Cookie Policy
Last updated June 17, 2026
1. Overview
PAINTSESSIONS.COM currently uses only necessary cookies and browser storage for login, security, account and session continuity, paint-app preferences, local saves, multiplayer operation, and technical platform operation.
In Germany, storing information on your device and accessing information already stored on your device, including cookies, localStorage and IndexedDB, are governed by § 25 TDDDG. We use these technologies without separate consent only where they are strictly necessary to transmit communications, provide a digital service expressly requested by you, or provide requested security, login, session, local-save or app-functionality features.
PAINTSESSIONS.COM does not currently use non-essential analytics cookies, advertising cookies, third-party tracking cookies, Google Analytics, Google Ads, or similar tracking technologies.
2. Necessary Authentication Cookies
paintsessions_refresh is a first-party, necessary authentication cookie provided by PAINTSESSIONS.COM. It stores the refresh token used to continue a logged-in session without exposing that token to JavaScript.
- Provider: PAINTSESSIONS.COM.
- Purpose: account login, session continuity, token refresh, OAuth login completion, and logout.
- Path: /auth/v1/auth.
- Security settings: HttpOnly, SameSite=Lax, and Secure in production.
- Duration: max age is set from the refresh token expiry returned by the authentication service. The cookie is rotated when the server issues a new refresh token and cleared on logout with a zero max age.
- Strictly necessary: yes, for secure login, refresh-token handling, session continuity and logout.
The authentication service creates, rotates, and clears this cookie during password token, refresh, OAuth complete, and logout flows.
During /sso login and social-login broker flows, the self-hosted authentication provider may set its own necessary authentication cookies to complete the login process, keep the provider session consistent, protect redirects, and return the user to PAINTSESSIONS.COM. Cookie names can vary by provider version and configuration, so this policy describes those cookies by purpose rather than by fixed names.
- Name: authentication-provider login, session, state and redirect-protection cookies used during /sso flows; names may vary by provider version and configuration.
- Provider: PAINTSESSIONS.COM self-hosted authentication system.
- Purpose: account login, social-login broker completion, redirect protection, authentication-session consistency and return to PAINTSESSIONS.COM.
- Duration: normally session-limited or limited by the authentication-provider login/session configuration. OAuth state records expire after 5 minutes and OAuth handoff tokens expire after 2 minutes by default.
- Strictly necessary: yes, for requested login and social-login flows.
OAuth redirect state and handoff records are stored server-side. The OAuth state token may appear briefly in browser redirect URLs during the provider redirect, and the handoff token may appear briefly on the hub callback URL so the hub can finish the social-login flow.
3. Hub Browser Storage
The hub uses local browser storage only for necessary authentication coordination and session restoration:
- paintsessions.auth.loginProvider: localStorage. Provider: PAINTSESSIONS.COM. Purpose: remembers the last successful login provider so the hub can restore the correct session flow. Duration: written after login and removed when the stored provider is cleared or the user signs out. Strictly necessary: yes, for restoring the requested account/session flow where used.
- paintsessions.auth.refreshLock: localStorage. Provider: PAINTSESSIONS.COM. Purpose: short-lived cross-tab refresh lock so multiple open tabs do not refresh the session at the same time. Duration: 10-second time-to-live and removed after the refreshing tab releases it. Strictly necessary: yes, for secure and stable session refresh across tabs.
4. Paint App Storage
The paint app uses browser storage to keep local saves, preferences, rendering choices, and multiplayer identity available on the same device:
- graff-factory-db: IndexedDB database with a sessions object store. Provider: PAINTSESSIONS.COM. Purpose: local paint-session saves by level. Duration: remains on the device until overwritten, replaced, or cleared through browser or app actions. Strictly necessary: yes, for the requested local-save feature.
- graff.networkMode: localStorage. Provider: PAINTSESSIONS.COM. Purpose: selected network mode, such as singleplayer or multiplayer. Duration: until changed, overwritten or cleared through browser/app actions. Strictly necessary: yes, for the requested network-mode behavior.
- graff.playerId: localStorage. Provider: PAINTSESSIONS.COM. Purpose: stable local paint player identity for multiplayer and related paint-app behavior. Duration: until replaced or cleared through browser/app actions. Strictly necessary: yes, for multiplayer identity and related requested paint-app behavior.
- graff.rendererPreference: localStorage. Provider: PAINTSESSIONS.COM. Purpose: paint renderer mode, such as automatic selection, WebGPU, or WebGL. Duration: until changed or cleared through browser/app actions. Strictly necessary: yes, for the requested renderer preference.
- graff.qualityMode: localStorage. Provider: PAINTSESSIONS.COM. Purpose: graphics quality mode and the resolved quality tier. Duration: until changed, overwritten or cleared through browser/app actions. Strictly necessary: yes, for requested rendering-quality behavior.
- graff.soundEnabled: localStorage. Provider: PAINTSESSIONS.COM. Purpose: remembers whether paint-app sound is enabled or muted. Duration: until changed, overwritten or cleared through browser/app actions. Strictly necessary: yes, for the requested sound preference.
- graff.flareAssistLastShapes: localStorage. Provider: PAINTSESSIONS.COM. Purpose: last flare-assist shape choices used by the paint interface. Duration: until overwritten or cleared through browser/app actions. Strictly necessary: yes, for requested paint-tool continuity.
- graff.devOverlayState: localStorage. Provider: PAINTSESSIONS.COM. Purpose: developer and diagnostic overlay settings in the paint app. Duration: until overwritten or cleared through browser/app actions. Strictly necessary: yes, for requested diagnostic overlay functionality where used.
- graff.lastPlayerTransform:<levelId>: localStorage. Provider: PAINTSESSIONS.COM. Purpose: last local player position and view transform for a specific level. Duration: until overwritten or cleared through browser/app actions. Strictly necessary: yes, for requested level/session continuity.
- paintsessions.pressureDynamics.v1: localStorage. Provider: PAINTSESSIONS.COM. Purpose: brush and stylus pressure dynamics settings. Duration: until changed or cleared through browser/app actions. Strictly necessary: yes, for requested brush/stylus behavior.
These paint-app values are local to the browser and are used for functionality, continuity, preferences, and device-specific app behavior.
5. Cloudflare Edge And Security Cookies
Where Cloudflare edge, CDN or security features are active for PAINTSESSIONS.COM, Cloudflare may set strictly necessary security or routing cookies on visitor devices.
- Names: may include __cf_bm for bot-management or bot-fight features, cf_clearance or cf_chl_* for challenge flows, and _cflb where Cloudflare load balancing is active. The exact names depend on the Cloudflare features enabled.
- Provider: Cloudflare.
- Purpose: DDoS protection, bot and abuse detection, security challenges, routing, service availability and protection of PAINTSESSIONS.COM.
- Duration: depends on the active Cloudflare feature and configuration. These cookies are normally short-lived or limited to the configured security challenge, bot-management or routing period.
- Strictly necessary: yes, where used for security, abuse prevention, service availability or completing a security challenge required to access the service.
PAINTSESSIONS.COM does not use Cloudflare cookies for advertising or non-essential analytics.
6. Social Login, Payments, And External Providers
Google, Discord, and Stripe may use their own cookies or browser storage when you leave PAINTSESSIONS.COM, use Google or Discord social login, or use Stripe payment flows. Those provider cookies and storage are controlled by the relevant provider, not by PAINTSESSIONS.COM.
Provider names, purposes, durations and strict-necessity or consent classifications are determined by the relevant provider. Social-login and payment-provider cookies may be necessary for the external login or checkout flow you request, but they are not set or managed by PAINTSESSIONS.COM.
For links to provider privacy information, see the Privacy Policy.
7. Managing Storage
Signing out asks the PAINTSESSIONS.COM server to clear the first-party paintsessions_refresh cookie. Your browser settings can also be used to clear cookies, localStorage, and IndexedDB data for PAINTSESSIONS.COM.
Disabling or clearing necessary storage may break login, session continuity, paint saves, app preferences, renderer choices, local player identity, or multiplayer operation.
8. Changes To This Policy
If PAINTSESSIONS.COM adds optional analytics, advertising, or tracking storage in the future, we will update this cookie information and, where required, consent controls before enabling those technologies.
For broader privacy information, see the Privacy Policy. You can contact us at [email protected].