Privacy Policy

Last Updated: November 2025

1. Introduction

1.1 Who We Are

This Privacy Policy describes how Bondi (“Bondi”, “we”, “us”, or “our”) collects, uses, shares, and protects personal information. Bondi is a cloud-based business management and workflow automation platform.

Company Information:

Legal Name: Bondi Labs, Inc.
Principal: Barak Turgeman
Address: 2803 Philadelphia Pike, Suite B #356, Claymont, DE 19703, United States
Email: privacy@heybondi.com
Data Protection Officer: dpo@heybondi.com

1.2 What This Policy Covers

This Privacy Policy applies to personal information we collect through:

Our website (heybondi.com)
Our SaaS platform and Services
Communications with us (email, support, chat)
Any other interactions with Bondi

This Privacy Policy should be read together with:

Our Cookie & Consent Policy - Details on cookies and tracking
Our Data Processing Agreement (DPA) - For business customers
Our Terms of Service - Governing use of our Services

1.4 Our Commitment

As a US-based company serving customers globally, including in the European Union and United Kingdom, we are committed to compliance with:

EU General Data Protection Regulation (GDPR)
UK GDPR (Data Protection Act 2018)
California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
Other applicable data protection laws

2. Information We Collect

We collect personal information in three ways: information you provide to us, information we collect automatically, and information from third parties.

2.1 Information You Provide to Us

Account Registration:

Name (first and last)
Email address
Company name and size
Job title and role
Phone number (optional)
Password (encrypted)

Profile Information:

Profile photo
Time zone and language preferences
Notification preferences
Workspace and team settings

Payment Information:

Billing name and address
Payment method details (processed by Stripe - we do not store full credit card numbers)
Tax identification (if applicable)
Billing history

Content You Create:

Workspaces, boards, and projects
Data you enter into the platform
Files and documents you upload
Comments, messages, and collaboration content
Custom fields, templates, and automations

Communications:

Support tickets and correspondence
Feedback and survey responses
Messages sent to our team
Event and webinar registrations

Job Applications:

Resume/CV and cover letter
References and work history
Information collected during interviews

2.2 Information We Collect Automatically

Device and Browser Information:

IP address (anonymized for analytics purposes)
Browser type and version
Operating system
Device type (desktop, mobile, tablet)
Screen resolution
Language settings

Usage Information:

Pages and features accessed
Time spent on platform
Click patterns and navigation paths
Search queries within the platform
Feature usage and interaction data
Session duration and frequency

Location Information:

General location based on IP address (country/region level)
We do not collect precise GPS location

Cookies and Tracking Technologies:

We use cookies and similar technologies as described in our Cookie Policy
Essential cookies for platform functionality
Analytics cookies (with your consent) to understand usage patterns
We do NOT use marketing or advertising cookies for EU/UK users

Log Data:

Server logs (timestamps, API calls, errors)
Security events and authentication logs
Performance and diagnostic data

2.3 Information from Third Parties

OAuth Providers:

If you sign up using Google, Microsoft, or other OAuth providers, we receive basic profile information (name, email, profile picture) as permitted by your settings

Payment Processors:

Stripe provides us with payment confirmation and billing information

Public Sources:

Company information from public business directories (for B2B purposes)

Integration Partners:

Data from third-party services you connect to Bondi (with your authorization)

3. How We Use Your Information

We use your personal information for specific purposes based on legal grounds required by GDPR and other privacy laws.

Under GDPR Article 6(1), we process personal data based on:

a) Consent - Where you have given clear consent for us to process your personal data for a specific purpose (e.g., analytics cookies, marketing communications for non-EU users)

b) Contractual Necessity - Where processing is necessary to perform our contract with you (providing the Services)

c) Legal Compliance - Where we must process your data to comply with legal obligations

f) Legitimate Interests - Where processing is necessary for our legitimate business interests, provided these do not override your rights and interests

3.2 Specific Purposes

To Provide Our Services (Legal basis: Contractual necessity)

Create and manage your account
Enable access to platform features
Process and store your data
Provide collaboration and workflow tools
Enable integrations with third-party services

To Process Payments (Legal basis: Contractual necessity)

Charge subscription fees
Process invoices and receipts
Manage billing and payment disputes
Comply with tax obligations

To Communicate with You (Legal basis: Contractual necessity, Legitimate interest)

Send service-related notifications and updates
Respond to your inquiries and support requests
Send technical notices and security alerts
Provide customer support
Send important policy or terms updates

To Improve Our Services (Legal basis: Legitimate interest, Consent for cookies)

Analyze platform usage and performance
Understand user behavior and preferences (anonymized, no profiling)
Develop new features and improvements
Conduct product research and testing
Fix bugs and technical issues

For Security and Fraud Prevention (Legal basis: Legitimate interest, Legal compliance)

Detect and prevent fraud, spam, and abuse
Protect against security threats
Monitor for suspicious activity
Enforce our Terms of Service
Comply with legal requirements

For Analytics (Legal basis: Consent, Legitimate interest)

Website analytics using Google Analytics (anonymized, IP-truncated)
Product usage analytics using Mixpanel (privacy-enhanced)
Performance monitoring and optimization
Important: We do NOT use analytics for behavioral profiling, targeted advertising, or remarketing to EU/UK users

To Comply with Legal Obligations (Legal basis: Legal compliance)

Respond to lawful requests from authorities
Comply with court orders and legal processes
Meet regulatory requirements
Enforce our legal rights

For Business Operations (Legal basis: Legitimate interest)

Internal administration and record-keeping
Business planning and forecasting
Mergers, acquisitions, or business transfers

3.3 What We Do NOT Do

We do not:

Sell your personal information to third parties
Use your data for targeted advertising or remarketing to EU/UK users
Engage in behavioral profiling or automated decision-making that significantly affects you
Share your data for marketing purposes without consent
Use your Customer Data (content you create in the platform) for any purpose other than providing Services

We share your personal information only in limited circumstances and with appropriate safeguards.

4.1 Service Providers and Sub-Processors

We engage trusted third-party service providers to help us operate our business and provide Services. These providers have access to personal information only to perform specific tasks on our behalf and are obligated to protect your data.

Our Sub-Processors:

Service Provider	Service Type	Location	Purpose	Safeguards
Amazon Web Services (AWS)	Cloud Infrastructure	EU (Frankfurt/Dublin)	Hosting, data storage, databases	EU Data Residency, ISO 27001, SOC 2, SCCs
Google LLC	Analytics	USA	Website analytics (anonymized, no profiling)	Standard Contractual Clauses, IP anonymization
Mixpanel Inc	Product Analytics	USA	Optional usage analytics (privacy-enhanced)	Standard Contractual Clauses, privacy settings
Stripe Inc	Payment Processing	USA	Subscription billing and payments	Standard Contractual Clauses, PCI-DSS Level 1
Mailgun Technologies	Email Delivery	USA	Transactional emails and notifications	Standard Contractual Clauses, DPA

For a complete list and more details, see our Data Processing Agreement.

Sub-Processor Changes: We will notify you 30 days in advance of adding new sub-processors. You have the right to object on reasonable data protection grounds.

4.2 Legal Requirements

We may disclose your information if required by law or in response to:

Valid legal processes (court orders, subpoenas)
Requests from law enforcement or government authorities
National security requirements
Protection of our legal rights or safety

We will notify you of such requests unless prohibited by law.

4.3 Business Transfers

If Bondi is involved in a merger, acquisition, bankruptcy, or sale of assets, your personal information may be transferred as part of that transaction. We will notify you via email and/or prominent notice on our website before your information is transferred and becomes subject to a different privacy policy.

We may share your information with third parties when you explicitly consent to such sharing.

4.5 Aggregated and Anonymized Data

We may share aggregated, anonymized data that cannot identify you with partners, researchers, or the public (e.g., industry benchmarks, usage statistics).

We do not:

Sell or rent your personal information
Share your data for advertising or marketing purposes (except with your explicit consent for non-EU users)
Provide third-party access to your Customer Data without your authorization
Share data with data brokers

5. International Data Transfers

5.1 Our Global Operations

Bondi is headquartered in the United States. We process and store data globally to provide our Services efficiently and reliably.

5.2 EU/UK Data Residency

For customers in the European Economic Area (EEA) and United Kingdom:

Your data is primarily stored in the European Union using AWS data centers in Frankfurt, Germany and/or Dublin, Ireland
Customer Data from EU/UK customers does not leave the EEA/UK except for limited processing by authorized sub-processors with appropriate safeguards

5.3 Transfers to the United States

Some of our sub-processors are located in the United States (Google, Mixpanel, Stripe, Mailgun). When we transfer personal data from the EEA/UK to the US, we implement appropriate safeguards:

Standard Contractual Clauses (SCCs):

We have entered into Standard Contractual Clauses approved by the European Commission (Decision 2021/914) with all US-based sub-processors
These clauses provide legally binding data protection obligations

Supplementary Measures: In addition to SCCs, we implement technical and organizational measures:

End-to-end encryption of data in transit and at rest
IP address anonymization for analytics
Access controls and authentication requirements
Contractual restrictions on data access
Regular security audits and assessments

5.4 Other International Transfers

For transfers to countries outside the EEA/UK without an adequacy decision, we ensure appropriate safeguards are in place, including:

Standard Contractual Clauses
Binding Corporate Rules (where applicable)
Certification mechanisms
Your explicit consent (where appropriate)

6. Data Retention

We retain your personal information only as long as necessary for the purposes described in this Privacy Policy or as required by law.

6.1 Retention Periods

Active Accounts:

Personal and account data: For the duration of your active subscription

Deleted Accounts:

We delete your personal information within 30 days of account deletion
Backup copies may persist for up to an additional 30 days and are then securely deleted

Analytics Data:

Website analytics: Up to 2 years (anonymized, aggregated)
Product usage data: Up to 1 year (anonymized)

Financial Records:

Payment and billing information: 7 years (as required by tax and accounting laws)
Invoice history: 7 years

Communications:

Support tickets and correspondence: 3 years or until resolution, whichever is longer
Marketing communications: Until you unsubscribe or object

Legal Holds:

We may retain information longer if required by law, legal proceedings, or regulatory requirements

6.2 Deletion and Anonymization

Upon expiration of retention periods:

Personal identifiers are deleted or anonymized
Data is securely destroyed using industry-standard methods
Backup systems are purged according to our backup retention schedule

6.3 Customer Data

You control the retention of Customer Data (content you create in the platform)
You can delete Customer Data at any time through the platform
Upon account termination, we will delete or return Customer Data as specified in our Data Processing Agreement

7. Security

We take the security of your personal information seriously and implement comprehensive technical and organizational measures to protect it.

7.1 Technical Security Measures

Encryption:

Data in transit: TLS 1.3 or higher for all connections
Data at rest: AES-256 encryption for databases and file storage
Password storage: Industry-standard hashing (bcrypt/Argon2)

Access Controls:

Multi-factor authentication (MFA) available for all users
MFA required for administrative access
Role-based access control (RBAC)
Principle of least privilege
Regular access reviews and audits

Network Security:

Firewalls and intrusion detection/prevention systems
DDoS protection (AWS Shield)
Virtual Private Cloud (VPC) isolation
Network segmentation and monitoring

Application Security:

Regular penetration testing (annual)
Vulnerability scanning (quarterly)
Secure development practices (SAST/DAST)
Input validation and sanitization
Protection against common attacks (SQL injection, XSS, CSRF)

Infrastructure Security:

AWS data centers with ISO 27001 and SOC 2 certifications
Physical security controls (biometric access, 24/7 monitoring)
Environmental controls (fire suppression, climate control)

7.2 Organizational Security Measures

Policies and Procedures:

Comprehensive information security policy
Incident response plan
Business continuity and disaster recovery plans
Data retention and deletion policies

Personnel:

Background checks for employees with data access (where legally permitted)
Confidentiality agreements for all employees
Regular security awareness training
GDPR and privacy training

Vendor Management:

Security assessments of all sub-processors
Data processing agreements with contractual protections
Regular vendor security reviews

Compliance:

Working towards SOC 2 Type II certification
Working towards ISO 27001 certification
Regular internal and external security audits

7.3 Data Breach Response

In the event of a security incident affecting your personal data:

We will notify you within 72 hours of becoming aware
We will provide details about the incident and its impact
We will take immediate steps to mitigate harm
We will cooperate with regulatory authorities as required

7.4 Your Role in Security

You can help protect your data by:

Using strong, unique passwords
Enabling multi-factor authentication
Keeping your contact information up to date
Not sharing your login credentials
Logging out when using shared devices
Reporting suspicious activity to security@heybondi.com

8. Your Privacy Rights

Depending on your location, you have various rights regarding your personal information.

Under the GDPR and UK GDPR, you have the following rights:

Right to Access (Article 15)

You can request a copy of the personal data we hold about you
We will provide this information in a structured, commonly used format

Right to Rectification (Article 16)

You can request correction of inaccurate or incomplete personal data
You can update most information directly in your account settings

Right to Erasure / “Right to be Forgotten” (Article 17)

You can request deletion of your personal data in certain circumstances:
- The data is no longer necessary for the purposes collected
- You withdraw consent (where processing was based on consent)
- You object to processing and there are no overriding legitimate grounds
- The data was unlawfully processed
- Deletion is required for legal compliance

Right to Restriction of Processing (Article 18)

You can request that we limit how we use your data in certain situations:
- You contest the accuracy of the data
- Processing is unlawful but you don’t want erasure
- We no longer need the data but you need it for legal claims
- You’ve objected to processing pending verification

Right to Data Portability (Article 20)

You can receive your data in a structured, machine-readable format
You can request that we transmit your data to another controller

Right to Object (Article 21)

You can object to processing based on legitimate interests
You can object to direct marketing at any time
You can object to processing for research or statistical purposes

Right to Withdraw Consent (Article 7(3))

Where processing is based on consent, you can withdraw it at any time
Withdrawal does not affect the lawfulness of processing before withdrawal

Right to Lodge a Complaint (Article 77)

You can file a complaint with your local supervisory authority
See Section 15.3 for contact information

Right Not to Be Subject to Automated Decision-Making (Article 22)

We do not make automated decisions that significantly affect you without human intervention

8.2 Rights for California Users (CCPA/CPRA)

If you are a California resident, you have the following rights:

Right to Know

What personal information we collect
Sources of personal information
Purposes for collection
Categories of third parties we share with
Specific pieces of information we’ve collected

Right to Delete

Request deletion of personal information we’ve collected
Subject to certain exceptions (legal obligations, fraud prevention, etc.)

Right to Correct

Request correction of inaccurate personal information

Right to Opt-Out

Opt-out of sale of personal information (we do not sell personal information)
Opt-out of sharing for cross-context behavioral advertising
Limit use of sensitive personal information

Right to Non-Discrimination

We will not discriminate against you for exercising your privacy rights
We will not deny services, charge different prices, or provide different quality of service

Right to Limit Use of Sensitive Personal Information

We do not use sensitive personal information beyond what is necessary to provide Services

8.3 How to Exercise Your Rights

Methods to Submit Requests:

Email: privacy@heybondi.com
Within your account settings (for certain requests)
Contact our Data Protection Officer: dpo@heybondi.com

What We Need from You:

Sufficient information to verify your identity
Description of the specific request
Details to help us locate your information

Response Time:

We will respond within 30 days (GDPR)
We will respond within 45 days (CCPA), extendable to 90 days if needed
We will notify you if we need more time

Verification:

We may request additional information to verify your identity
This is to protect your personal information from unauthorized access

No Fee:

We do not charge a fee to exercise your rights
We may charge a reasonable fee for manifestly unfounded or excessive requests

Authorized Agents:

You may designate an authorized agent to make requests on your behalf (CCPA)
We may require proof of authorization

9. Children’s Privacy

9.1 Age Restrictions

Our Services are not directed to individuals under the age of 16 (or 13 in certain jurisdictions). We do not knowingly collect personal information from children.

COPPA Compliance (USA):

We do not knowingly collect information from children under 13

GDPR Article 8 Compliance (EU):

Children under 16 (or lower age set by member states) should not use our Services without parental consent

9.2 If We Discover Child Data

If we become aware that we have collected personal information from a child without appropriate consent:

We will delete the information as quickly as possible
We will terminate the associated account
We will not use or share the information

9.3 Parental Rights

If you believe your child has provided personal information to us:

Contact us immediately at privacy@heybondi.com
We will investigate and take appropriate action
You can request access to, correction of, or deletion of your child’s information

10. Cookies and Tracking Technologies

10.1 Overview

We use cookies and similar tracking technologies to provide, improve, and secure our Services. For detailed information, please see our Cookie & Consent Policy.

10.2 Types of Cookies We Use

Essential Cookies:

Required for platform functionality
Session management and authentication
Security features
These cannot be disabled as they are necessary for Services

Analytics Cookies:

Help us understand how you use our Services
Google Analytics (anonymized, IP-truncated)
Mixpanel (privacy-enhanced, optional)
Require your consent (except where legitimate interest applies)

Functional Cookies:

Remember your preferences and settings
Enhance user experience
Theme preferences, language settings

What We Do NOT Use:

Marketing or advertising cookies for EU/UK users
Cross-site tracking cookies
Third-party advertising networks
Behavioral profiling or remarketing pixels

10.3 Managing Cookies

You can control cookies through:

Our cookie consent banner (on first visit)
Cookie Settings (accessible from website footer)
Your browser settings
Google Analytics Opt-Out: Browser Add-on
Mixpanel Opt-Out: Opt-out Page

Note: Disabling essential cookies may affect platform functionality.

10.4 Do Not Track

We respect Do Not Track (DNT) signals where technically feasible. However, there is no universal DNT standard. We recommend using our cookie consent manager for precise control.

11. California-Specific Privacy Rights

11.1 California Consumer Privacy Act (CCPA/CPRA)

See Section 8.2 for your rights under CCPA.

11.2 California “Shine the Light” Law

California Civil Code Section 1798.83 allows California residents to request information about disclosure of personal information to third parties for direct marketing purposes.

Our Practice:

We do not share personal information with third parties for their direct marketing purposes without your consent
You can contact us at privacy@heybondi.com for more information

11.3 Notice of Collection

Categories of Personal Information Collected:

Identifiers (name, email, IP address)
Commercial information (purchase history, subscriptions)
Internet activity (usage data, browsing)
Professional information (job title, company)
Inferences (preferences, characteristics)

Business and Commercial Purposes:

Providing Services and customer support
Security and fraud prevention
Analytics and service improvement
Legal compliance

Categories of Third Parties:

Service providers (sub-processors)
Legal and regulatory authorities
Business transfer recipients (in M&A scenarios)

Sale of Personal Information:

We do NOT sell personal information

Sensitive Personal Information:

We collect payment information (processed by Stripe)
We do not use sensitive personal information beyond what is necessary for Services

12. Changes to This Privacy Policy

12.1 Updates

We may update this Privacy Policy from time to time to reflect:

Changes in our data practices
New features or Services
Legal or regulatory requirements
Industry best practices

12.2 Notification of Material Changes

For material changes that significantly affect your rights:

We will notify you by email (to your registered email address)
We will post a prominent notice on our website or within the platform
We will provide at least 30 days’ notice before changes take effect
We may require your consent for certain changes

12.3 Notification of Minor Changes

For minor, non-material changes:

We will update the “Last Updated” date at the top of this policy
Changes take effect immediately upon posting
Continued use of Services constitutes acceptance

12.4 Review History

You can request previous versions of this Privacy Policy by contacting privacy@heybondi.com.

13. Contact Us & Data Protection

13.1 General Privacy Inquiries

For questions about this Privacy Policy or our data practices:

Email: privacy@heybondi.com
Address: 2803 Philadelphia Pike, Suite B #356, Claymont, DE 19703, United States

13.2 Data Protection Officer

For data protection matters, GDPR requests, or exercising your rights:

Data Protection Officer: dpo@heybondi.com
Response Time: Within 30 days

13.3 EU Representative Status

As a US-based company processing EU personal data on an occasional basis through privacy-enhanced analytics only (no systematic monitoring or behavioral targeting), Bondi qualifies for the exception under GDPR Article 27(2)(a) and is not required to appoint an EU representative.

Our Occasional Processing:

Limited to anonymized, IP-truncated analytics
No behavioral profiling or user tracking
No remarketing or targeted advertising to EU users
Privacy-first configuration of all analytics tools

Note: This assessment is based on current operations as of November 2025 and may be revised as our business evolves.

EU residents can contact us directly at the addresses above for any privacy-related inquiries or to exercise their rights under GDPR.

13.4 Security Concerns

For security-related issues or to report a vulnerability:

Email: security@heybondi.com
Response: We take security seriously and will respond promptly

14. Additional Information for EU/UK Users

14.1 Supervisory Authorities

You have the right to lodge a complaint with a supervisory authority in your country of residence, place of work, or where an alleged infringement occurred.

EU Supervisory Authorities: A list of EU data protection authorities is available at: https://edpb.europa.eu/about-edpb/board/members_en

UK Supervisory Authority: Information Commissioner’s Office (ICO)
Website: https://ico.org.uk
Phone: 0303 123 1113

14.2 Legal Basis Summary

Purpose	Legal Basis	GDPR Article
Provide Services	Contractual necessity	6(1)(b)
Process payments	Contractual necessity	6(1)(b)
Customer support	Contractual necessity	6(1)(b)
Analytics (anonymized)	Legitimate interest	6(1)(f)
Security & fraud prevention	Legitimate interest	6(1)(f)
Legal compliance	Legal obligation	6(1)(c)
Marketing (consent required)	Consent	6(1)(a)

14.3 Data Protection by Design

We implement data protection principles by design and by default:

Data minimization: We collect only necessary data
Purpose limitation: Data used only for stated purposes
Storage limitation: Retention only as long as needed
Integrity and confidentiality: Strong security measures
Accountability: Regular audits and documentation

14.4 International Framework Compliance

We comply with GDPR and use Standard Contractual Clauses for international transfers
We monitor developments in international data transfer frameworks
We implement supplementary measures beyond SCCs (encryption, access controls)

15. Miscellaneous

15.1 Third-Party Links

Our Services may contain links to third-party websites or services. This Privacy Policy does not apply to those third parties. We encourage you to read the privacy policies of any third-party sites you visit.

15.2 Public Forums

If we offer blogs, forums, or community features, any information you share in these public areas may be visible to other users. Exercise caution when sharing personal information publicly.

15.3 Business Customers

If you use our Services through a business or organization (your employer), that organization may have its own policies regarding data collection and use. Please refer to your organization’s privacy policy for information about how they handle your data.

15.4 Compliance Certifications

We are working towards obtaining:

SOC 2 Type II certification
ISO 27001 certification

We maintain security practices aligned with these standards.

15.5 Governing Law

This Privacy Policy is governed by the laws of the State of Delaware, United States, except where Data Protection Laws require otherwise. For EU/UK users, GDPR and UK GDPR shall prevail to the extent of any conflict.

16. Effective Date

This Privacy Policy is effective as of the “Last Updated” date stated at the top of this document.

By using our Services, you acknowledge that you have read and understood this Privacy Policy and agree to its terms.

For any questions or concerns about this Privacy Policy, please contact us at privacy@heybondi.com.