Stonfa Privacy Policy

Updated: August 15, 2024

1. Introduction

Stonfa ("we," "us," or "our"), a product of BlueEcom FZ LLE, respects your privacy and is committed to protecting your personal data. This Privacy Policy outlines our practices regarding the collection, use, disclosure, and safeguarding of your information when you interact with our websites, applications, tools, and services (collectively, the "Services"). By accessing or using our Services, you consent to the practices described in this Privacy Policy.

2. Legal Basis for Processing

We process your personal data based on one or more of the following legal bases:

  • Contractual Necessity: To perform our contractual obligations to you, such as providing access to our Services and processing your payments.
  • Consent: Where you have provided explicit consent, particularly in relation to marketing communications or specific processing activities.
  • Legitimate Interests: To pursue our legitimate business interests, such as improving our Services, provided that your rights and interests do not override these interests.
  • Legal Obligation: To comply with legal obligations, such as tax reporting and compliance with regulatory requirements.

3. Information We Collect

a) Personal Information
We may collect the following personal data directly from you:

  • Identification Data: This includes, but is not limited to, your full name, email address, billing addresses, and any other contact information you provide to us.
  • Financial Data: Billing information, payment card details, and transaction history for processing payments.
  • Account Data: email, password (handled securely through Auth0), account preferences, and settings related to your use of the Services.

b) Sensitive Personal Data
We generally do not collect sensitive personal data (e.g., health data, biometric data, etc.), unless explicitly required by specific services or as mandated by law. If we do process such data, it will be with your explicit consent or under another lawful basis permitted by applicable law.

c) Technical Data
We automatically collect certain technical data when you interact with our Services:

  • Log Data: IP address, browser type, operating system, device identifiers, and access times.
  • Usage Data: Information about how you use our Services, including the pages you visit, the time spent on those pages, and the links you click.
  • Cookies and Similar Technologies: Data collected through cookies, web beacons, and other tracking technologies to personalize your experience and analyze site usage.

d) Data from Third Parties
We may receive information about you from third-party sources, including:

  • Auth0 User Management: We use Auth0, a third-party service provided by Auth0, Inc., for secure user authentication and management. Auth0 handles user credentials, including passwords, which are not stored on our servers. By using our Services, you consent to Auth0's handling of your authentication data in accordance with their Privacy Policy.
  • Payment Processors: Information from payment gateways like Stripe for transaction verification and fraud prevention.
  • Third-Party Service Providers: We may receive additional information from third-party service providers that assist us in providing our Services. This includes data from payment processors, marketing platforms, and analytics providers that help us enhance our offerings and user experience.

    4. Purpose of Processing

    We process your personal data for the following purposes:

    • Service Delivery: To deliver and maintain our Services, manage your account, and process transactions.
    • Personalization: To tailor content, features, and advertisements to your preferences and interests.
    • Customer Support: To provide customer service, respond to inquiries, and resolve issues related to our Services.
    • Security and Fraud Prevention: To protect our Services from unauthorized access, fraud, and other malicious activities.
    • Legal Compliance: To comply with legal obligations, including responding to legal requests and conducting audits.
    • Marketing and Advertising: To send you marketing communications, subject to your consent, and to conduct market research.

    5. Disclosure of Your Information

    We may disclose your personal data to the following categories of recipients:

    a) Service Providers
    We engage third-party service providers to perform various functions on our behalf, such as:

  • Cloud Hosting: Providers like AWS or Google Cloud, where your data may be stored and processed.
  • Payment Processors: Third-party payment gateways to process transactions securely.
  • Analytics Providers: Companies like Google Analytics to track and analyze user behavior on our Services.
  • Marketing Services: Third-party platforms that help us manage and execute marketing campaigns.

    These providers are contractually bound to process your data only as instructed by us and to implement appropriate security measures.

    b) Legal and Regulatory Authorities
    We may disclose your personal data to regulatory bodies, law enforcement agencies, or other third parties where we believe disclosure is necessary to:

    • Comply with legal obligations: Such as responding to subpoenas, court orders, or other legal processes.
    • Protect rights and safety: To protect the rights, property, or safety of Stonfa, our users, or the public.

    c) Business Transfers
    In the event of a merger, acquisition, bankruptcy, or other sale of assets, your personal data may be transferred to the acquiring entity. You will be notified via email or a prominent notice on our website of any such transfer and your choices regarding your information.

    d) With Your Consent
    We may disclose your personal data to other third parties with your explicit consent, for example, when you participate in co-branded services or promotions.

    6. Data Sharing

    Internal Data Sharing:
    We may share your personal data internally within Stonfa and with our affiliated entities. This sharing is limited to what is necessary for the performance of our Services, to enhance your user experience, ensure platform security, and comply with legal obligations.

    External Data Sharing:

    a) Sharing with Service Providers (e.g., Auth0, Stripe, OpenSRS):
    We may share your personal data with third-party service providers, such as Auth0 for user management and Stripe for payment processing, to assist us in delivering our services. These providers are contractually bound to protect your data and use it only for the purposes we specify. We have data processing agreements in place with these service providers to ensure the proper handling of your information.

    Sharing with Third-Party Partners:
    We may share your personal data with third-party partners, such as marketing or advertising providers, to deliver personalized content and services. In these cases, we will obtain your explicit consent before sharing your data for these purposes.

    7. Data Security

    We employ a variety of technical and organizational measures to safeguard your personal data against unauthorized access, alteration, disclosure, or destruction. These include:

    • Encryption: Data is encrypted both at rest and in transit using industry-standard encryption protocols.
    • Access Controls: Access to personal data is restricted to authorized personnel only, based on the principle of least privilege.
    • Regular Audits: We conduct frequent and rigorous security assessments and audits to verify the effectiveness of our security measures, identify potential vulnerabilities, and implement corrective actions promptly.

    Despite these measures, no system can be completely secure. Therefore, we cannot guarantee the absolute security of your personal data.

    We encourage you to take responsibility for maintaining the security of your account credentials and to notify us immediately if you suspect any unauthorized access to your account.

    8. Data Retention

    We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements. Retention periods vary depending on the type of data and the purpose of processing. For example:

    • Account Data: Retained for as long as your account is active.
    • Transaction Data: Retained for the period required by tax laws and regulations.
    • Marketing Data: Retained until you opt out or withdraw your consent.

    Once the retention period expires, we will take appropriate steps to securely delete, anonymize, or aggregate your personal data to ensure it can no longer be associated with you, except where we are required by law to retain the information for a longer period.

    9. Your Rights and Choices

    Depending on your jurisdiction, you may have the following rights regarding your personal data:

    a) Right to Access
    You have the right to request access to the personal data we hold about you, including information on how it is processed and shared.

    b) Right to Rectification
    You have the right to request and receive a copy of your personal data in a structured, commonly used, and machine-readable format. You also have the right to transmit this data to another data controller where technically feasible, provided this does not adversely affect the rights and freedoms of others.

    c) Right to Erasure (Right to be Forgotten)
    You have the right to request the deletion of your personal data when:

    • It is no longer necessary for the purposes for which it was collected.
    • You withdraw consent (where processing was based on consent).
    • You object to processing and there are no overriding legitimate grounds.
    • The data has been unlawfully processed.

    d) Right to Restrict Processing
    You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or object to its processing.

    e) Right to Data Portability
    You have the right to request a copy of your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another data controller.

    f) Right to Object
    You have the right to object to the processing of your personal data for purposes such as direct marketing, profiling, or processing based on legitimate interests.

    g) Right to Withdraw Consent
    Where we process your personal data based on your consent, you have the right to withdraw that consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

    10. Automated Decision-Making and Profiling

    We may use automated decision-making processes, including profiling, to analyze user behavior, preferences, and performance for purposes such as personalized recommendations and targeted advertising. Where such processing has significant legal effects, you have the right to:

    • Request Human Intervention: Ask for the involvement of a human in decision-making.
    • Express Your Viewpoint: Contest decisions made solely based on automated processing.
    • Request an Explanation: Obtain an explanation of the decision reached after an assessment.

    11. Data Breach Notification

    In the event of a data breach that poses a risk to your rights and freedoms, we will promptly notify you and the relevant data protection authorities in accordance with applicable laws. Our notification will include:

    • Nature of the Breach: A description of the breach, including the categories and approximate number of data subjects and data records affected.
    • Impact Assessment: An assessment of the likely consequences of the breach for the data subjects involved.
    • Measures Taken: A description of the measures we have taken or propose to take to address the breach and mitigate its possible adverse effects.
    • Contact Information: Contact details for further information or assistance, such as a designated contact point.

    We will take immediate and appropriate actions to contain and remedy the breach, including recovering any lost data, mitigating potential harm, preventing further unauthorized access, and reinforcing our security measures to prevent future incidents. Our impact assessment will include both the potential and actual consequences for affected individuals, and we will keep you informed of ongoing mitigation efforts.

    12. International Data Transfers

    Given the global nature of our operations, your personal data may be transferred to and processed in countries outside of your country of residence. These countries may not have the same data protection laws as your home country. However, we have implemented the following safeguards to ensure the protection of your personal data:

    • Standard Contractual Clauses (SCCs): We use SCCs approved by the European Commission as a legal mechanism for transferring personal data to countries outside the European Economic Area (EEA).
    • Binding Corporate Rules (BCRs): Where applicable, we adhere to BCRs that provide a legally recognized framework for transferring personal data within our corporate group.
    • Adequacy Decisions: For certain countries, we may transfer your data based on an adequacy decision by the European Commission. This decision confirms that the specific country’s data protection laws are equivalent to those within the European Economic Area (EEA), ensuring your data receives a similar level of protection as it would under GDPR.
    • Explicit Consent: In some cases, we may rely on your explicit consent for specific data transfers, particularly where other legal mechanisms are not available.

    You have the right to request a copy of the safeguards we have in place for international data transfers.

    13. Children's Privacy

    Our Services are not directed at individuals under the age of 16, and we do not knowingly collect personal data from children under 16.

    If we become aware that we have inadvertently collected personal data from a child under 16 without verified parental consent, we will promptly take steps to delete this information in compliance with applicable laws, including COPPA in the United States and similar regulations globally. We may also implement additional measures, such as requiring age verification or parental consent mechanisms, to ensure compliance with relevant child protection laws.

    14. International Compliance

    General Data Protection Regulation (GDPR) Compliance
    For users located in the European Union or European Economic Area, Stonfa complies with the requirements of the GDPR. This includes providing you with the rights described in this Privacy Policy, obtaining your consent where required, and implementing appropriate technical and organizational measures to protect your personal data.

    California Consumer Privacy Act (CCPA) Compliance
    For users located in the state of California, United States, Stonfa complies with the requirements of the CCPA. This includes providing you with the rights described in this Privacy Policy, such as the right to access, delete, and opt out of the sale of your personal information.

    Compliance with Other Jurisdictions (APAC, etc.)
    Stonfa also complies with data protection laws and regulations in other jurisdictions where we offer our services, such as the Asia-Pacific region. We ensure that our data processing activities adhere to the applicable privacy laws and regulations in each jurisdiction.

    15. Cookies and Tracking Technologies

    We use a variety of cookies and tracking technologies on our platform, including session cookies, persistent cookies, third-party cookies, web beacons, and pixel tags. These technologies serve multiple purposes: enabling core site functionality, remembering your preferences, analyzing website traffic, and delivering personalized content and advertisements. You can manage your cookie preferences through your browser settings or through our cookie consent management tool, which allows you to accept or reject different categories of cookies according to your preferences.

    a) Purpose of Cookies:
    The cookies and tracking technologies we use serve the following purposes:

    • Authentication: We use cookies to identify and authenticate you when you access our platform.
    • Site Navigation: Cookies help us understand how you navigate and interact with our website, which allows us to improve the user experience.
    • Website Analytics: We use cookies and other tracking technologies to collect information about your browsing behavior and device, which we use to analyze website usage and performance.
    • Personalization: Cookies enable us to personalize your experience and deliver content tailored to your interests and preferences.

    b) How to Manage Cookies:
    You can manage your cookie preferences through your browser settings. Most web browsers allow you to control cookies, including blocking or deleting them. However, please note that disabling cookies may affect the functionality and performance of our platform.

    c) Do Not Track Signals:
    We respect Do Not Track (DNT) signals transmitted by your browser. If you have enabled the DNT setting in your browser, we will not track your online activities across third-party websites.

    16. Third-Party Services

    Use of Auth0 for User Management:
    We use Auth0, a trusted third-party service provider, to manage user accounts and authentication. Auth0's privacy policy and data processing practices can be found at https://auth0.com/privacy.

    Payment Processing via Stripe:
    We use Stripe, a PCI DSS-compliant payment gateway, to handle all payment processing for our platform. Stripe's privacy policy and data processing practices can be found at https://stripe.com/privacy.

    Domain Registration via OpenSRS:
    For domain registration and management, we partner with OpenSRS, a trusted domain registrar. OpenSRS's privacy policy and data processing practices can be found at https://opensrs.com/privacy-policy/. When you purchase a domain through our platform, your domain-related information, such as your name and contact details, will be shared with OpenSRS to facilitate the domain registration and management process.

    Other Third-Party Integrations:
    In addition to Auth0, Stripe, and OpenSRS, we may integrate with other third-party services, such as analytics providers, to deliver our platform and services. We ensure that these third parties are contractually bound to protect your data and use it only for the purposes specified by Stonfa.

    Liability for Third-Party Services:
    While we take care to select reputable third-party service providers and require them to adhere to strict privacy and security standards, we cannot be held responsible for their independent actions or omissions. We encourage you to review the privacy policies of any third-party services you interact with through our platform to understand how they manage your data.

    17. Domain Registration Privacy

    Domain Registration via OpenSRS:
    For domain registration and management, we partner with OpenSRS, a trusted domain registrar. When you purchase a domain through our platform, your domain-related information, such as your name, contact details, and billing information, will be shared with OpenSRS to facilitate the domain registration and management process.

    Registrant Information Disclosure:
    As part of the domain registration process, certain registrant information, such as your name, address, and contact details, may be publicly accessible through domain name lookup services, as required by the Internet Corporation for Assigned Names and Numbers (ICANN) and applicable domain name registry policies. Stonfa has no control over this public disclosure of registrant information.

    Billing Information Protection:
    Your billing information, such as credit card details or payment method, will be securely processed by Stonfa in compliance with PCI DSS standards. Stonfa will not share your full payment details with any third parties, as we will be directly responsible for managing and protecting your payment information.

    User Rights and Obligations:
    As the domain registrant, you have certain rights and obligations regarding the privacy and management of your domain-related information. You should review OpenSRS's privacy policy and registrant agreement to understand your rights and responsibilities.

    18. Data Minimization and Accuracy

    We adhere to the principles of data minimization and accuracy in our data processing activities:

    • Data Minimization: We only collect and process the personal data that is necessary for the specific purposes outlined in this Privacy Policy. We adhere to the principle of data minimization by collecting only the personal data that is necessary to provide and improve our Services. For example, we may limit the data fields required during registration to the minimum necessary to create an account, and we regularly audit our data collection practices to identify and eliminate any superfluous data gathering.
    • Data Accuracy: We take reasonable steps to ensure that the personal data we hold is accurate, complete, and up-to-date. You have the right to request the correction of any inaccurate or incomplete personal data we hold about you.

    19. Your Privacy Choices

    You have several choices regarding how your personal data is used:

    • Marketing Communications: You can opt out of receiving marketing communications from us by following the unsubscribe instructions included in our emails or by contacting us directly.
    • Cookie Preferences: You can manage your cookie preferences through your browser settings. However, disabling cookies may affect your ability to use certain features of our Services.
    • Account Settings: You can access, update, or delete your account information at any time by logging into your account and adjusting your settings.

    20. Third-Party Links

    Our Services may contain links to third-party websites, services, or applications that are not owned or controlled by Stonfa. We are not responsible for the privacy practices, security, or content of third-party websites or services that may be linked from our platform. These links are provided for your convenience, and we recommend reviewing the privacy policies of any third-party websites or services you visit to understand how they collect, use, and protect your data. Interacting with these third-party services is at your own risk.

    21. Changes to This Privacy Policy

    We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or other factors. When we make changes, we will update the "Last Updated" date at the top of this page and provide notice of significant changes through our website or by other means, such as email. Your continued use of the Services after the effective date of the revised Privacy Policy constitutes your acceptance of the terms.

    22. Governing Law

    This Privacy Policy is governed by and construed in accordance with the laws of the United Arab Emirates, without regard to its conflict of laws principles. Any disputes arising from or related to this Privacy Policy shall be subject to the exclusive jurisdiction of the courts of Dubai, United Arab Emirates.

    23. Contact Us

    If you have any questions, concerns, or requests regarding this Privacy Policy or our data protection practices, please contact us at:

    Stonfa by BlueEcom FZ LLE
    Address: Creative Tower, Fujairah, United Arab Emirates
    Email: legal@stonfa.com

    We are committed to addressing your privacy-related inquiries and will respond to your requests in a timely manner.
