Privacy Policy
Last updated: May 18, 2026
1. Data controller and contact
Rona Cards is operated by Rona Labs, Morocco. For privacy questions or requests, contact cards@rona-labs.com.
2. Data we collect
We collect and process the following categories of data, depending on how you use Rona Cards:
- Account data: name, username, email address, password hash, account type, role, plan, trial status, login/session data, and security information.
- Profile data: public profile content such as photo, job title, company, phone numbers, email, biography, address text, social links, projects, experience, CTA links, files, background media, and language preferences.
- Order and delivery data: selected product, quantity, card status, payment method, coupon, shipping name, address, city, phone, order notes, and delivery status.
- Business and team data: company information, destination URLs, team members, employee names, titles, emails, roles, business analytics, and team import data.
- Lead data: information submitted through lead/contact forms, such as name, email, phone, company, message, source, IP address, and user agent.
- Analytics data: profile views, link clicks, VCF saves, card taps, visitor identifiers, approximate device/browser data, timestamps, and event metadata.
- Uploaded files: avatars, PDFs, CVs, project images, CTA files, and eligible background media.
- Support and communications: messages you send us, support requests, email delivery logs, and administrative notes.
- Technical data: IP address, browser, operating system, request logs, security logs, cookies, local storage identifiers, and similar diagnostic data.
3. How we use data
We use personal data to:
- create and secure accounts;
- provide public profiles, NFC card links, QR codes, VCF contact cards, dashboards, analytics, and business redirect tools;
- process orders, card production, delivery, support, coupons, invoices, and administrative workflows;
- send account, verification, order, trial, delivery, support, and security emails;
- process AI CV import when you choose to upload a CV;
- detect fraud, abuse, security incidents, and unauthorized access;
- improve, debug, measure, and maintain the platform;
- comply with legal, tax, accounting, consumer protection, and data protection obligations.
4. Public profile visibility
Information you publish on a Rona profile is intended to be shared. Visitors may access it through NFC taps, QR scans, direct links, search engines, or social sharing. Do not publish information that you do not want others to see.
If you include third-party personal data on your profile, such as another person's phone number, image, email, or name, you are responsible for having a lawful basis or permission to publish it.
5. AI CV import
If you use AI CV import, your uploaded CV and extracted text may be processed by AI and infrastructure providers so we can generate structured profile content. You should not upload sensitive information that is not needed for your professional profile. You are responsible for reviewing and correcting AI output before publishing.
6. Cookies and local storage
We use cookies and local storage for authentication, session security, language preference, user display data, and application behavior. We do not currently use third-party advertising cookies on the legal pages. If advertising or retargeting cookies are introduced, this policy should be updated and any required consent mechanism should be implemented.
7. Sharing with service providers
We do not sell personal data. We may share data with providers that help us operate Rona Cards, including hosting, database, file storage, email delivery, AI processing, analytics, security, customer support, card production, and delivery/fulfillment providers.
Examples of infrastructure used by the platform may include Supabase, Resend, OpenAI, hosting providers, and delivery or operational partners. These providers may process data only as needed to provide their services to us, subject to their own security and legal obligations.
We may also disclose data when required by law, court order, competent authority, fraud investigation, security incident response, or to protect the rights and safety of Rona Cards, users, visitors, or the public.
8. International transfers
Some providers may store or process data outside Morocco. Where required, we will take steps intended to comply with applicable Moroccan data protection requirements for transfers, including contractual, technical, organizational, or authorization measures where appropriate.
9. Security
We use technical and organizational measures designed to protect personal data, including HTTPS, password hashing, httpOnly authentication cookies, access controls, input validation, rate limits, storage restrictions, and administrative controls. No system is perfectly secure, and we cannot guarantee absolute security.
If you believe your account or data has been compromised, contact us immediately at cards@rona-labs.com.
10. Retention
We keep data only as long as needed for the purposes described in this policy, including account operation, public profile hosting, order fulfillment, customer support, fraud prevention, legal compliance, accounting, backups, and dispute resolution.
When you delete your account or request deletion, some data may remain for a limited period where required for invoices, order records, security logs, legal obligations, backups, or legitimate dispute handling.
11. Your rights
Subject to applicable law, you may request access to your personal data, correction of inaccurate data, deletion where legally available, objection to certain processing, and withdrawal of consent where processing is based on consent.
To exercise privacy rights, contact cards@rona-labs.com. We may need to verify your identity before responding. You may also have the right to contact the Moroccan data protection authority, the CNDP, where applicable.
12. Children
Rona Cards is intended for professional and business use and is not directed to children. We do not knowingly collect data from children under 16. If you believe a child has provided data, contact us so we can take appropriate action.
13. Business users and leads
If you use Rona Cards to collect leads, manage employees, import team members, or process visitor data, you may have your own obligations as a data controller or responsible party. You are responsible for using exported leads, employee data, and profile visitor information lawfully and transparently.
14. Changes to this policy
We may update this Privacy Policy when our product, providers, legal obligations, or processing activities change. The updated date will show the latest version. Material changes may be announced by email, dashboard notice, or website notice where appropriate.
Summary
Rona Labs processes the personal data necessary for account creation, public profile hosting, NFC card orders, analytics, support, AI CV import, and business features. Some data published on your profile is publicly visible.
In accordance with the principles of Moroccan Law 09-08, you may contact us to request access to, rectification of, or objection to the processing of your personal data, subject to applicable legal conditions. Contact: cards@rona-labs.com.