Last updated: 18 June 2026 — This template must be reviewed by a licensed attorney before launch.
⚠️ ATTORNEY / OPERATOR ACTION REQUIRED BEFORE LAUNCH — read first.
Cookie Policy
This Cookie Policy explains how Soluna ("Soluna", "we", "us", "our") uses cookies, similar tracking technologies, and local identifiers on our website at https://soluna.garden (the "Site"). It tells you what these technologies are, which ones we use, why we use them, who else receives data through them, the international transfers involved, and how you can control or withdraw your consent.
Soluna is the brand under which we sell a single consumer product, the Solar Mandala Projection Light, worldwide. The Site is operated by MATO, a sole proprietorship (Israeli osek murshe) based in Rehovot, Israel, which acts as the data controller for the personal data processed through these technologies:
- Contact email: hello@soluna.garden
This Cookie Policy should be read together with our Privacy Policy. If anything in this document conflicts with the mandatory data-protection or consumer-protection rights you have under the laws of your country of residence — in particular the EU/EEA (GDPR and ePrivacy rules), the United Kingdom, Switzerland, the United States (including California), or Israel (Protection of Privacy Law, including Amendment 13) — those mandatory rights prevail and are NOT waived. Choosing Israeli law as the governing law of our Terms does not remove any consumer or data-protection right that cannot be derogated from by agreement in your jurisdiction.
1. What Are Cookies and Similar Technologies?
A cookie is a small text file that a website places on your device (computer, tablet, or phone) when you visit. Cookies allow the website to recognise your device, remember your preferences, keep you logged in, and understand how you use the Site. We also use related technologies that work in a similar way, including:
- Local identifiers / first-party storage — values we set in your browser to recognise a returning visitor or maintain a session.
- Pixels and tags (such as the Meta Pixel) — small pieces of code that record actions you take and can read or write cookie values.
- Server-side event sharing (such as the Meta Conversions API) — information sent directly from our server to a third party. This does not always rely on a cookie, but it is closely linked to the same advertising purpose and, where it involves your personal data (including data derived from cookie identifiers), it is treated as non-essential and is subject to the same consent requirement as the cookie-based trackers. Moving a tracking call from the browser to the server does not remove the need for consent.
- Session-recording and heatmap tools (such as Microsoft Clarity) — which record on-page behaviour such as mouse movement, clicks, scrolling, and page interactions.
Cookies are described as first-party (set by Soluna) or third-party (set by another company, such as Meta or Microsoft), and as session cookies (deleted when you close your browser) or persistent cookies (which remain for a set period).
2. Categories of Cookies We Use
We group the technologies on our Site into the following categories:
2.1 Strictly Necessary / Essential
These are required to deliver a service you have explicitly requested — for example, maintaining your session, remembering your chosen language and currency so pages display and price correctly, and securing administrator login. Without them, core parts of the Site would not function. Under EU/UK ePrivacy rules, these are exempt from the consent requirement, and they cannot be switched off, as the Site cannot function without them.
2.2 Analytics / Statistics
These help us understand how visitors use the Site — which pages are viewed, where visitors come from, and where they experience friction — including session recordings and heatmaps via Microsoft Clarity, and our first-party visitor/session analytics. These are not essential and require your prior consent in the EU/EEA, UK, and Switzerland before they are set or activated.
2.3 Marketing / Advertising
These are used to measure and optimise our advertising and to build audiences — primarily through the Meta Pixel and the Meta Conversions API, including the server-side sharing of hashed personal data with Meta described in Section 4. They involve disclosing data to third parties for advertising and require your prior consent in the EU/EEA, UK, and Switzerland before they are set or activated. In California, this disclosure of personal information for cross-context behavioural advertising is a "sale"/"share" that you may opt out of (see Section 6).
3. Full List of Cookies and Trackers
The table below lists each cookie or local identifier we use, its provider, purpose, category, and duration. Durations for third-party cookies are the provider's documented defaults and may change; we update this table as needed.
| Cookie / identifier | Provider | Purpose | Category | Duration |
|---|---|---|---|---|
_fbp | Meta Platforms (Facebook) | Stores a browser-level identifier used by the Meta Pixel and Conversions API to measure advertising performance and build audiences. | Marketing | 90 days |
_fbc | Meta Platforms (Facebook) | Stores the advertising click identifier (fbclid) so a visit can be attributed to a Meta ad, via the Pixel and Conversions API. | Marketing | 90 days |
_clck | Microsoft (Clarity) | Persists a Clarity user ID and preferences so session-recording and heatmap analytics map to the same user. | Analytics | 1 year |
_clsk | Microsoft (Clarity) | Connects multiple page views into a single Clarity session recording. | Analytics | 1 day (session) |
CLID, MUID, ANONCHK, MR, SM | Microsoft (Clarity / Microsoft) | Third-party Microsoft user and operational identifiers (first-seen user ID, identifier sync, advertising/operational signals). | Analytics (some also serve Marketing) | up to 1 year |
sln_aid | Soluna (first-party) | Stable anonymous visitor ID used for our first-party analytics. Its value is also forwarded server-side to the Meta Conversions API as a hashed external_id for conversion de-duplication, subject to marketing consent (see Sections 4–5). | Analytics (marketing when forwarded to Meta) | 1 year |
sln_sid | Soluna (first-party) | Session ID that detects a new visit using a 30-minute sliding window, for first-party analytics. | Analytics | 30 minutes |
NEXT_LOCALE | Soluna (first-party, via next-intl) | Remembers your selected language so pages are displayed in the correct localisation. | Essential (functional) | Session / persistent (no fixed maximum age set in middleware) |
cur | Soluna (first-party) | Remembers your selected display currency (ILS, USD, EUR, GBP, or AED) for consistent server-rendered pricing. | Essential (functional) | 1 year (SameSite=Lax) |
soluna_session | Soluna (first-party) | Authenticated administrator login session (Firebase session cookie); HttpOnly and secure. Used only by store administrators, not customers. | Essential | Administrator session login duration (configurable; default ~5 days) |
Notes:
- The Meta
_fbp/_fbc90-day lifetime is Meta's documented default; the exact value depends on the current Pixel configuration. sln_aid,sln_sid, andcurare first-party identifiers set withSameSite=Lax;soluna_sessionis server-set andHttpOnly. The cookie values themselves are not transmitted to third parties via the cookie, but thesln_aidvalue is forwarded server-side to the Meta Conversions API in hashed form, which is subject to your marketing consent (see Sections 4–5). Where consent is refused or withdrawn, this identifier and any other personal data must not be sent to Meta.- We also use Vercel Web Analytics, a cookieless tool that sets no cookies and stores no persistent identifier; it therefore does not appear in the table above (see Section 4).
4. Third Parties Who Receive Data Through These Technologies
Some of the technologies above transmit data to third parties, which may involve transferring your data outside your country, including to the United States and to China. Where transfers occur, we rely on appropriate safeguards such as an applicable adequacy decision (e.g., the EU–US Data Privacy Framework / UK Extension for certified recipients) and/or the European Commission's Standard Contractual Clauses (SCCs) (and the UK International Data Transfer Agreement / Addendum), together with a transfer-risk assessment and supplementary measures where required. For transfers to China (via our fulfilment partner, see 4.3), there is no adequacy decision, so we rely on SCCs plus a transfer-risk assessment. You may request information about the safeguard relied on for a given transfer by emailing hello@soluna.garden.
4.1 Meta Platforms (Meta Pixel + Conversions API)
We use the Meta Pixel (client-side) and the Meta Conversions API (server-side) to measure and optimise our advertising. The Pixel sets the _fbp and _fbc cookies and sends event data to Meta. In addition, our server shares hashed (SHA-256) customer details — such as your email, phone number, first and last name, city, state, postcode, country, and a hashed visitor identifier (external_id) — directly with Meta to match conversions, alongside your IP address, browser user agent, and the _fbp/_fbc identifiers (sent un-hashed), all keyed to a shared event ID for de-duplication. Hashed identifiers remain personal data, because they can be re-identified when matched against records Meta already holds; hashing therefore does not remove the need for consent. For this data, Meta acts as our processor for the hashed contact information you instruct it to match, and as a joint controller with us for the event data, under the Meta Business Tools Terms. In the EEA, the relevant entity is Meta Platforms Ireland Ltd.; for other regions, Meta Platforms, Inc. (United States). This involves an international transfer to the United States.
4.2 Microsoft (Microsoft Clarity)
We use Microsoft Clarity to make session recordings and heatmaps — it records page rendering, mouse movement, clicks, scrolls, and on-page interactions. Form-input contents are automatically masked, and we configure Clarity's masking to redact form fields and on-screen personal data as a data-minimisation measure; however, session recording is a higher-risk technology because it can otherwise capture personal data shown on screen. Microsoft acts as a data controller for Clarity data and stores it in the Microsoft Azure cloud (United States), constituting an international transfer.
4.3 CJ Dropshipping (order fulfilment) and shipment of personal data to China
We operate on a dropshipping model. To fulfil and ship your order, our server shares your name, full shipping address, postcode, phone number, and email with our fulfilment partner CJ Dropshipping, which in turn forwards this information to its suppliers, warehouses, and carriers — including in China — to manufacture, pack, and deliver your product. This is an international transfer of your personal data to China, a country without an EU/UK adequacy decision; we rely on SCCs and a transfer-risk assessment for it. (This sharing is necessary to perform your purchase contract and is not a tracking technology; it occurs whether or not you consent to cookies.)
4.4 Other recipients
Our store data and order records are stored in Google Cloud Firestore (Firebase), processed by Google as our processor; Vercel provides our hosting, cookieless Web Analytics, and our rate-limiting/cache store (Vercel KV / Upstash); PayPal and Stripe process payments (each as an independent controller, and Stripe also as our processor) — full card numbers are never stored by Soluna; and Resend sends our transactional, abandoned-cart, and newsletter emails as our processor. These recipients are described in full, with their roles and transfer safeguards, in our Privacy Policy.
5. Consent and Your Choices (EEA, UK, Switzerland)
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, applicable law (the ePrivacy rules and the GDPR / UK GDPR) requires your prior, freely given, specific, informed, and unambiguous consent before any non-essential cookie or tracker — the analytics and marketing technologies described above (the Meta Pixel, the Meta Conversions API sharing of personal/hashed data, Microsoft Clarity, and our first-party analytics) — is set or activated.
- Strictly necessary cookies (Section 2.1) do not require consent and are always active.
- You can control, refuse, or withdraw the use of non-essential cookies and trackers at any time using the methods in Section 6 — your browser settings and the Meta and Microsoft opt-out controls.
- Refusing non-essential cookies does not block access to the Site — you can browse and complete a purchase either way.
- You may email hello@soluna.garden at any time to ask us to stop processing your personal data for analytics or marketing.
If you do not want analytics or marketing technologies to run, please use your browser controls (Section 6.2) to block non-essential and third-party cookies before and while you browse.
6. How to Withdraw Consent, Manage, or Opt Out of Cookies
You have several ways to control these technologies:
6.1 Managing Your Choices
You can control or withdraw the use of non-essential cookies and trackers at any time through your browser settings (Section 6.2), your Meta ad preferences (Section 6.3), and Microsoft privacy controls (Section 6.4). To ask us to stop processing your personal data, email hello@soluna.garden.
6.2 Your Browser Settings
Most browsers let you view, block, or delete cookies and refuse third-party cookies through their settings menu. Help pages are available for Chrome, Firefox, Safari, and Edge. Blocking essential cookies may stop parts of the Site from working correctly. Deleting cookies will also clear any stored consent choice, so you may be asked again on your next visit.
6.3 Meta (Facebook / Instagram) Advertising Preferences
You can control the ads you see and how your activity is used through your Meta ad preferences in your Facebook/Instagram account settings (Settings → Ads / Ad preferences).
6.4 Microsoft Clarity
Blocking or deleting cookies through your browser (Section 6.2) stops Microsoft Clarity from recording your session. You can also manage Microsoft use of data through Microsoft own privacy controls.
6.5 California — Opt Out of Sale/Sharing
Sharing your personal information with Meta for cross-context behavioural advertising is treated as a "sale"/"share" under the California Consumer Privacy Act (as amended by the CPRA). California residents may opt out of this sale/share — and exercise the rights to know/access, delete, correct, limit the use of sensitive personal information, and non-discrimination — by emailing hello@soluna.garden or using the controls in this Section; the designated request methods are described in our Privacy Policy. You do not need an account to opt out.
7. Marketing, Pricing, and Reviews — Honesty Commitment
Any promotional or "compare-at" pricing, discount, "free shipping" claim, and any countdown or scarcity indicator shown on the Site reflects a genuine, currently-available offer; we do not display fake reference prices or false urgency. Product reviews are from genuine customers and are not fabricated, incentivised without disclosure, or selectively filtered to hide honest negative feedback. (Free worldwide shipping applies to all orders; estimated delivery is 7–14 business days after 1–2 business days' processing — these are estimates, not guarantees, and any import duties or taxes may be payable by you as the recipient. Returns, the 30-day money-back guarantee, and the EU/UK statutory 14-day right of withdrawal are governed by our Terms and Refund/Returns Policy, which this Cookie Policy does not limit.)
8. Changes to This Cookie Policy
We may update this Cookie Policy from time to time to reflect changes in the technologies we use, in our providers, or in the law. When we make material changes, we will update the "Last updated" date at the top and, where required, ask for your consent again. The current version is always available on the Site.
9. Contact Us
If you have any questions about this Cookie Policy or how we use cookies and similar technologies, please contact us:
- Operator / data controller: MATO, an Israeli sole proprietorship (osek murshe), Rehovot, Israel
- Email: hello@soluna.garden
You also have the right to lodge a complaint with your local data-protection supervisory authority — for EEA visitors your national Data Protection Authority, for the UK the Information Commissioner's Office (ICO), and in Israel the Privacy Protection Authority (PPA) — if you believe your rights have not been respected.