Privacy Policy
Bonding Key® — bondingkey.com · Effective date: 20 April 2026
1. Data Controller
Soulbond Oy, VAT: FI33721656
Uudenkaupungintie 7 B 26, 00350 Helsinki, Finland
johanna@bondingkey.com
2. Contact Person for Data Protection
Johanna Valkonen — johanna@bondingkey.com
3. Name of the Register
Soulbond Oy Customer and Marketing Register for the Bonding Key® service.
4. Legal Basis and Purpose of Processing
We process personal data on the following legal bases under GDPR (EU 2016/679):
- Contract performance — to deliver the Bonding Key® Toolkit you have purchased and to manage your customer relationship
- Consent — for newsletter subscriptions and marketing communications (documented, voluntary, specific, informed and unambiguous)
- Legitimate interest — for maintaining and developing the service and customer relationship
Personal data is processed for: delivering the purchased product, managing access to the Bonding Key® Toolkit, sending transactional emails (magic link authentication, purchase confirmation, receipt), sending newsletters to subscribers who have given consent, and developing the service.
You have the right to withdraw consent and opt out of direct marketing at any time.
5. Data We Collect
- Email address (required for purchase and authentication)
- Purchase information (product, amount paid, currency, date)
- Authentication data (magic link sessions, session tokens)
- Newsletter subscription status and consent timestamp
- Analytics data (page views, traffic source — collected without cookies via Plausible Analytics)
We do not collect names, phone numbers, postal addresses, or payment card details. Payment card data is processed exclusively by Stripe and never stored by Soulbond Oy.
6. Sources of Data
Data is collected directly from you when you purchase the Bonding Key® Toolkit, sign in using a magic link, subscribe to the newsletter, or use the bondingkey.com service.
7. Retention Period
- Purchase records — retained for 7 years in accordance with Finnish accounting law (Kirjanpitolaki 1336/1997)
- Authentication session data — deleted upon session expiry
- Newsletter subscriber data — retained until you unsubscribe
- Analytics data — aggregated and anonymised, no individual retention
8. Data Processors and Third-Party Services
| Processor | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database, authentication, user data storage | EU (Ireland, eu-west-1) |
| Stripe Payments Europe Ltd | Payment processing | EU (Ireland) |
| Resend Inc. | Transactional email delivery | EU (Ireland, eu-west-1) |
| Vercel Inc. | Hosting and content delivery | EU region |
| Plausible Analytics | Privacy-friendly website analytics (cookieless, no consent required) | EU (Germany) |
| Meta Platforms Ireland Limited | Meta Pixel — marketing conversion measurement, active only after your explicit consent via the cookie banner | EU (Ireland); Meta may transfer to the US under EU-US Data Privacy Framework |
We do not transfer personal data outside the European Economic Area except where the processors above maintain EU-based infrastructure as listed. Meta Platforms Ireland Limited is the EU-based data controller for Meta Pixel data; Meta may transfer pseudonymous behavioural data to its parent company in the United States under the EU-US Data Privacy Framework adequacy decision.
9. Security
- All data in transit is encrypted using TLS/HTTPS
- Supabase Row Level Security (RLS) restricts data access per authenticated user
- Authentication is handled via magic links — no passwords are stored
- Service role keys are stored securely as environment variables and never exposed client-side
- Access to personal data is limited to Johanna Valkonen (Soulbond Oy)
10. Your Rights Under GDPR
- Right of access — request a copy of your personal data
- Right to rectification — request correction of inaccurate data
- Right to erasure — request deletion ("right to be forgotten")
- Right to restriction — request restricted processing in certain circumstances
- Right to data portability — request your data in machine-readable format
- Right to object — object to processing based on legitimate interest, including direct marketing
- Right to withdraw consent — withdraw at any time without affecting prior processing
Contact: johanna@bondingkey.com — we respond within one month as required by GDPR.
Supervisory authority: Finnish Data Protection Ombudsman (tietosuoja.fi)
11. Cookies and Tracking Technologies
bondingkey.com uses two categories of cookies and tracking technologies:
- Strictly necessary — authentication session cookie (keeps you signed in) and your cookie-preference choice (stored in local storage). Always active. No consent required under GDPR article 5(3) of the ePrivacy Directive.
- Cookieless analytics — Plausible Analytics collects aggregated page-view and traffic-source data without cookies and without personally identifiable information. Always active. No consent required.
- Marketing (consent required) — Meta Pixel (Facebook/Instagram conversion tracking). Loaded only after you click "Accept all" in the cookie banner. If you decline or have not yet chosen, the Meta Pixel script is never loaded and no data is transmitted to Meta.
What Meta Pixel collects when active: page URL, page title, a pseudonymous advertising ID (fbp cookie), purchase amount at the checkout confirmation step, and aggregated browser information. It does not receive your name, email address or payment details.
You can change or withdraw your consent at any time by clicking Cookie Preferences in the page footer. Withdrawal takes effect immediately for all future page loads; data already sent to Meta before withdrawal cannot be recalled but will be retained by Meta according to their policy (see Meta Privacy Policy).
12. Changes to This Policy
We may update this Privacy Policy periodically. The effective date reflects the most recent revision. Registered users will be notified of material changes by email.