Privacy Policy
Last updated: June 11, 2026
1. Data controller
For business-account data and the operation of the platform, the data controller is Pawel MYSLIWIEC (Bonivoo), 90 avenue Marceau Hamecher, 82000 Montauban, France — contact@bonivoo.com. For any question about your data, write to this address.
2. Roles: controller and processor
Bonivoo acts as CONTROLLER for the data of business accounts (owners and staff) and the operation of the service. For the data of END CUSTOMERS collected by a business through Bonivoo, the business is the controller; Bonivoo then acts as a PROCESSOR within the meaning of Article 28 of the GDPR and processes such data only to provide the service.
3. Data collected
Business accounts: email, name, role, language, business logo and contact details. End customers: depending on the business configuration — email, first name, last name, phone, date of birth, language, loyalty balance (stamps/points/membership), transaction history, marketing consent. Payment: handled by Stripe (Bonivoo stores no card numbers). Technical data: connection logs, wallet card identifiers (Apple/Google), cookies (see the Cookie Policy).
4. Purposes and legal bases
Provision and management of the service and loyalty program (contract performance / legitimate interest). Subscription and billing management (contract performance / legal obligation). Issuing wallet cards and sending loyalty-related notifications (service performance / legitimate interest). Any marketing communications to end customers (consent). Security, fraud prevention and aggregated statistics (legitimate interest).
5. Recipients and sub-processors
Data is hosted and processed by technical providers acting on our behalf: Supabase, Inc. (database, authentication, storage — AWS infrastructure in the European Union, Ireland region); Vercel Inc. (website hosting and delivery); Stripe (payment processing); Resend Inc. (email sending); Apple and Google (generation and updating of Apple Wallet / Google Wallet cards); Cloudflare, Inc. (DNS). A fallback logo may be generated via ui-avatars.com when a business has no logo. No data is sold to third parties.
6. Transfers outside the European Union
Some providers (notably Vercel, Apple, Google, Cloudflare and, where applicable, Stripe) may process data outside the European Union. Such transfers are governed by appropriate safeguards, in particular the European Commission Standard Contractual Clauses. The main database is hosted in the EU (Ireland).
7. Retention periods
Business-account data: for the duration of the contract, then deleted or anonymized within a reasonable time after termination. End-customer data: kept while the business maintains its program, until deleted by the business or the customer. Billing data: kept for 10 years in accordance with accounting obligations. Technical logs: short duration, for security purposes.
8. Security
Bonivoo implements appropriate technical and organizational measures: strict data isolation between businesses (Row-Level Security), encryption in transit (HTTPS), secure authentication, and restricted access to data. As no system is infallible, Bonivoo cannot guarantee absolute security.
9. Your rights
Under the GDPR, you have the rights of access, rectification, erasure, restriction, objection, portability and withdrawal of consent. Exercise them at contact@bonivoo.com. An end customer may contact the business (controller) directly or Bonivoo, which will forward the request. You may lodge a complaint with the French CNIL (www.cnil.fr).
10. Minors
The service is not intended for minors under 15. No data is knowingly collected from a minor without the consent of the holders of parental authority.
11. Cookies
The use of cookies and trackers is detailed in the Cookie Policy, available from the footer.
12. Changes
This policy may be updated. The last-updated date appears at the top of the page; significant changes will be flagged.