art. 7 (3) parity route). A persistent "Cookie Preferences" link is present in the footer of every marketing page. Clicking it reopens the Datriva banner so you can change any category — or reject all non-essential cookies — in the same number of clicks it took to accept them. This is the same medium as the original consent prompt and is what we rely on under Art. 7 (3).
- Email to privacy@uptimia.com. Additional route, not equivalent. We will record and action the withdrawal manually within the Art. 12 (3) GDPR timeframe.
- Clearing cookies in your browser. Additional route, not equivalent. Clearing also clears our locally-stored consent record, so the banner reappears on your next visit; the steps involved are not equivalent to the original opt-in mechanism.
6.4 Effect of withdrawal
Non-essential cookies stop being set immediately on withdrawal. Non-essential cookies already stored on your device are cleared at the next page load (or, for session cookies, when you close the tab). Our consent record is updated with a withdrawal timestamp so we can evidence the change under the controller's burden of proof at Art. 7 (1) GDPR.
Consent record retention. We retain the consent record (acceptance timestamp, category selections, and any subsequent withdrawal timestamp) for 3 years from the most recent of those events, as evidence of compliance with Art. 7 (1) GDPR. After that period the consent record is deleted; if you revisit the Website afterwards, the banner re-prompts you for fresh consent.
Withdrawal does not affect the lawfulness of processing carried out on the basis of your consent before withdrawal (Art. 7 (3) GDPR, second sentence).
6.5 Consent renewal
Where you have not used the Website for an extended period, or where we add new cookie purposes that fall outside your existing consent, we will ask you again. Consent is refreshed at most every 12 months in line with EDPB Guidelines 05/2020 on consent.
6.6 Global Privacy Control (GPC) and Do Not Track (DNT)
- GPC is honoured. Where your browser transmits the Sec-GPC: 1 signal on its request to the marketing site, we treat it as a valid expressed refusal of consent for the Functional, Analytics, and Marketing categories — consistent with the CNIL's published position that GPC is a valid mechanism for refusing consent. The Datriva banner records this as a "Reject all" decision and does not load non-essential third-party scripts.
- DNT is not honoured. The DNT: 1 header is deprecated and lacks a settled regulatory interpretation; we therefore do not treat it as an instruction either way and do not act on it.
7. Legal basis — § 25 TDDDG and Art. 6 GDPR
Two distinct legal layers apply to the cookies in this policy. Both must be satisfied:
Layer 1 — Setting / reading the cookie itself. Governed by § 25 TDDDG. Either:
- the cookie is strictly necessary to provide the telemedia service you requested (§ 25 Abs. 2 Nr. 2 TDDDG) — no consent required; or
- the cookie requires your prior, explicit consent (§ 25 Abs. 1 TDDDG) — collected via the banner.
Layer 2 — Processing the personal data the cookie touches. Governed by Art. 6 GDPR. The applicable basis is shown per cookie in § 4 above and depends on what the data is used for: Art. 6 (1) (a) GDPR (consent), (b) (contract), (c) (legal obligation), or (f) (legitimate interest).
A single cookie therefore has a § 25 TDDDG basis for being set and an Art. 6 GDPR basis for the data processing that follows. Strict-necessity under § 25 Abs. 2 Nr. 2 TDDDG does not automatically give a GDPR basis for further processing — these are independent assessments.
8. Server-side logging of IP / User-Agent
Separate from browser-stored cookies, we read and in some cases persist server-side request metadata:
- IP address is persisted on your account record as your registration IP (the IP from which you first signed up) and your most-recent sign-in IP, as an account-security audit trail. The IP is also read transiently — without persistent storage as a separate field — for sign-up rate limiting (3 attempts / 15 minutes / IP), sign-in protection, password-reset throttling, and form-token issuance.
- User-Agent is read transiently at sign-in and on every authenticated request for session-integrity validation. The User-Agent is hashed into the session-integrity check and is not separately persisted for analytics.
These reads are processed under Art. 6 (1) (b) GDPR (contract performance — operating an authenticated service) and Art. 6 (1) (f) GDPR (legitimate interest in account security and abuse prevention), and are described in the Privacy Policy under "Server logs / security", not in this Cookie Policy.
The retention rule for the registration IP and most-recent sign-in IP is set out in the Privacy Policy.
9. Cookies on customer websites where you deployed our RUM script, server agent, or SDKs
A common point of confusion: when you (as an Uptimia customer) deploy our Real User Monitoring (RUM) beacon, our server-agent scripts, or our language SDKs on your own infrastructure, the cookies / localStorage entries / network calls they generate are governed by your own Cookie Policy and your relationship with your own visitors or users, not by this Cookie Policy.
Uptimia acts as your data processor for that flow under our DPA. It is your responsibility as data controller to:
- obtain any required visitor consent under § 25 TDDDG (or the local equivalent) before our RUM beacon loads on your site;
- disclose the RUM activity in your own Cookie Policy;
- configure consent gating so the RUM beacon does not load before consent.
We provide documentation on integrating consent gating; the implementation is yours. This Cookie Policy covers only cookies set on uptimia.com itself.
10. Changes to this policy
We may update this Cookie Policy when we add new cookies, remove existing ones, change a third-party processor, or in response to legal developments. We will update the Last updated: date at the top of this document and bump the version. For material changes that affect the scope of consent already given (for example, adding a new Marketing cookie), we will re-prompt for fresh consent before activating the new cookie.
For an authoritative live view of the cookies we currently set, you may also inspect them via your browser's developer tools — the tables in § 4 are the documented inventory, but the live page is the ground truth.
11. Contact
For questions about cookies on this Website:
JJ Online GmbH (operating Uptimia)
Schönhauser Allee 163, 10435 Berlin
Germany
Email: privacy@uptimia.com