PRIVACY POLICY
Effective Date: September 18, 2025
1. Introduction & Scope
1.1. BonsAI BI (“we”, “us”, “our”) is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, disclose, and protect your personal and business‐related data when you use the Site (bonsai.bi) or any of our services, tools, integrations, or agents (collectively “Services”), or interact with us as a visitor, user, customer, partner, or supplier.
1.2. If you are located in or a resident of a jurisdiction with specific data protection laws (e.g. GDPR, UK GDPR, CCPA, LGPD, etc.), this Policy is meant to comply with those as applicable.
2. Definitions
- “Personal Data” means any information relating to an identified or identifiable natural person.
- “Business Data” includes data about organizations, companies, business metrics, operations, sustainability metrics, etc. When “Business Data” relates to or identifies individuals, it is treated as Personal Data.
- “Processing” means any operation performed on Personal Data, such as collection, storage, use, disclosure, deletion, etc.
3. Data We Collect
3.1. From you (directly):
a. Account registration information (name, email, business name, business type, billing/contact details)
b. Profile and business information you provide (e.g. sustainability metrics, procurement data, financial data)
c. Communications (support tickets, email, feedback)
3.2. Automatically from your use of the Services:
a. Usage analytics, logs, performance data, device and browser information, IP address, geolocation data (if permitted)
b. Diagnostic/error data
c. Cookies, tracking technologies
3.3. From third parties / integrations:
a. Partners or service providers via integrations or APIs (e.g. data you permit us to connect with)
b. Publicly available sources (where lawful)
4. Legal Bases for Processing Personal Data
We rely on one or more of the following legal grounds:
a. Consent – where you have explicitly consented, especially for non‐essential processing (e.g. marketing, profiling)
b. Contractual necessity – to provide the Services you have requested, perform our contract with you
c. Legitimate interests – for purposes such as improving our Services, ensuring security, compliance, data analytics, business development
d. Legal obligations – to comply with applicable laws, regulations, court orders
5. Use of Data / Purposes
We use data for purposes that may include, but are not limited to:
- Providing and maintaining the Services, including AI agents, BI, sustainability insights, etc.
- Personalizing and improving performance, features, content, and user experience
- Security, fraud prevention, detection of abuse or misuse
- Compliance, auditing, and legal obligations
- Marketing, promotions, and communications (but only where you have consented or where allowed by law)
- Generating aggregated or anonymized reports/data for internal or external use
6. Sharing, Transfers & Disclosure
6.1. With Service Providers & Contractors: We may share data with third‐party vendors who process data on our behalf (e.g. cloud hosting, analytics, security, AI infrastructure). They are bound by contract to protect the data.
6.2. With Partners / Integrations you authorize.
6.3. Legal Requirements: Where required by law, regulation, court order, or to protect rights, safety, property.
6.4. Cross‐Border Transfers: If data is transferred across national borders (e.g. from [your country] to other countries), we will ensure appropriate safeguards (e.g. Standard Contractual Clauses, adequacy decisions) are in place.
7. Data Security
We implement technical and organizational measures to safeguard your data, including:
- Encryption in transit and at rest
- Access controls and authentication
- Role‐based access
- Audit logs and monitoring
- Security reviews / penetration tests
In the event of a data breach, we will notify affected individuals and relevant authorities in accordance with applicable law, within required timeframes.
8. Retention of Data
We retain data only as long as reasonably necessary for the purposes for which it was collected, to satisfy legal, accounting, or reporting obligations, or resolve disputes. When data is no longer needed, it is securely deleted or anonymized. Different types/categories of data may have different retention periods—e.g.:
- Account / transactional data: 6 years after account closure
- Logs / analytics: 12 months / years
- Marketing / lead data: 2 years unless opt‐out
9. Cookies, Tracking & Similar Technologies
- We use cookies and similar technologies for essential site functioning, analytics, improvement of services, and marketing (where consented).
- Types of cookies/tracking used, what third‐party trackers are involved, duration, etc.
- Your choices: how to accept, reject, or delete cookies; change preferences; opt out of analytics or marketing tracking.
10. Your Rights
Depending on your jurisdiction, you may have the following rights:
a. Right to be informed about what Personal Data we collect and how we use it
b. Right to access your Personal Data
c. Right to correct / update inaccurate or incomplete data
d. Right to erase / delete your Personal Data (“right to be forgotten”)
e. Right to restrict or object to certain processing, including profiling or direct marketing
f. Right to data portability (to receive your data in a structured, machine‐readable format)
g. Right to withdraw consent where we rely on consent for processing
To exercise these rights, please contact us at [contact email / address]. We aim to respond within [x] days (or as required by applicable law).
You also have the right to lodge a complaint with a supervisory authority if you believe your rights are being violated—[Name & contact of authority in your jurisdiction].
11. Minors
Our Services are not directed to children under [age – e.g. 16 or as applicable]. We do not knowingly collect Personal Data of minors. If we become aware that we have collected such data without parental consent, we will delete it.
12. Changes to Privacy Policy
We may modify this Policy from time to time. Whenever we make material changes, we will provide notice (e.g. by email or prominent banner), and update the “Effective Date.” Your continued use of the Services after changes become effective constitutes acceptance of them.
13. Contact Information
If you have questions, requests, or complaints about this Privacy Policy or our data practices, you may contact:
Email: ian{at}v-expos.com