Privacy Policy

Last updated: 14 May 2026

1. Who we are

This Privacy Policy explains how bondgo (“bondgo”, “we”, “us” or “our”) collects and processes personal data in connection with our pre-launch waitlist on bondgoapp.com.

For the purposes of the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) and the Irish Data Protection Act 2018, bondgo is the data controller of the personal data described below.

You can contact us about this policy or your rights at privacy@bondgoapp.com.

2. What data we collect

When you join the bondgo waitlist, we collect:

  • First name and last name – so we can address you personally.
  • Email address – so we can contact you about early access and product updates.
  • Submission timestamp – the date and time you joined the waitlist.

We do not knowingly collect special categories of personal data (such as health, religious or biometric data) through the waitlist, and we do not collect personal data from children.

3. How we use your data and our legal basis

We process your personal data on the following legal bases under Article 6 GDPR:

  • Consent (Art. 6(1)(a)) – when you submit the waitlist form, you consent to us storing your details and emailing you about bondgo’s launch, early access invitations and related product news.
  • Legitimate interests (Art. 6(1)(f)) – to maintain a secure record of waitlist sign-ups, prevent abuse of the form, and operate basic internal analytics on waitlist volume.

We will not use your waitlist data for advertising profiling or sell it to third parties.

4. Who we share your data with (processors)

We use a small number of trusted service providers who act as data processors on our behalf, under contracts that meet the requirements of Article 28 GDPR:

  • Supabase – database and backend hosting for waitlist records.
  • Cloudflare – website hosting, edge runtime and security.
  • Resend – delivery of transactional and waitlist emails.
  • Microsoft (OneDrive / Excel) – internal record-keeping of waitlist sign-ups.

Some of these providers may process data outside the European Economic Area (EEA), in particular in the United States. Where that happens, transfers are protected by appropriate safeguards under Chapter V GDPR, such as the European Commission’s Standard Contractual Clauses and/or the EU–US Data Privacy Framework.

5. How long we keep your data

We keep your waitlist data until the earlier of:

  • you ask us to delete it, or unsubscribe; or
  • 24 months after bondgo publicly launches, after which inactive waitlist entries are deleted or anonymised.

Email delivery logs (e.g. send status, bounces) are retained for up to 12 months for deliverability and abuse-prevention purposes.

6. Your rights under GDPR

As a data subject in the EU/EEA you have the following rights:

  • Right of access (Art. 15) – get a copy of your data.
  • Right to rectification (Art. 16) – correct inaccurate data.
  • Right to erasure / “right to be forgotten” (Art. 17).
  • Right to restrict processing (Art. 18).
  • Right to data portability (Art. 20).
  • Right to object to processing (Art. 21).
  • Right to withdraw consent at any time, without affecting the lawfulness of processing before withdrawal.

To exercise any of these rights, email privacy@bondgoapp.com. We will respond within one month, as required by Art. 12(3) GDPR.

You can unsubscribe from waitlist emails at any time using the link at the bottom of every email we send.

7. Cookies and tracking

The bondgo waitlist site uses only strictly necessary cookies and local storage required to operate the site (for example, to preserve form state). We do not use advertising or cross-site-tracking cookies on the waitlist page, so no cookie banner is required under the ePrivacy Regulations (S.I. 336 of 2011) for these uses.

8. Security

We apply appropriate technical and organisational measures to protect your data, including encryption in transit (TLS), row-level security on our database, restricted administrative access, and audit logging. No method of transmission over the internet is 100% secure, but we work to protect your data and will notify you and the Data Protection Commission of any personal data breach where required by Articles 33 and 34 GDPR.

9. Complaints and supervisory authority

If you believe we have not handled your personal data in line with the GDPR, you have the right to lodge a complaint with the Irish supervisory authority:

Data Protection Commission (DPC)
21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland
Website: www.dataprotection.ie

You may also complain to the supervisory authority in your EU Member State of residence or work.

10. Changes to this policy

We may update this Privacy Policy from time to time. The “Last updated” date at the top of this page reflects the most recent version. Material changes affecting how we use waitlist data will be notified by email before they take effect.

This policy is provided for transparency and does not constitute legal advice. If you have specific legal questions, you should consult a qualified solicitor.