Privacy Policy

Last Updated: 20/03/2025

1. Important Information & Who We Are

Controller: CardBun is the “controller” of your personal data when you interact with our Site or purchase products from us. This means we are responsible for deciding how we hold and use your personal data.

Contact Details

Email: support@cardbun.com

Complaints: If you are unhappy with our response to any privacy-related complaint, you have the right to contact the Irish Data Protection Commission (DPC), our lead supervisory authority in Ireland. Please see https://www.dataprotection.ie for more information. We would appreciate the opportunity to address your concerns directly before you contact the DPC, so please feel free to reach out to us first.

2. The Data We Collect About You

Data Categories

  • Identity Data - Name, username, or similar identifier
  • Contact Data - Email address, Billing and shipping addresses, Phone number
  • Financial Data - Payment card details (processed via Stripe—we do not store full card details on our servers)
  • Transaction Data - Details about payments to/from you, Details of products/services you have purchased from us
  • Technical Data - Internet Protocol (IP) address, Browser type and version, Time zone setting and location, Operating system and platform, Information about how often you use the Site (e.g., usage logs)
  • Profile Data - Username and password (if you create an account), Purchase history, Your interests, preferences, feedback, and reviews
  • Usage Data - Information about how you use our website, products, and services, Pages viewed, links clicked, time spent on each page, etc.
  • Marketing & Communications Data - Your preferences in receiving marketing messages, Your communication preferences

Special Categories

We do not intentionally collect any special categories of personal data (e.g., health information, religious or philosophical beliefs, etc.) through our Site.

3. How We Collect Your Personal Data

We use different methods to collect data from and about you, including:


Direct interactions:

  • When you fill in forms, create an account, or purchase a product.
  • Correspondence by email, phone, social media, or otherwise.

Automated technologies or interactions:

  • As you interact with our Site, we may automatically collect Technical Data about your equipment, browsing actions, and patterns via cookies, server logs, and similar technologies.

Third parties or publicly available sources:

  • Stripe (our payment processor) may provide us with partial financial information to confirm payments.
  • Nextcup (our hosting provider) may store server logs containing your Technical Data.
  • Medusa.js (our storefront framework) may help collect and store order information.

4. How We Use Your Personal Data

We will only use your personal data when the law allows us to. Commonly, we rely on one or more of the following legal bases:

Performance of a contract:

  • When we need to process your data to provide goods/services to you or to take steps at your request before entering into such a contract.

Legitimate interests:

  • When processing is necessary for our (or a third party’s) interests and your fundamental rights do not override those interests (e.g., to maintain network security or prevent fraud).

Compliance with a legal obligation:

  • When we need to comply with a statutory or regulatory requirement.

Consent:

  • Where you have expressly given us your consent (e.g., to receive marketing emails). You can withdraw your consent at any time.

Purposes of Use

  • Account Creation & Management - Legal basis: Performance of a contract; Legitimate interests.
  • Order Processing & Delivery - Legal basis: Performance of a contract.
  • Payment Processing (via Stripe) - Legal basis: Performance of a contract; Legitimate interests (fraud prevention).
  • Customer Support - Legal basis: Performance of a contract; Legitimate interests (to improve services).
  • Marketing & Promotions - Legal basis: Consent (if required); Legitimate interests (to grow our business).
  • Site Analytics & Improvements - Legal basis: Legitimate interests; Consent (for certain analytics cookies).
  • Security & Fraud Prevention - Legal basis: Legitimate interests; Compliance with legal obligations.

5. Marketing Communications

Promotional Offers

We may use your Identity, Contact, Technical, Usage, and Profile Data to form a view on what we think you may want or need, or what may be of interest to you.

You will receive marketing communications from us if you have:

  • Requested information from us;
  • Purchased goods or services from us;
  • Provided us with your details when you registered for a promotion; and
  • In each case, you have not opted out of receiving that marketing.

Opting Out

You can request us or third parties to stop sending you marketing messages at any time by clicking on the “unsubscribe” link in any marketing message or by contacting us at: support@cardbun.com

Third-Party Marketing

We will get your express opt-in consent before we share your personal data with any company outside CardBun for marketing purposes.

6. Cookies & Similar Technologies

What Are Cookies?

Cookies are small text files placed on your computer or device when you visit a website. They help websites remember your actions and preferences (such as login and region selection) and gather usage and analytics data.

How We Use Cookies

We use cookies and similar tracking technologies (such as pixels and tags) to:

  • Recognize you on our Site.
  • Save your preferences for future visits.
  • Conduct analytics and improve Site performance.
  • Show relevant ads or promotions (where applicable).

Types of Cookies We May Use

  • Strictly Necessary Cookies: Enable core functionality (e.g., security, network management).
  • Functional Cookies: Remember choices you make (e.g., language, region).
  • Performance/Analytics Cookies: Collect information about how you use the Site (e.g., pages visited, time spent).
  • Advertising/Targeting Cookies: Track browsing habits to serve targeted ads (if applicable).

How to Manage Cookies

Most browsers allow you to refuse some or all cookies or to alert you when websites set or access cookies. If you disable or refuse cookies, some parts of the Site may become inaccessible or not function properly.

7. Disclosure of Your Personal Data

We may share your personal data with the parties set out below for the purposes described in this policy:


Service Providers:

  • Hosting: Nextcup hosts our Site and stores certain server logs that may include your IP address or other Technical Data.
  • Payment Processing: Stripe handles card payments. We do not store your full payment details on our servers; that information is encrypted and securely processed by Stripe.
  • Other Vendors: Marketing platforms, email service providers, analytics services, and couriers/shipping providers.

Legal or Regulatory Requirements

We may disclose your personal data to comply with applicable laws, regulations, court orders, or government requests and to protect our rights, property, or safety.


Business Transfers

If we sell or merge our business or assets, personal data may be transferred to a new owner. We will notify affected users if such a transfer materially affects the processing of your personal data.

8. Data Security

Security Measures:

We have implemented appropriate security measures (such as encryption, access controls, and secure servers) to protect your personal data from unauthorized access, use, or disclosure.


Third-Party Security

Where we share personal data with third-party service providers, we require them to implement appropriate security standards to ensure your personal data is safeguarded.


Data Breach Response

We have procedures in place to handle any suspected personal data breach. We will notify you and any applicable regulator when legally required to do so.

9. Data Retention

Retention Period:

We will only retain your personal data for as long as necessary to fulfill the purposes for which it was collected, including for satisfying any legal, accounting, or reporting requirements.


Criteria for Determining Retention Period

  • The amount, nature, and sensitivity of the data.
  • The potential risk of harm from unauthorized use or disclosure.
  • The purposes for which we process your data and whether we can achieve those purposes through other means.
  • Legal requirements.

Deletion

In some circumstances, you can ask us to delete your personal data (see “Your Legal Rights” below).

10. Your Legal Rights

Under the General Data Protection Regulation (GDPR) and Irish data protection laws, you have the following rights:


  • Right to Access - Request a copy of the personal data we hold about you.
  • Right to Rectification - Request correction of incomplete or inaccurate data we hold about you.
  • Right to Erasure - Ask us to delete or remove personal data where there is no legal reason for us to continue processing it.
  • Right to Object - Object to processing of your personal data where we are relying on a legitimate interest and there is something about your situation which makes you want to object; Object to direct marketing at any time.
  • Right to Restrict Processing - Ask us to suspend the processing of your personal data in certain scenarios (e.g., if you want us to establish its accuracy).
  • Right to Data Portability - Request the transfer of your personal data to you or a third party in a structured, commonly used, machine-readable format.
  • Right to Withdraw Consent - Where we rely on your consent, you may withdraw this consent at any time. This will not affect the lawfulness of any processing carried out before you withdraw your consent.

How to Exercise Your Rights

Contact us at support@cardbun.com

We try to respond to all legitimate requests within one month. Occasionally, it may take us longer if your request is particularly complex or if you have made multiple requests.

11. Children’s Data

Our Site is not intended for individuals under the age of 18.


We do not knowingly collect personal data relating to children under 18. If you believe a child has provided us with personal data, please contact us at support@cardbun.com so we can delete that information.

12. Do Not Track

Some browsers offer a “Do Not Track” (DNT) feature. Since there is no industry or legal standard on how websites should respond to DNT signals, we currently do not respond to DNT signals.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or other operational reasons.


The most recent version will always be posted on our Site with the “Last Updated” date.


We encourage you to review this Policy periodically.

Contact Us

Email: support@cardbun.com

For questions about your data rights or this policy