Privacy policy

Last updated: 1 October 2025

Controller: Cubik.one (“we”, “us”, “our”)

1) Who we are

Cubik.one is the controller of your personal data when you visit our website, create an account, purchase products, or interact with our services and marketing.

Contact: [email protected]

Postal address: Bulgaria, 4230 Asenovgrad, str. Zavodska 1, entry 14

Our products and services are intended for users aged 14+.

2) What data we collect

Identity & contact: name, email, phone, billing/shipping addresses, account username.

Account data: password (hashed), settings, order history.

Transactions: purchase amounts, currency, items, limited payment metadata (we do not store card numbers; Stripe processes payments).

Technical/usage: IP address, device and browser data, cookies, pages viewed, events (clicks, scrolls), referral sources, session IDs.

Marketing preferences: consents, opt-in/opt-out status.

Communications: messages you send via forms, chat (Zoho SalesIQ), or email.

Lead generation: company identification derived from IP (Leadfeeder/Dealfront) where possible.

User-generated info: content you submit in forms.

3) Where your data comes from

Directly from you: checkout, account sign-up, contact forms, chat (Zoho SalesIQ).

Automatically: cookies, SDKs, pixels, server logs (e.g., GA, GTM, Meta Pixel, Yandex Metrica).

Third-party providers: payment confirmations (Stripe), lead-gen signals (Leadfeeder/Dealfront).

4) Why we process your data (purposes & legal bases)

We only process your data when a legal basis applies under Articles 6 & 9 GDPR.

| Purpose | Examples | Legal basis |
| --- | --- | --- |
| Account & site functionality | Registration, login, remembering preferences | Contract (Art. 6(1)(b)); Legitimate interests (Art. 6(1)(f)) for essential cookies |
| Orders & payments | Checkout, invoicing, delivery | Contract; Legal obligation (tax/records) |
| Customer support | Email, forms, Zoho SalesIQ chat | Contract; Legitimate interests to respond effectively |
| Analytics & product improvement | Google Analytics, Yandex Metrica (if consented), A/B tests | Consent (non-essential cookies); Legitimate interests for aggregated metrics where permitted |
| Marketing & retargeting | Google Ads, Meta (Facebook) Ads/Pixel, email campaigns | Consent (cookie/ads); Legitimate interests for direct B2B outreach where compliant |
| Security & fraud prevention | Log files, abuse monitoring | Legitimate interests; Legal obligation where applicable |
| Legal compliance | Accounting, tax, law-enforcement requests | Legal obligation |

5) Cookies & tracking technologies

We use a Consent Management approach that loads non-essential tools only after you opt in. You can change your preferences at any time via the site’s cookie settings.

Categories we use

Strictly necessary (no consent): core site functions, security, load balancing.

Analytics (consent): Google Analytics, Yandex Metrica.

Marketing/retargeting (consent): Google Ads, Meta Pixel, Leadfeeder/Dealfront cookies where applicable.

Functionality (consent): chat/CRM widgets (Zoho SalesIQ).

Tool-specific notes

Google Tag Manager (GTM): a container that deploys tags; it should respect your consent choices.

Google Analytics: we configure IP anonymization where available and limit data retention.

Meta Pixel (Facebook/Instagram): used for conversion tracking and retargeting. For certain events, we and Meta Platforms Ireland may be joint controllers (e.g., matching website events with Meta accounts).

Yandex Metrica: used for session analytics/heatmaps; loads only with consent. We implement safeguards for international transfers.

Leadfeeder (Dealfront): identifies company visits based on IP and enriches visit data; used mainly for B2B lead qualification and only after consent where cookies are set.

6) Payments (Stripe)

Payments are processed by Stripe. We share only what’s necessary to complete a transaction. We do not store full card details on our servers. Stripe is a separate controller for certain processing and complies with PCI-DSS and PSD2/SCA requirements.

7) Disclosures to third parties (processors & partners)

We share data with trusted providers under Data Processing Agreements (DPAs) and confidentiality safeguards, strictly for the purposes above:

Infrastructure & analytics: Google (GTM, GA), Yandex (Metrica), Dealfront/Leadfeeder.

Advertising: Google Ads, Meta Platforms (Facebook/Instagram).

CRM & support: Zoho CRM (form capture & pipeline), Zoho SalesIQ (live chat).

Payments: Stripe.

Logistics/fulfilment: delivery and warehousing partners when needed for shipping.

Professional services: accountants, auditors, legal counsel.

Authorities: where required by law or to protect our rights/users (e.g., fraud prevention).

We do not sell your personal data.

8) International data transfers

Some recipients are located outside the EEA (e.g., the US; possibly other locations for global cloud providers). Where such transfers occur, we implement appropriate safeguards such as EU Standard Contractual Clauses (SCCs), transfer risk assessments, and supplementary measures (encryption, access controls). For Yandex Metrica, data may be processed across multiple regions. We only activate Yandex after consent and rely on SCCs and contractual safeguards. You can refuse consent to prevent any Yandex data flow.

9) Data retention

Accounts & orders: up to 10 years for statutory accounting/tax records (jurisdiction-dependent).

Support/chat records (Zoho SalesIQ): typically 24 months unless longer is needed for disputes.

Analytics: GA default 14 months (or stricter where configured); Yandex Metrica typical 12–24 months; we aim for the shortest practical window.

Marketing audiences (Google/Meta): according to campaign lifetimes and platform limits, generally 180–540 days.

Leadfeeder/Dealfront: up to 24 months for B2B visit identification.

Cookies: per cookie life shown in the cookie banner/details.

When retention ends, we delete or irreversibly anonymize the data.

10) Security

We use administrative, technical, and organizational measures appropriate to risk, including HTTPS/TLS, access controls, least-privilege principles, staff confidentiality commitments, and vendor due diligence.

11) Your rights (EU/EEA)

Access your data.

Rectify inaccurate data.

Erase data (“right to be forgotten”).

Restrict processing.

Object to processing based on legitimate interests or to marketing (including profiling for such marketing) at any time.

Data portability (receive your data in a structured, commonly used format).

Withdraw consent at any time without affecting prior lawful processing.

To exercise rights: [email protected]. We may verify identity before fulfilling requests.

You also have the right to lodge a complaint with your local supervisory authority. For our registered address, the authority is the Bulgarian Commission for Personal Data Protection (CPDP). You can also contact your EU/EEA authority.

12) Children’s privacy

Our services are for 14+. We do not knowingly collect data from children under 14. If you believe a child has provided data, contact us to delete it.

13) Automated decision-making & profiling

We do not make decisions with legal or similarly significant effects based solely on automated processing. We use profiling for advertising (e.g., interest-based audiences) only with your consent for marketing cookies, and you can withdraw it at any time.

14) Third-party links & social media

Our site may include links or integrations with third-party services and social networks. Their processing is governed by their own privacy policies. Please review those providers’ notices.

15) Changes to this Policy

We may update this Policy to reflect changes in law, technology, or our operations. We’ll post updates here and revise the “Last updated” date. If changes materially affect you, we will provide additional notice (e.g., banner or email).

Annex A – Key vendors & purposes (summary)

Google Tag Manager (GTM): tag loading based on consent; EU/US processing with SCCs where applicable.

Google Analytics: site usage measurement; IP anonymization where available; cookie consent required.

Google Ads (incl. remarketing): ad delivery and measurement; consent required for marketing cookies.

Meta Pixel (Facebook/Instagram): conversion tracking and audiences; consent required; certain events under joint controllership with Meta Ireland.

Yandex Metrica: session analytics/heatmaps; consent required; SCCs and safeguards for international transfers.

Leadfeeder / Dealfront: B2B visitor identification and lead qualification; consent required for cookies; retention up to ~24 months.

Zoho CRM: storing form submissions and customer records; EU/US processing with SCCs.

Zoho SalesIQ: live chat and engagement; stores chat transcripts; consent required to load the widget in some jurisdictions.

Stripe: payment processing as an independent controller/processor (context-dependent); PCI-DSS compliant; we don’t store card numbers.

Implementation checklist (internal use)

CMP / Cookie Banner: block GA/Yandex/Meta/Leadfeeder/Ads until consent; provide granular categories and a “Reject all” option.

Consent Records: store timestamp, categories, and country.

Tagging: use GTM with consent mode; fire tags only after consent.

DSAR channel: add a visible “Privacy Requests” link or email ([email protected]).

DPA/SCCs: keep signed DPAs/SCCs with all vendors.

Policies: link this Privacy Policy in footer + show a concise Cookies Notice page.