Cookie Policy

Last updated: March 1, 2026

This page explains how we use cookies and similar technologies on our website, what choices you have, and how you can manage your preferences.

You can change your preferences at any time using "Cookie settings" in the banner or footer.

Data Controller

Man Andrei-Catalin Persoana Fizica Autorizata

Tax Reg. No. (CUI): 48124283

EU VIES VAT: RO48248311

Cluj-Napoca, Cluj Romania

Email: office@manandrei.ro

1. What cookies are

Cookies are small text files stored on your device. They help the website work properly, support security, and, with your consent, enable analytics/marketing features.

2. Legal basis

Strictly necessary cookies are used to provide the service requested by you and to ensure security and core functionality, in line with GDPR and EU ePrivacy rules (including Article 5(3) of Directive 2002/58/EC). For users in Romania, these ePrivacy requirements are implemented through national law (Law no. 506/2004). For non-essential cookies (analytics/marketing), we request prior consent.

Essential cookies cannot be disabled in the preference panel.
Analytics and marketing cookies are disabled by default.
You can withdraw consent as easily as you gave it.
Refusing non-essential cookies does not block access to core website functions.

3. Categories used on this website

We currently use the following categories:

Essential: required for security, consent preference storage, and core functionality.
Analytics: used to measure usage and improve services (consent required; currently not active by default).
Marketing: used for content/campaign personalization (consent required; currently not active by default).

4. Analytics and marketing deployment status

Analytics and Marketing categories are available in the consent mechanism, but third-party analytics/marketing tools are not permanently enabled by default in the current production baseline.

If additional tools are enabled (for example, Google Analytics or Microsoft/Bing integrations), this policy will be updated before activation.
Any such update will include provider, purpose, retention, and transfer safeguards.

5. Managing your preferences

You have multiple control options:

From the cookie banner: Allow all / Decline non-essential / Cookie settings.
From the footer: open Cookie settings at any time.
From your browser: you can block or delete cookies, but some features may not work properly.

6. Recipients and transfers

If non-essential cookies are enabled, some data may be processed by technical providers (processors or joint controllers, as applicable). Where transfers outside the EEA occur, appropriate GDPR safeguards are applied and documented in the relevant privacy information.

7. Your rights

You have GDPR rights, including access, rectification, erasure, restriction, objection, and data portability (where applicable), plus the right to lodge a complaint with the Romanian supervisory authority (ANSPDCP).

8. Policy updates

We may update this policy when legal or operational changes occur. The current version is available on this page with the latest update date. For controller/contact details, please consult the Privacy Policy page.

9. Complete cookie inventory used by the application

The table below reflects current live behavior. It separates cookies used by public users from cookies that exist only in internal authentication scenarios.

A. Active for current public users

These cookies are relevant for the current public website experience.

Cookie name	Purpose	Duration	Type	Attributes	When used	Applicability / user impact
cookie-consent	Stores selected consent options (essential, analytics, marketing).	365 days	First-party, essential preference cookie	Path=/; SameSite=Lax; JS-readable (not HttpOnly); Secure attribute not explicitly forced in this writer	Set when user accepts, declines, or saves cookie settings	Used for all visitors
PreferredCulture	Stores preferred locale for routing and localization continuity.	365 days	First-party, essential functional cookie	Path=/; SameSite=Lax; JS-readable (not HttpOnly); Secure in HTTPS contexts	Set when language preference is selected or updated	Used for all visitors
PreferredTheme	Stores UI theme preference (dark/light).	365 days	First-party, essential functional cookie	Path=/; SameSite=Lax; JS-readable (not HttpOnly); Secure in HTTPS contexts	Set when theme preference is selected or updated	Used for all visitors
isLoggedIn	Client-side sign-in state indicator used for sign-in status and logout handling.	Up to 365 days (default retention)	First-party, essential session-state helper	Path=/; SameSite=Lax; JS-readable (not HttpOnly); Secure in HTTPS contexts	Set during sign-in, two-step verification sign-in, logout, and unauthorized session handling	Used only when login flow is used

cookie-consent

Purpose: Stores selected consent options (essential, analytics, marketing).
Duration: 365 days
Type: First-party, essential preference cookie
Attributes: Path=/; SameSite=Lax; JS-readable (not HttpOnly); Secure attribute not explicitly forced in this writer
When used: Set when user accepts, declines, or saves cookie settings
Applicability / user impact: Used for all visitors

PreferredCulture

Purpose: Stores preferred locale for routing and localization continuity.
Duration: 365 days
Type: First-party, essential functional cookie
Attributes: Path=/; SameSite=Lax; JS-readable (not HttpOnly); Secure in HTTPS contexts
When used: Set when language preference is selected or updated
Applicability / user impact: Used for all visitors

PreferredTheme

Purpose: Stores UI theme preference (dark/light).
Duration: 365 days
Type: First-party, essential functional cookie
Attributes: Path=/; SameSite=Lax; JS-readable (not HttpOnly); Secure in HTTPS contexts
When used: Set when theme preference is selected or updated
Applicability / user impact: Used for all visitors

isLoggedIn

Purpose: Client-side sign-in state indicator used for sign-in status and logout handling.
Duration: Up to 365 days (default retention)
Type: First-party, essential session-state helper
Attributes: Path=/; SameSite=Lax; JS-readable (not HttpOnly); Secure in HTTPS contexts
When used: Set during sign-in, two-step verification sign-in, logout, and unauthorized session handling
Applicability / user impact: Used only when login flow is used

B. Internal authentication cookies (not active for public users at this moment)

These cookies belong to internal authentication features. They are not part of the currently exposed public user flow.

Cookie name	Purpose	Duration	Type	Attributes	When used	Applicability / user impact
auth	Identity authentication cookie for cookie-based user sessions.	14 days with sliding expiration	First-party, essential authentication cookie	HttpOnly=true; Secure=Always; SameSite=None (development) / Lax (non-development); IsEssential=true	Set only when internal cookie-based authentication is used	Configured but currently not applicable to public users
xsrf	Antiforgery cookie used with request token (X-XSRF-TOKEN header) for CSRF protection.	Session-style, automatically managed by the system (no explicit max-age configured)	First-party, essential security cookie	HttpOnly=true; Secure=Always; SameSite=None (development) / Lax (non-development); IsEssential=true	Set only when antiforgery endpoint/token flow is used	Configured for authenticated internal scenarios
.AspNetCore.Identity.TwoFactorUserId (default system name, not explicitly overridden)	Temporary identity linkage between password login step and 2FA verification.	Short-lived, automatically managed by the system	First-party, essential authentication-flow cookie	HttpOnly=true; Secure=Always; SameSite=None (development) / Lax (non-development); IsEssential=true	Only when 2FA login flow is active	Not applicable to public users unless 2FA flow is exposed
.AspNetCore.Identity.TwoFactorRememberMe (default system name, not explicitly overridden)	Remembers trusted browser/device for 2FA where applicable.	Automatically managed by the system	First-party, essential authentication-flow cookie	HttpOnly=true; Secure=Always; SameSite=None (development) / Lax (non-development); IsEssential=true	Only when remember-machine behavior is used in 2FA flow	Not applicable to public users unless 2FA flow is exposed
.AspNetCore.Identity.External (default system name, not explicitly overridden)	Temporary external authentication principal during OAuth challenge/callback.	Short-lived, automatically managed by the system	First-party, essential authentication-flow cookie	HttpOnly=true; Secure=Always; SameSite=None (development) / Lax (non-development); IsEssential=true	Only when external provider login/linking is enabled and used	Feature exists, currently not used
.AspNetCore.Correlation.* (system-generated pattern)	OAuth correlation/CSRF protection in external login handshakes.	Short-lived, automatically managed by the system	First-party, essential security cookie	Automatically generated by the external authentication flow; security-oriented defaults	Only during external authentication challenge/callback	Feature exists, currently not used

auth

Purpose: Identity authentication cookie for cookie-based user sessions.
Duration: 14 days with sliding expiration
Type: First-party, essential authentication cookie
Attributes: HttpOnly=true; Secure=Always; SameSite=None (development) / Lax (non-development); IsEssential=true
When used: Set only when internal cookie-based authentication is used
Applicability / user impact: Configured but currently not applicable to public users

xsrf

Purpose: Antiforgery cookie used with request token (X-XSRF-TOKEN header) for CSRF protection.
Duration: Session-style, automatically managed by the system (no explicit max-age configured)
Type: First-party, essential security cookie
Attributes: HttpOnly=true; Secure=Always; SameSite=None (development) / Lax (non-development); IsEssential=true
When used: Set only when antiforgery endpoint/token flow is used
Applicability / user impact: Configured for authenticated internal scenarios

.AspNetCore.Identity.TwoFactorUserId (default system name, not explicitly overridden)

Purpose: Temporary identity linkage between password login step and 2FA verification.
Duration: Short-lived, automatically managed by the system
Type: First-party, essential authentication-flow cookie
Attributes: HttpOnly=true; Secure=Always; SameSite=None (development) / Lax (non-development); IsEssential=true
When used: Only when 2FA login flow is active
Applicability / user impact: Not applicable to public users unless 2FA flow is exposed

.AspNetCore.Identity.TwoFactorRememberMe (default system name, not explicitly overridden)

Purpose: Remembers trusted browser/device for 2FA where applicable.
Duration: Automatically managed by the system
Type: First-party, essential authentication-flow cookie
Attributes: HttpOnly=true; Secure=Always; SameSite=None (development) / Lax (non-development); IsEssential=true
When used: Only when remember-machine behavior is used in 2FA flow
Applicability / user impact: Not applicable to public users unless 2FA flow is exposed

.AspNetCore.Identity.External (default system name, not explicitly overridden)

Purpose: Temporary external authentication principal during OAuth challenge/callback.
Duration: Short-lived, automatically managed by the system
Type: First-party, essential authentication-flow cookie
Attributes: HttpOnly=true; Secure=Always; SameSite=None (development) / Lax (non-development); IsEssential=true
When used: Only when external provider login/linking is enabled and used
Applicability / user impact: Feature exists, currently not used

.AspNetCore.Correlation.* (system-generated pattern)

Purpose: OAuth correlation/CSRF protection in external login handshakes.
Duration: Short-lived, automatically managed by the system
Type: First-party, essential security cookie
Attributes: Automatically generated by the external authentication flow; security-oriented defaults
When used: Only during external authentication challenge/callback
Applicability / user impact: Feature exists, currently not used

C. Not currently used in the active public flow (legacy/historical)

The entries below were identified in legacy/historical areas that are not active in the current public flow and are listed for transparency.

Cookie name	Purpose	Duration	Type	Attributes	When used	Applicability / user impact
cookie_consent	Legacy consent storage variant in older component path.	Varies by legacy implementation	First-party, legacy	Legacy path-dependent	Not active in the current consent flow	Legacy only, no public user impact
is-dark-mode	Legacy theme preference cookie variant.	365 days in legacy service	First-party, legacy	Path=/; SameSite=Lax; JS-readable	Not active in the current public flow that uses PreferredTheme	Legacy only, replaced by the current theme preference cookie
Identity.StatusMessage	Temporary status message transport for legacy identity redirect patterns.	Very short (seconds) in legacy helper	First-party, legacy	HttpOnly=true; SameSite=Strict; IsEssential=true	Not part of the active public flow	Legacy only, no public user impact

cookie_consent

Purpose: Legacy consent storage variant in older component path.
Duration: Varies by legacy implementation
Type: First-party, legacy
Attributes: Legacy path-dependent
When used: Not active in the current consent flow
Applicability / user impact: Legacy only, no public user impact

is-dark-mode

Purpose: Legacy theme preference cookie variant.
Duration: 365 days in legacy service
Type: First-party, legacy
Attributes: Path=/; SameSite=Lax; JS-readable
When used: Not active in the current public flow that uses PreferredTheme
Applicability / user impact: Legacy only, replaced by the current theme preference cookie

Identity.StatusMessage

Purpose: Temporary status message transport for legacy identity redirect patterns.
Duration: Very short (seconds) in legacy helper
Type: First-party, legacy
Attributes: HttpOnly=true; SameSite=Strict; IsEssential=true
When used: Not part of the active public flow
Applicability / user impact: Legacy only, no public user impact

Exact cookie behavior can differ by deployment environment.
Device/session tracking in authentication is handled mainly through internal session records and request identifiers; a dedicated public DeviceId cookie is not part of the current public flow.
External authentication functionality exists internally but is currently disabled/not used.
This inventory is based on active behavior and should be reviewed whenever authentication or consent behavior changes.