Privacy Policy

Rabona Ltd. (Рабона ООД, EIK: 208640431, registered at Zheko Voivoda 8, Sofia 1756, Bulgaria) ("we", "our", or "us") operates rabona.cards (the "Site"). This page informs you of our policies regarding the collection, use, and disclosure of personal information when you use the Site.

1. Information We Collect

1.1 Analytics Data

We use Google Analytics to collect usage data including:

• Pages visited and time spent on pages
• Geographic location (country/city level)
• Device type, browser, and operating system
• How you found the site (referral source)
• Language preferences

This data is collected only with your explicit consent through the cookie banner.

Lawful basis: Consent (GDPR Article 6(1)(a)).

1.2 Technical Data

The hosting provider (Cloudflare) automatically collects:

• IP addresses (for security and performance)
• Access logs and timestamps
• Error logs

This data is necessary for site operation and security.

Lawful basis: Legitimate interest in site security and operation (GDPR Article 6(1)(f)).

Provision of data: These data are required for site security and cannot be opted out of.

1.3 Marketing and Advertising Data

With your explicit Marketing consent, the Meta Pixel collects browsing behaviour on this Site (page views, clicks, items added to cart, purchases) and identifiers including the Meta browser cookie (_fbp), the click identifier (_fbc), your IP address, and basic device information. For signup and purchase events, your email address is hashed (SHA-256) before transmission so Meta cannot read it in plain text.

This data is collected only with your explicit consent through the Marketing category in the cookie banner. See section 4.3 for full details.

Lawful basis: Consent (GDPR Article 6(1)(a)).

1.4 Subscriber Data

When you sign up for our waitlist via the early-access form, we collect your email address, language preference, and subscription status. We also temporarily process your IP address to enforce rate limits and prevent abuse.

Purpose: To notify you when The International Archive deck is available for purchase, and to send occasional updates about its launch. We send these emails through Resend (see section 4.4).

You can unsubscribe at any time using the link in every email we send, or via the unsubscribe page on our site. Once you unsubscribe, your email address will be deleted within 12 months.

Lawful basis: Consent (GDPR Article 6(1)(a)).

Provision of data: Providing your email is voluntary, but required if you wish to join the waitlist.

2. How We Use Your Information

We use the collected information to:

• Understand how visitors use the Site
• Improve content and user experience
• Analyze traffic patterns and trends
• Detect and prevent technical issues
• Ensure site security and prevent abuse
• Measure the effectiveness of advertising campaigns and reach relevant audiences (with your Marketing consent)

3. Cookies

3.1 What Are Cookies?

Cookies are small text files stored on your device when you visit the Site.

3.2 Types of Cookies Used

Strictly Necessary Cookies (No consent required)

• locale_redirected: Remembers whether you have already been redirected to your language version. Expires after 24 hours.
• cookie-consent: Stores your cookie preferences

Lawful basis: Legitimate interest in providing the requested service (GDPR Article 6(1)(f)).

Provision of data: These cookies are required for basic site functionality and cannot be disabled.

Analytics Cookies (Requires consent)

• Google Analytics cookies (_ga, _gid, _gat): Track usage statistics

Marketing Cookies (Requires consent)

• _fbp (Meta): Identifies your browser to Meta. Expires after 90 days.
• _fbc (Meta): Stores the Facebook click identifier when you arrive from a Facebook ad. Expires after 90 days.

3.3 Managing Cookies

You can change your cookie preferences at any time by:

• Using the Cookie Settings link in the site footer
• Clearing your browser's cookies
• Adjusting your browser settings to block cookies

Note: Blocking necessary cookies may affect site functionality.

4. Third-Party Services

4.1 Google Analytics

We use Google Analytics, a service provided by Google LLC. Google Analytics uses cookies to analyze how you use the Site.

The information generated about your use (including your IP address) is transmitted to and stored by Google on servers in the United States and other countries. Google will use this information to evaluate your use of the Site and compile reports on website activity.

Google Analytics operates under its own privacy policy. Learn more: Google Privacy Policy

4.2 Cloudflare

The Site is hosted on Cloudflare Pages. Cloudflare may collect technical data for performance, security, and analytics purposes. Learn more: Cloudflare Privacy Policy

4.3 Meta Pixel and Conversions API

With your explicit consent (Marketing category), we use the Meta Pixel and the Meta Conversions API, services provided by Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland (the controller for European users).

What is collected: Pages viewed, buttons clicked, items added to cart, purchases completed, and identifiers including the Meta browser cookie (_fbp), the click identifier (_fbc), your IP address, browser and device information, and for signup and purchase events a hashed (SHA-256) version of your email address. Hashing is irreversible, so Meta cannot read your email in plain text.

Why: To measure the effectiveness of advertising campaigns we run on Facebook and Instagram, build audiences for re-marketing, and reduce the cost of customer acquisition.

Server-side tracking (Conversions API): In addition to events sent from your browser, the same conversion events (signup, purchase) are sent directly from our server to Meta. This is technically required to compensate for browser-side data loss (ad blockers, iOS privacy features) and to deduplicate events. The Conversions API only fires when you have given Marketing consent.

Joint controllership: For the data collected through the Pixel and transmitted to Meta, we act as a joint controller with Meta within the meaning of Article 26 GDPR. The respective responsibilities are set out in the Meta Controller Addendum and the Meta Business Tools Terms . In summary: we are responsible for obtaining your consent and informing you about this processing. Meta is responsible for the further processing of the data once received and for responding to data-subject requests concerning that further processing.

International transfers: Meta Platforms Ireland may transfer data to Meta Platforms, Inc. in the United States. These transfers rely on the European Commission's adequacy decision for the EU-U.S. Data Privacy Framework of 10 July 2023 (Meta is certified under the DPF), supplemented by Standard Contractual Clauses where applicable.

Your control: You can withdraw Marketing consent at any time through the Cookie Settings link in the site footer. After withdrawal, no new Pixel or Conversions API events will be sent. You can also opt out of Meta's ads personalisation directly in your Facebook and Instagram Ads Preferences.

Meta's privacy policy: https://www.facebook.com/privacy/policy/

4.4 Resend (Email Service)

We use Resend, a service provided by Resend, Inc., to send confirmation and update emails. When you provide your email address through our waitlist form, it is processed by Resend to deliver our messages.

Resend is based in the United States. Transfers to Resend are based on Standard Contractual Clauses (SCCs) included in our Data Processing Agreement with Resend.

Resend operates under its own privacy policy. Learn more: Resend Privacy Policy

4.5 Content Storage (Strapi)

Subscriber data and other site content is stored in a Strapi content management system. The system is access-controlled and protected by API token authentication. We are currently finalizing the specific hosting arrangements; this section will be updated to identify the host and processing location.

5. Data Retention

• Analytics data: Retained by Google Analytics for 26 months, then automatically deleted
• Marketing data: Retained by Meta according to its policies (typically up to 2 years for advertising-related data)
• Subscriber data: Email retained while you are subscribed; deleted within 12 months after you unsubscribe
• Email delivery logs: Retained by Resend per their policy (typically up to 30 days)
• Cookie preferences: Stored locally on your device until you clear browser data
• Server logs: Retained by Cloudflare for a short period (typically a few days), then automatically deleted

6. Your Rights (GDPR)

Under the General Data Protection Regulation (GDPR), you have the right to:

• Access: Request a copy of your personal data
• Rectification: Request correction of inaccurate data
• Erasure: Request deletion of your data ("right to be forgotten")
• Restriction: Request limitation of processing
• Portability: Receive your data in a portable format
• Objection: Object to processing of your data
• Withdraw Consent: Withdraw cookie consent at any time, using the Cookie Settings link in the site footer

To exercise these rights, use the Cookie Settings link in the site footer, clear your browser cookies and local storage, or contact us using the information below.

Automated decision-making: We do not make any automated decisions, including profiling, that produce legal effects concerning you or similarly significantly affect you (Article 22 GDPR). Marketing audiences built via Meta Pixel are used only for ad targeting and do not affect your legal rights or access to our services.

7. Data Transfers

Your information may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States. We rely on the following lawful transfer mechanisms under the GDPR:

• EU-U.S. Data Privacy Framework: For transfers to Google LLC and Meta Platforms, Inc. (both certified under the DPF), the European Commission has determined that the United States provides an adequate level of data protection (Adequacy Decision of 10 July 2023, upheld by the EU General Court on 3 September 2025).
• Standard Contractual Clauses (SCCs): For transfers to Resend, Inc. (United States) for email delivery, in line with Commission Implementing Decision (EU) 2021/914. Also used as a supplementary safeguard where the DPF does not apply.

8. Children's Privacy

The Site is not intended for children under 16. We do not knowingly collect personal information from children under 16. If you become aware that a child has provided personal data, please contact us.

9. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. For non-material changes (such as clarifications or address updates), continued use of the Site constitutes acceptance. For changes that introduce new processing purposes or new categories of personal data, we will obtain your fresh consent before applying them.

10. Contact Us

If you have questions about this Privacy Policy or wish to exercise your GDPR rights, please contact us at:

For data protection inquiries, you may also contact your local data protection authority.

We have not appointed a Data Protection Officer, as it is not required for the scale of processing on this Site.

---