Privacy Policy
Last updated: May 19, 2026
Rabona Ltd. (Рабона ООД, EIK: 208640431, registered at Zheko Voivoda 8, Sofia 1756, Bulgaria) ("we", "our", or "us") operates rabona.cards (the "Site"). This page informs you of our policies regarding the collection, use, and disclosure of personal information when you use the Site.
1. Information We Collect
1.1 Analytics Data
We use Google Analytics to collect usage data including:
- Pages visited and time spent on pages
- Geographic location (country/city level)
- Device type, browser, and operating system
- How you found the site (referral source)
- Language preferences
This data is collected only with your explicit consent through the cookie banner.
Lawful basis: Consent (GDPR Article 6(1)(a)).
1.2 Technical Data
The hosting provider (Cloudflare) automatically collects:
- IP addresses (for security and performance)
- Access logs and timestamps
- Error logs
This data is necessary for site operation and security.
Lawful basis: Legitimate interest in site security and operation (GDPR Article 6(1)(f)).
Provision of data: These data are required for site security and cannot be opted out of.
1.3 Marketing and Advertising Data
With your explicit Marketing consent, the Meta Pixel collects browsing behaviour on this Site (page views, clicks, items added to cart, purchases) and identifiers including the Meta browser cookie (_fbp), the click identifier (_fbc), your IP address, and basic device information. For signup and purchase events, your email address is hashed (SHA-256) before transmission so Meta cannot read it in plain text.
This data is collected only with your explicit consent through the Marketing category in the cookie banner. See section 4.3 for full details.
Lawful basis: Consent (GDPR Article 6(1)(a)).
1.4 Subscriber Data
When you sign up for our waitlist via the early-access form, we collect your email address, language preference, and subscription status. We also temporarily process your IP address to enforce rate limits and prevent abuse.
Purpose: To notify you when The International Archive deck is available for purchase, and to send occasional updates about its launch. We send these emails through Resend (see section 4.4).
You can unsubscribe at any time using the link in every email we send, or via the unsubscribe page on our site. Once you unsubscribe, your email address will be deleted within 12 months.
Lawful basis: Consent (GDPR Article 6(1)(a)).
Provision of data: Providing your email is voluntary, but required if you wish to join the waitlist.
1.5 Order Data
When you place an order through the Site, we collect: first name, last name, email address, shipping address (street, city, postal code, country), billing address if different, order details (product, quantity, total, currency, order reference, order status), and a Stripe session identifier that links your order to the payment record.
Categories of data collected:
- Identity: first name and last name
- Contact: email address
- Shipping address: street, city, postal code, country
- Billing address, if you indicate that it differs from your shipping address
- Order details: product, quantity, total, currency, order reference, order status
- Stripe session identifier linking your order to the payment record
Card payment details (card number, expiration date, security code) are entered directly into Stripe's secure hosted form. They are never transmitted to or stored on our servers. For the card data itself, Stripe acts as a separate data controller and handles PCI DSS compliance.
Source of data: We collect part of this data directly from you when you complete the checkout form. The rest we receive from Stripe via a server-to-server notification (webhook) once your payment has been confirmed, namely the payment status, the billing details Stripe captured during checkout, and the Stripe session identifier. This is the source of personal data within the meaning of Article 14 GDPR.
Purposes:
- To process and fulfil your order, including sending confirmation and shipping emails
- To handle returns, refunds and warranty claims
- To comply with our accounting and tax obligations under Bulgarian law
- To defend against potential legal claims within applicable statutes of limitation
Recipients:
- Stripe (payment processor) – see section 4.5
- Resend (order confirmation and shipping emails) – see section 4.4
- Strapi content-management system, where order records are stored – see section 4.6
- Cloudflare (hosting and content delivery) – see section 4.2
- The courier service delivering your parcel within Bulgaria, such as Econt, Speedy or Bulgarian Posts
- Bulgarian National Revenue Agency (НАП) and other public authorities, only where required by law, audit, or court order
Lawful basis: Performance of the sale contract you concluded with us (GDPR Article 6(1)(b)) for fulfilling the order, and compliance with our legal obligations under the Bulgarian Accounting Act and the Bulgarian VAT Act (GDPR Article 6(1)(c)) for keeping the resulting records.
Provision of data: Providing this data is required to place and fulfil an order. We cannot ship goods or comply with our accounting obligations without it.
Retention: Order records, including the personal data they contain, are retained for 10 years from the end of the calendar year in which the transaction took place, in line with Article 12 of the Bulgarian Accounting Act. This statutory retention period applies regardless of consent and overrides the general GDPR storage-limitation principle for these specific records.
2. How We Use Your Information
We use the collected information to:
- Understand how visitors use the Site
- Improve content and user experience
- Analyze traffic patterns and trends
- Detect and prevent technical issues
- Ensure site security and prevent abuse
- Process payments for purchases made through the Site
- Measure the effectiveness of advertising campaigns and reach relevant audiences (with your Marketing consent)
3. Cookies
3.1 What Are Cookies?
Cookies are small text files stored on your device when you visit the Site.
3.2 Types of Cookies Used
Strictly Necessary Cookies (No consent required)
- locale_redirected: Remembers whether you have already been redirected to your language version. Expires after 24 hours (1 year for Bulgarian users).
- cookie-consent: Stores your cookie preferences in browser local storage (not an HTTP cookie). Persists until you clear site data.
- _stripe_mid/_stripe_sid (Stripe): Set by Stripe for fraud detection and security. Strictly necessary; _stripe_mid expires after 1 year, _stripe_sid expires at session end.
Lawful basis: Legitimate interest in providing the requested service (GDPR Article 6(1)(f)).
Provision of data: These cookies are required for basic site functionality and cannot be disabled.
Analytics Cookies (Requires consent)
- Google Analytics cookies (_ga, _gid, _gat): Track usage statistics
Marketing Cookies (Requires consent)
- _fbp (Meta): Identifies your browser to Meta. Expires after 90 days.
- _fbc (Meta): Stores the Facebook click identifier when you arrive from a Facebook ad. Expires after 90 days.
3.3 Local Storage
In addition to HTTP cookies, we use browser local storage – a similar technology that stores small amounts of data directly on your device. Unlike cookies, this data is not transmitted with every request to our servers.
- Booklet access credential: A credential stored on your device to verify that you have been granted access to QR-code-restricted Booklet content. It contains no personal data and is used solely to avoid requiring you to re-scan the QR code on every visit. Cleared when you clear your browser's site data.
3.4 Managing Cookies and Local Storage
You can change your cookie preferences at any time by:
- Using the Cookie Settings link in the site footer
- Clearing your browser's cookies and site data (local storage)
- Adjusting your browser settings to block cookies
Note: Blocking necessary cookies may affect site functionality.
4. Third-Party Services
4.1 Google Analytics
We use Google Analytics, a service provided by Google LLC. Google Analytics uses cookies to analyze how you use the Site.
The information generated about your use (including your IP address) is transmitted to and stored by Google on servers in the United States and other countries. Google will use this information to evaluate your use of the Site and compile reports on website activity.
Google Analytics operates under its own privacy policy. Learn more: Google Privacy Policy
4.2 Cloudflare
The Site is hosted on Cloudflare Pages. Cloudflare may collect technical data for performance, security, and analytics purposes. Learn more: Cloudflare Privacy Policy
4.3 Meta Pixel and Conversions API
With your explicit consent (Marketing category), we use the Meta Pixel and the Meta Conversions API, services provided by Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland (the controller for European users).
What is collected: Pages viewed, buttons clicked, items added to cart, purchases completed, and identifiers including the Meta browser cookie (_fbp), the click identifier (_fbc), your IP address, browser and device information, and for signup and purchase events a hashed (SHA-256) version of your email address. Hashing is irreversible, so Meta cannot read your email in plain text.
Why: To measure the effectiveness of advertising campaigns we run on Facebook and Instagram, build audiences for re-marketing, and reduce the cost of customer acquisition.
Server-side tracking (Conversions API): In addition to events sent from your browser, the same conversion events (signup, purchase) are sent directly from our server to Meta. This is technically required to compensate for browser-side data loss (ad blockers, iOS privacy features) and to deduplicate events. The Conversions API only fires when you have given Marketing consent.
Joint controllership: For the data collected through the Pixel and transmitted to Meta, we act as a joint controller with Meta within the meaning of Article 26 GDPR. The respective responsibilities are set out in the Meta Controller Addendum and the Meta Business Tools Terms. In summary: we are responsible for obtaining your consent and informing you about this processing. Meta is responsible for the further processing of the data once received and for responding to data-subject requests concerning that further processing.
International transfers: Meta Platforms Ireland may transfer data to Meta Platforms, Inc. in the United States. These transfers rely on the European Commission's adequacy decision for the EU-U.S. Data Privacy Framework of 10 July 2023 (Meta is certified under the DPF), supplemented by Standard Contractual Clauses where applicable.
Your control: You can withdraw Marketing consent at any time through the Cookie Settings link in the site footer. After withdrawal, no new Pixel or Conversions API events will be sent. You can also opt out of Meta's ads personalisation directly in your Facebook and Instagram Ads Preferences.
Meta's privacy policy: https://www.facebook.com/privacy/policy/
4.4 Resend (Email Service)
We use Resend, a service provided by Resend, Inc., to send confirmation and update emails. When you provide your email address through our waitlist form, it is processed by Resend to deliver our messages.
Resend is based in the United States. Transfers to Resend are based on Standard Contractual Clauses (SCCs) included in our Data Processing Agreement with Resend.
Resend operates under its own privacy policy. Learn more: Resend Privacy Policy
4.5 Stripe (Payment Processing)
We use Stripe, a payment processing service provided by Stripe, Inc. (United States) and Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Dublin 2, Ireland (the entity responsible for processing payments from European customers). Stripe processes your payment card information and billing details to fulfil your purchase.
Card data is handled entirely within Stripe's PCI DSS-certified infrastructure and never passes through or is stored on our servers. We share your name and email address with Stripe solely to create a payment record.
Stripe may collect additional technical information – including your IP address, browser fingerprint, and device data – for fraud prevention and security purposes. Stripe sets strictly necessary cookies (_stripe_mid and _stripe_sid) in your browser for fraud detection; these do not require your consent.
Lawful basis: Performance of the sale contract you concluded with us (GDPR Article 6(1)(b)) for fulfilling the order, and compliance with our legal obligations under the Bulgarian Accounting Act and the Bulgarian VAT Act (GDPR Article 6(1)(c)) for keeping the resulting records.
International transfers: Stripe Payments Europe, Ltd. (Ireland) acts as the data controller for payments from European customers and may transfer data to Stripe, Inc. in the United States. These transfers rely on the EU-U.S. Data Privacy Framework (Stripe, Inc. is certified under the DPF) and Standard Contractual Clauses.
Stripe's privacy policy: Stripe Privacy Policy
4.6 Content Storage (Strapi)
Subscriber data and other site content is stored in a Strapi content management system. The system is access-controlled and protected by API token authentication. We are currently finalizing the specific hosting arrangements; this section will be updated to identify the host and processing location.
5. Data Retention
- Analytics data: Retained by Google Analytics for 26 months, then automatically deleted
- Marketing data: Retained by Meta according to its policies (typically up to 2 years for advertising-related data)
- Subscriber data: Email retained while you are subscribed; deleted within 12 months after you unsubscribe
- Order data: Retained by us for 10 years from the end of the calendar year of the transaction, as required by Article 12 of the Bulgarian Accounting Act. Stripe also retains payment data under its own policies (typically up to 7 years for financial records)
- Email delivery logs: Retained by Resend per their policy (typically up to 30 days)
- Cookie preferences: Stored locally on your device until you clear browser data
- Booklet access credential: Stored locally on your device until you clear browser site data
- Server logs: Retained by Cloudflare for a short period (typically a few days), then automatically deleted
6. Your Rights (GDPR)
Under the General Data Protection Regulation (GDPR), you have the right to:
- Access: Request a copy of your personal data
- Rectification: Request correction of inaccurate data
- Erasure: Request deletion of your data ("right to be forgotten")
- Restriction: Request limitation of processing
- Portability: Receive your data in a portable format
- Objection: Object to processing of your data
- Withdraw Consent: Withdraw cookie consent at any time, using the Cookie Settings link in the site footer
To exercise these rights, use the Cookie Settings link in the site footer, clear your browser cookies and local storage, or contact us using the information below.
Automated decision-making: We do not make any automated decisions, including profiling, that produce legal effects concerning you or similarly significantly affect you (Article 22 GDPR). Marketing audiences built via Meta Pixel are used only for ad targeting and do not affect your legal rights or access to our services.
7. Data Transfers
Your information may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States. We rely on the following lawful transfer mechanisms under the GDPR:
- EU-U.S. Data Privacy Framework: For transfers to Google LLC, Meta Platforms, Inc., and Stripe, Inc. (all certified under the DPF), the European Commission has determined that the United States provides an adequate level of data protection (Adequacy Decision of 10 July 2023, upheld by the EU General Court on 3 September 2025).
- Standard Contractual Clauses (SCCs): For transfers to Resend, Inc. (United States) for email delivery, in line with Commission Implementing Decision (EU) 2021/914. Also used as a supplementary safeguard where the DPF does not apply.
8. Children's Privacy
The Site is not intended for children under 16. We do not knowingly collect personal information from children under 16. If you become aware that a child has provided personal data, please contact us.
9. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. For non-material changes (such as clarifications or address updates), continued use of the Site constitutes acceptance. For changes that introduce new processing purposes or new categories of personal data, we will obtain your fresh consent before applying them.
10. Contact Us
If you have questions about this Privacy Policy or wish to exercise your GDPR rights, please contact us at:
Company: Rabona Ltd. (Рабона ООД)
EIK: 208640431
Address: Zheko Voivoda 8, Sofia 1756, Bulgaria
Email: [email protected]
For data protection inquiries, you may also contact your local data protection authority.
We have not appointed a Data Protection Officer, as it is not required for the scale of processing on this Site.
Supervisory Authority: If you are in the EU, you have the right to lodge a complaint with a data protection authority if you believe we have not handled your personal data appropriately. The lead supervisory authority for this Site is:
Bulgarian Commission for Personal Data Protection (Комисия за защита на личните данни / КЗЛД)
2 Prof. Tsvetan Lazarov Blvd., 1592 Sofia, Bulgaria
Email: [email protected]
Website: https://www.cpdp.bg
If you reside in another EU/EEA member state, you may also lodge a complaint with your local data protection authority.