This Cookie Policy explains what cookies the Eco Heroes Academy uses, why we use them, and what choices you have. It complements the Privacy Policy and should be read alongside it.
1. What is a cookie?
A cookie is a small text file that a website stores on your device (computer, phone, tablet) when you visit it. On your next visit, the website can read the cookie and recognise your device.
The word "cookie" in this policy includes any similar technology with the same effect, such as local storage, session storage, and session tokens, to the extent any are used. The Spanish ePrivacy framework and Article 22.2 of Law 34/2002 (LSSI-CE) treat all of these together.
2. Categories of cookies
European law and AEPD guidance distinguish between:
- Strictly necessary cookies — cookies that are technically required to deliver a service the user explicitly asked for. For example: keeping you logged in after you typed your password. These do NOT require consent.
- Preference cookies — remember your language, theme, or similar preferences across visits. These require consent if they persist beyond the session.
- Analytics cookies — count visitors, measure page views, track journeys. These require consent.
- Advertising cookies — profile you for targeted advertising, typically via third parties. These require consent.
We only use the first category. The rest of this policy explains exactly what each cookie does.
3. Cookies we use
| Cookie | Type | Purpose | Duration | Party |
|---|---|---|---|---|
| PHPSESSID | Strictly necessary | Session cookie that keeps you logged in as you move between pages of the Academy. Without it, you would have to re-enter your password on every page. | Until browser close, OR 30 days if you ticked "Keep me signed in" on login | First-party (eco-heroes.org) |
| csrf_token | Strictly necessary | Anti-forgery token stored inside the session. Protects you against cross-site request forgery attacks when you submit forms (registration, login, settings). | Same as session | First-party (eco-heroes.org) |
Both cookies are set with the following security attributes:
Secure— only sent over HTTPS, never over plain HTTP.HttpOnly— not accessible to JavaScript, which protects them from being stolen via cross-site scripting attacks.SameSite=Strict— only sent on requests originating from the Academy itself, which prevents cross-site request forgery.
4. Cookies we do NOT use
We deliberately do not use:
- Google Analytics, Matomo, Plausible, or any third-party analytics service — we do not count visits using cookies. Basic server-side access logs are retained for 90 days for security and debugging (see Privacy Policy, Retention).
- Facebook Pixel, Google Ads conversion tags, LinkedIn Insight, TikTok Pixel, or any advertising tracking pixel — we do not advertise on third-party platforms and do not share your behaviour with them.
- Marketing-automation cookies — we do not send you marketing emails, so we do not need to track whether you opened one.
- Session replay tools (Hotjar, Mouseflow, FullStory, etc.) — we do not record your mouse movements or interactions.
- Cross-site profiling cookies — we do not share your identifier across different domains.
If we ever add any cookie in a category other than "strictly necessary", we will:
- Update this Cookie Policy with full disclosure before deploying the cookie.
- Present a cookie consent banner compliant with Article 22.2 LSSI-CE and the AEPD Guía sobre el uso de las cookies (October 2023 update), giving you a genuine, granular opt-in with "Accept all", "Reject all", and "Customise" options having equal visual prominence.
- Not set any non-essential cookie until you have given explicit consent.
5. Legal basis
Article 22.2 of Law 34/2002 (LSSI-CE) and Article 5(3) of Directive 2002/58/EC (ePrivacy) permit the use of strictly necessary cookies without consent, provided they are used exclusively to deliver a service the user has explicitly requested.
The two cookies listed in Section 3 fall squarely within this exception:
PHPSESSIDis required to deliver the logged-in experience you requested by signing in.csrf_tokenis required to protect the forms you submit from attack — a security measure that benefits you.
Under the guidelines issued by the European Data Protection Board (EDPB Guidelines 2/2023 on Article 5(3) ePrivacy Directive) and the AEPD, both of these cookies qualify as strictly necessary and their use does not require consent.
6. Managing cookies in your browser
Even though our cookies are strictly necessary, you retain full control over what your browser accepts. You can block all cookies, delete existing cookies, or configure your browser to notify you before accepting a cookie.
Important: if you block the PHPSESSID cookie, you will not be able to log in or stay logged in to the Academy. The site will still load, but every page will behave as if you are a new visitor.
Direct links to cookie management in major browsers:
These links point to the respective vendors' help pages, which they may change without notice.
7. Changes to this policy
We may update this Cookie Policy when we change what cookies we use. When we do:
- We update the "Effective date" at the top of the page and bump the version number.
- If we introduce any cookie that requires consent (see Section 4), the change triggers a consent banner the next time you visit. You will have the opportunity to accept, reject, or customise before any new cookie is set.
- Material changes are announced at least thirty (30) days in advance on the Platform and, for registered Learners, by email.
Previous versions of this policy are retained internally so that you can always request to see the version you originally accepted.
8. Contact
If you have questions about cookies or about how the Academy handles your personal data more broadly, please write to:
Eco Heroes International SL
Girona, Spain
info@eco-heroes.org
You can also lodge a complaint with the Spanish Data Protection Authority (AEPD) — see the Privacy Policy for the full procedure.
This Cookie Policy was last updated on 22 April 2026 (version 1.0). The most current version is always available at learn.eco-heroes.org/legal/cookies.html.