Template: subject to review by the business owner and legal counsel before launch.

Last updated: 18 June 2026 — This template must be reviewed by a licensed attorney before launch.

Soluna Privacy Policy

This Privacy Policy explains how Soluna ("Soluna," "we," "us," or "our") collects, uses, shares, and protects your personal data when you visit https://soluna.garden (the "Website"), browse our products, place an order for our Solar Mandala Projection Light, contact us, or receive our emails. It also explains your rights and how to exercise them.

Soluna sells and ships a single physical consumer product — the Solar Mandala Projection Light, a 100% solar-powered, IP65 weatherproof garden lantern that projects warm-gold mandala patterns and requires no wiring — to customers worldwide, including in the EU/EEA, the United Kingdom, the United States, Israel, and the UAE. We accept payment in several currencies (ILS, USD, EUR, GBP, AED). Because we serve customers in many countries, this Policy is designed to comply with the EU/UK General Data Protection Regulation (GDPR), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), and the Israeli Protection of Privacy Law (PPL), including Amendment 13 (effective 14 August 2025).

Please read this Policy together with our Terms of Service, Cookie Policy, and Returns & Refund Policy. Nothing in this Policy removes, limits, or waives any mandatory data-protection or consumer-protection right available to you under the laws of your country of residence, including the EU/EEA, the UK, and Israel. Where those laws grant you greater protection than this Policy, that law prevails to the extent it is mandatory.


1. Who We Are (Data Controller)

The data controller responsible for your personal data is:

  • Trading name: Soluna
  • Operator / legal entity: MATO, a sole proprietorship (Israeli osek murshe) based in Rehovot, Israel
  • Contact email: hello@soluna.garden

We are the entity that determines the purposes and means of processing your personal data and that you may contact about this Policy or your privacy rights.

EU/UK Representative

Soluna is established in Israel. Because we offer goods to consumers in the EU/EEA and the UK and monitor their behaviour through analytics and advertising tools, where required by Article 27 of the GDPR and of the UK GDPR we will appoint a representative in the EU/EEA and in the UK. Once a representative is appointed, their contact details will be published here and EEA/UK data subjects may contact them directly on all matters relating to the processing of their personal data.

Data Protection Officer

We have not appointed a Data Protection Officer, as our processing does not meet the legal thresholds requiring one under the GDPR or the Israeli PPL (we do not carry out large-scale systematic monitoring or large-scale processing of special-category data, and our main activity is not data-brokering). All privacy questions and requests are handled by our team at hello@soluna.garden.


2. The Personal Data We Collect

We collect the following categories of personal data:

| Category | Examples | How collected |
|---|---|---|
| Identity data | First and last name | You provide it at checkout/contact |
| Contact data | Email address, shipping address, phone number | You provide it at checkout/contact |
| Order & transaction data | Items ordered, order value, currency, order history, delivery details, confirmations | Generated when you order |
| Payment data | Confirmation of payment; payment method type. We never store full card numbers — these are handled by our PCI-compliant payment processors (PayPal, Stripe) | Via PayPal / Stripe |
| Technical & device data | IP address, device type, browser and operating system, user-agent string | Automatically when you visit |
| Usage & behavioural data | Pages viewed, clicks, scrolls, add-to-cart and checkout events, session recordings, referral source | Automatically via analytics/advertising tools (where permitted) |
| Marketing & communications data | Newsletter subscription status, email engagement, your preferences and consents | You provide it / generated |

We do not intentionally collect special-category data. Please do not send us sensitive personal information (such as health, religious, or biometric data) through our forms or emails.

Providing identity, contact, shipping, and payment data is necessary to enter into and perform your purchase contract. If you do not provide it, we cannot process or deliver your order. Providing marketing data and consenting to non-essential trackers is entirely optional and is not a condition of purchase.


3. How and Why We Use Your Data (Purposes and Legal Bases)

Under the GDPR and the Israeli PPL, we must have a lawful basis for each processing activity. Our purposes and bases are:

| Purpose | Data used | Legal basis (GDPR Art. 6) |
|---|---|---|
| Process, fulfil, ship, and confirm your order; manage returns/refunds and the 30-day money-back guarantee and statutory withdrawal rights; provide customer support | Identity, contact, order, payment, shipping | Contract — Art. 6(1)(b) |
| Send transactional emails (order confirmation, shipping/status updates) | Contact, order | Contract — Art. 6(1)(b) |
| Comply with tax, accounting, consumer-protection, and other legal obligations | Order, transaction, invoice data | Legal obligation — Art. 6(1)(c) |
| Prevent fraud, secure the Website, and protect against misuse | Technical, transaction data | Legitimate interests — Art. 6(1)(f): keeping our store and customers secure and preventing fraudulent or abusive transactions |
| Maintain basic, privacy-preserving aggregate analytics and improve our service (e.g. cookieless Vercel Web Analytics) | Aggregated/technical data | Legitimate interests — Art. 6(1)(f): operating, measuring, and improving the store |
| Set advertising/analytics cookies and trackers — Meta Pixel, Meta Conversions API (including server-side sharing of hashed identifiers), and Microsoft Clarity session recording | Technical, usage, hashed identifiers | Consent — Art. 6(1)(a) |
| Send the newsletter and abandoned-cart reminder emails (marketing) | Contact, behavioural data | Consent — Art. 6(1)(a), with an easy opt-out at any time. Where permitted, abandoned-cart reminders to existing customers about a similar product may rely on the soft opt-in / legitimate interests (Art. 6(1)(f)) recognised under applicable law, always with an opt-out. |

Where we rely on legitimate interests, we have carried out a balancing test to confirm that our interests are not overridden by your rights and freedoms. You have the right to object to this processing (see Section 9), and you can require us to stop sending direct-marketing emails at any time. Where we rely on consent, you may withdraw it at any time, as easily as you gave it, without affecting the lawfulness of processing carried out before withdrawal.

We do not engage in automated decision-making that produces legal or similarly significant effects about you. Our fraud-prevention and advertising tools may involve limited profiling for security and measurement purposes; this does not make automated decisions with legal effects on you. You may object to profiling for direct-marketing purposes at any time.


4. Cookies and Tracking Technologies

We use cookies and similar technologies. Strictly necessary cookies are always active because the Website cannot function without them and are exempt from consent. All analytics and advertising trackers are non-essential and are loaded only after you give prior, opt-in consent through our cookie banner, where consent is required (EEA, UK, Switzerland, Israel, and other applicable jurisdictions).

Our cookie banner is designed to meet the EDPB/CNIL standard:

  • "Accept" and "Reject" are presented with equal prominence and require the same minimal effort (the same number of clicks). You can refuse all non-essential trackers as easily as accepting them.
  • Choices are granular — you can consent separately to "Analytics" and "Marketing" categories; there are no pre-ticked boxes and no default-on toggles.
  • Continued browsing, scrolling, or swiping does not constitute consent.
  • You can change or withdraw your choices at any time via the persistent "Cookie settings" link in our footer, as easily as you gave them.
  • Refusing non-essential cookies does not block access to the store, and we keep records of consent to demonstrate compliance.

For California residents, an opt-out preference signal such as the Global Privacy Control (GPC) is treated as a valid request to opt out of the "sale"/"sharing" of personal information (see Section 11).

| Cookie / identifier | Provider | Purpose | Category | Duration |
|---|---|---|---|---|
| _fbp | Meta (Facebook) | Browser-level identifier for Meta Pixel / Conversions API to measure ads and build audiences | Marketing | 90 days |
| _fbc | Meta (Facebook) | Stores the ad-click identifier (fbclid) for conversion attribution | Marketing | 90 days |
| _clck | Microsoft Clarity | Persists the Clarity user ID and preferences | Analytics | 1 year |
| _clsk | Microsoft Clarity | Connects multiple page views into a single Clarity session | Analytics | 1 day |
| CLID, MUID, ANONCHK, MR, SM | Microsoft Clarity | Third-party Clarity/Microsoft identifiers (user ID, operational/ad sync) | Analytics / Marketing | up to 1 year |
| sln_aid | Soluna (first-party) | Stable anonymous visitor ID for first-party analytics; forwarded server-side to Meta as a hashed external_id (only where marketing consent is given) | Analytics | 1 year |
| sln_sid | Soluna (first-party) | Session ID; detects new sessions via a 30-minute sliding window | Analytics | 30 minutes |
| NEXT_LOCALE | Soluna (first-party) | Remembers your selected language | Essential (functional) | Session/persistent |
| cur | Soluna (first-party) | Remembers your selected display currency for consistent pricing | Essential (functional) | 1 year |
| soluna_session | Soluna (first-party) | Authenticated admin login session (HttpOnly, secure) | Essential | Admin session duration |

We do not load the Meta Pixel, transmit hashed identifiers via the Meta Conversions API, or load Microsoft Clarity until consent is given where consent is required. Vercel Web Analytics is cookieless and collects only aggregated, anonymous metrics. Please see Sections 5 and 6 for who receives data through these tools and the resulting international transfers.


5. Analytics and Advertising Tools (Full Disclosure)

Meta Pixel + Meta Conversions API (CAPI)

We use the Meta Pixel and the Meta Conversions API to measure and optimize our advertising. The browser-side Pixel sets the _fbp and _fbc cookies and sends event data (such as page views, add-to-cart, and purchase events), your IP address, and your browser user-agent to Meta. In addition, server-side, we share SHA-256-hashed customer identifiers — such as your email, phone number, first and last name, city, state, postal code, country, and a hashed external ID — directly from our server to Meta to match conversions, alongside your _fbp/_fbc values, IP address, and user-agent. These events are de-duplicated using a shared event identifier.

Hashed identifiers are still personal data (they are pseudonymous, not anonymous, because Meta can re-identify them by matching against its own datasets), and moving the call to the server does not remove the need for a lawful basis. We therefore share this data only where you have consented to marketing cookies/trackers. Our server independently checks your marketing-consent status before each transmission, and if marketing consent has not been given or has been withdrawn, the server strips the hashed identifiers from the payload (aligned with Meta's ad_user_data / ad_personalization signals). For this data, Meta acts as our processor for the hashed contact information and as a joint controller for the event data, under the Meta Business Tools Terms. Recipient: Meta Platforms Ireland Ltd. (EEA) / Meta Platforms, Inc. (US). This involves an international transfer to the US (see Section 6). You can withdraw consent at any time via "Cookie settings."

Microsoft Clarity (session recording + heatmaps)

We use Microsoft Clarity to record session replays and heatmaps — page rendering, mouse movements, clicks, scrolls, and on-page interactions — to understand how visitors use the Website and to identify friction points. Clarity records your on-page behaviour. We enable Clarity's masking so that form-input contents and sensitive on-screen text are redacted, as a data-minimisation and privacy-by-design measure. Clarity is a non-essential, higher-risk tracker and is loaded only after prior consent where required; it cannot be enabled on the basis of legitimate interest. Microsoft acts as a data controller for Clarity data and stores it in the Microsoft Azure cloud (US). Recipient: Microsoft Corporation. This involves an international transfer to the US (see Section 6).

Vercel Web Analytics

We use Vercel Web Analytics, a cookieless analytics tool that collects only aggregated, anonymous metrics (page URL/path, referrer, approximate location, device, OS, and browser type). It does not set cookies or store a persistent identifier; visitors are identified by a temporary request-based hash that is discarded after 24 hours. Recipient: Vercel Inc. (US).

First-party analytics (Google Firebase / Firestore)

We store first-party analytics events and visitor identifiers in Google Cloud Firestore (Firebase). This data is used to understand store performance and is processed by Google as our processor (see Section 7).


6. International Data Transfers

Soluna is based in Israel and serves customers worldwide. Your personal data is therefore transferred to, and processed in, countries outside your own — including Israel, the United States, the European Union, and, for order fulfilment, China (and other warehouse countries used by our fulfilment partner). These countries may have data-protection laws different from those in your jurisdiction.

We rely on the following safeguards for transfers out of the EEA/UK:

  • Adequacy decisions where available. The European Commission recognizes Israel as providing an adequate level of data protection, so transfers from the EEA to Soluna in Israel are covered by adequacy. The UK maintains corresponding adequacy regulations for Israel.
  • EU–US Data Privacy Framework (DPF) and/or Standard Contractual Clauses (SCCs) for transfers to US-based recipients (e.g., Meta, Microsoft, Vercel, Google, Stripe), together with supplementary measures where needed.
  • Standard Contractual Clauses plus a transfer-risk assessment for transfers to countries without an adequacy decision, in particular China, where your name, shipping address, phone, and email are transferred to our fulfilment partner CJ Dropshipping and its suppliers, warehouses, and carriers in order to manufacture, pack, and ship your order.
  • For UK transfers, the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the SCCs.

You may request a copy of the relevant safeguard, or details of where your data is transferred, by emailing hello@soluna.garden.


7. Who We Share Your Data With (Processors and Sub-Processors)

We do not sell your personal data for money. We share it only with the service providers below, each for the limited purpose described. We disclose exactly what each recipient receives:

| Recipient | Role | Data received | Location / transfer |
|---|---|---|---|
| CJ Dropshipping (fulfilment partner) | Order fulfilment and international shipping; forwards data to its suppliers, warehouses, and carriers (e.g., DHL) | Your name, full shipping address, postal code, phone number, and email | China and other warehouse countries — SCCs + transfer-risk assessment |
| PayPal | Payment processing (primary), fraud prevention, dispute resolution | Payment and contact/transaction details you provide directly to PayPal; PayPal returns transaction confirmation to us. Independent controller. | US/EU |
| Stripe | Card payment processing (when enabled), fraud prevention | Name, email, phone, billing/shipping address, card details, transaction amount/date. Acts as our processor for payments and as an independent controller for fraud/compliance | US/EU — DPF/SCCs |
| Meta Platforms (Ireland / US) | Advertising measurement and targeting | Event data, _fbp/_fbc, IP, user-agent, and SHA-256-hashed email/phone/name/address/external ID (consent-gated). Processor (hashed PII) / joint controller (events) | EEA/US — DPF/SCCs |
| Microsoft (Clarity) | Session recording and heatmap analytics | Session-replay and interaction data (form inputs masked); Clarity cookies. Independent controller | US (Azure) — DPF/SCCs |
| Vercel Inc. | Website hosting and cookieless web analytics | Aggregated, anonymous traffic metrics; technical request data needed to serve the site. Processor | US — DPF/SCCs |
| Google (Firebase / Firestore + Google Cloud) | Backend database and first-party analytics storage | Order records, customer details, and operational/analytics data. Processor under Google's Cloud Data Processing Addendum | Selected region — DPF/SCCs |
| Resend | Sending transactional, abandoned-cart, and newsletter emails | Your email address and the message content/metadata. Processor | US — DPF/SCCs |
| Upstash / Vercel KV | Caching, rate-limiting, and operational data store supporting the Website | Technical/session and operational data | US/EU — DPF/SCCs |

We may also disclose personal data to professional advisers, or to authorities and courts where required by law, to comply with a legal obligation, or to establish, exercise, or defend legal claims. If our business is transferred or merged, personal data may be disclosed to the relevant party subject to this Policy.


8. How Long We Keep Your Data (Retention)

We keep personal data only as long as necessary for the purposes for which it was collected:

  • Order, invoice, and transaction records: retained for the statutory tax and accounting retention period that applies to us (commonly 7 years under Israeli law, and 6–10 years under various national laws, whichever applies). This is a legal obligation.
  • Customer support correspondence: typically up to 24 months after your last contact.
  • Marketing data (newsletter/abandoned cart): until you unsubscribe or withdraw consent, after which we suppress your details from active marketing (retaining a minimal suppression record so we do not contact you again).
  • Analytics, advertising, and cookie data: retained per the durations in the cookie table (Section 4) and the retention periods of the relevant provider; aggregated/anonymous data may be kept longer.
  • Consent records: retained for as long as needed to demonstrate compliance, and generally for the limitation period applicable to related claims.

When data is no longer needed, we delete or anonymize it. We apply data minimization and delete data that exceeds the purpose, consistent with the Israeli PPL.


9. Your Rights (GDPR / UK GDPR and Israeli PPL)

Subject to applicable law, you have the right to:

  • Access — obtain confirmation of, and a copy of, the personal data we hold about you.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure ("right to be forgotten") — have your data deleted where there is no overriding legal basis to retain it.
  • Restriction — ask us to limit processing in certain circumstances.
  • Data portability — receive the data you provided in a structured, machine-readable format and have it transmitted to another controller.
  • Object — object to processing based on legitimate interests, and object at any time to direct marketing.
  • Withdraw consent — where we rely on consent, withdraw it at any time, as easily as you gave it, without affecting prior lawful processing.
  • Not be subject to solely automated decisions that produce legal or similarly significant effects.

Under the Israeli Protection of Privacy Law (including Amendment 13), you have the right to review the data held about you, request its correction or deletion, and withdraw consent to direct marketing.

How to exercise your rights: email hello@soluna.garden with your request. We may need to verify your identity. We will respond within the timeframe required by law (within one month under the GDPR, extendable for complex requests; we will inform you if an extension is needed). Exercising your rights is free of charge in normal circumstances, and we will not discriminate against you for doing so.

Right to Lodge a Complaint

If you believe we have not handled your data lawfully, you have the right to lodge a complaint with a supervisory authority:

  • EEA: your local Data Protection Authority (a list is maintained by the European Data Protection Board at edpb.europa.eu).
  • UK: the Information Commissioner's Office (ICO), ico.org.uk.
  • Israel: the Privacy Protection Authority (PPA), gov.il.

We would, however, appreciate the chance to address your concerns first — please contact us at hello@soluna.garden.


10. Email Marketing (Newsletter and Abandoned-Cart Reminders)

We use Resend to send emails. Transactional emails (order confirmations and status updates) are sent on the basis of our contract with you. Marketing emails — our newsletter and abandoned-cart reminders — are sent only where you have consented, or where otherwise permitted by applicable law (including, for existing customers, a soft opt-in for messages about a similar product, always with an opt-out).

Every marketing email accurately identifies Soluna as the sender, uses a non-deceptive subject line, includes our physical postal address, and contains a clear, working unsubscribe link. You can opt out at any time by clicking "unsubscribe" or by emailing hello@soluna.garden. We honor opt-out requests promptly and, in any event, within the timeframes required by applicable law (no later than 10 business days under the US CAN-SPAM Act, and without undue delay under the GDPR). We do not charge a fee or require you to log in or provide information beyond your email address to unsubscribe, and we do not sell, transfer, or continue mailing addresses that have opted out. We remain responsible for marketing emails sent on our behalf by our email provider.


11. Your California Privacy Rights (CCPA/CPRA)

This section applies to California residents.

Categories of personal information we collect include: identifiers (name, email, phone, IP address, online identifiers); commercial information (purchase and browsing history); internet/network activity (interactions with our Website); approximate geolocation; and inferences. We collect these for order fulfilment, customer service, security, analytics, and advertising as described in this Policy. We disclose these categories at or before the point of collection in our notice at collection, which links to this Policy and to the "Do Not Sell or Share" page.

"Sale" and "Sharing." We do not sell your personal information for money. However, our use of advertising trackers — in particular the Meta Pixel and Conversions API — involves disclosing identifiers and internet/device activity to Meta Platforms for cross-context behavioral advertising. Under the CCPA/CPRA, this is treated as "sharing" (and may be deemed a "sale"). We disclose this transparently here and do not stay silent about it.

Your CCPA/CPRA rights:

  • Right to know/access the categories and specific pieces of personal information we have collected.
  • Right to delete personal information we hold about you.
  • Right to correct inaccurate personal information.
  • Right to opt out of the sale/sharing of personal information.
  • Right to limit the use of sensitive personal information (we do not use sensitive PI beyond what is necessary to provide our service; if this changes we will provide a "Limit the Use of My Sensitive Personal Information" option).
  • Right to non-discrimination for exercising your rights.

How to exercise — "Do Not Sell or Share My Personal Information." You can opt out of sharing for cross-context behavioral advertising at any time by:

  1. Using the "Do Not Sell or Share My Personal Information" link in our website footer (no account required); and/or
  2. Setting non-essential cookies to "reject" via our cookie banner / "Cookie settings"; and/or
  3. Emailing hello@soluna.garden.

We honor the Global Privacy Control (GPC) and other opt-out preference signals automatically as a valid request to opt out, at the browser/session level and without requiring any manual step. When you opt out or send a GPC signal, we stop firing the Meta Pixel and disable advertising data-sharing (including the server-side transmission of hashed identifiers) for your browser/session.

You may also designate an authorized agent to make requests on your behalf. We will verify your identity before fulfilling a request to know, delete, or correct. We provide at least two methods to submit requests (the footer link/webform and email). This section was last reviewed on the "Last updated" date above and is reviewed at least every 12 months.


12. Children's Privacy

The Website and our product are not directed to children under 16, and we do not knowingly collect personal data from anyone under 16. If you are under 16, please do not use the Website or provide us with any personal data. If you believe a child under 16 has provided us with personal data, please contact hello@soluna.garden and we will delete it.


13. Data Security

We maintain reasonable technical and organizational measures appropriate to the risk to protect your personal data, including encryption in transit, access controls, HttpOnly/secure cookies for admin sessions, masking of session-recording inputs, and the use of PCI-compliant payment processors so that we never store full card numbers. Consistent with the Israeli Data Security Regulations (2017) and Amendment 13, we maintain an internal database-definition and security document and apply controls proportionate to the volume and sensitivity of the data we hold. While no method of transmission or storage is completely secure, we work to protect your data and to handle any security incident in line with our legal obligations, including breach notification to regulators and affected individuals where required.


14. Marketing, Pricing, and Reviews Integrity

We are committed to truthful marketing. Any promotional, sale, or compare-at pricing reflects genuine offers, and any countdown timer or stock-scarcity indicator reflects a real, current limitation. Product reviews and testimonials we publish are from genuine customers; we do not create, buy, or publish fake reviews, we do not suppress or selectively hide honest negative reviews, and we disclose any material connection where a reviewer received compensation or a free product. Total prices, shipping (free worldwide), and any taxes or buyer-borne import duties are disclosed clearly before you complete your order.


15. Changes to This Policy

We may update this Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we do, we will revise the "Last updated" date at the top. Material changes will be communicated where required by law. Please review this Policy periodically.


16. Contact Us

If you have any questions, requests, or complaints about this Policy or your personal data, contact us at:

  • Email: hello@soluna.garden
  • Operator: MATO, a sole proprietorship (Israeli osek murshe) based in Rehovot, Israel

Your use of the Website is also governed by our Terms of Service and Returns & Refund Policy (which describe our 30-day money-back guarantee, the EU/UK 14-day right of withdrawal, free worldwide shipping, and estimated 7–14 business-day dropshipping delivery times). Nothing in this Policy removes or limits any mandatory data-protection or consumer right available to you under the laws of your country of residence, including in the EU/EEA and the UK; those rights are not waived.
