Skip to main content

Privacy Policy

Introduction

Bondi Technology Inc. ("Bondi," "we," "our," or "us") is committed to protecting your privacy and ensuring transparency in our data practices. This Privacy Policy explains how we collect, use, store, and share your personal data when you interact with our websites, applications, and services (collectively, the "Services").

By accessing or using our Services, you acknowledge that you have read, understood, and agree to be bound by this Policy. If you do not agree with any part of this Policy, please discontinue use of our Services immediately.

Scope & Applicability

Intended Audience

  • U.S. Persons Not Permitted: Our Services are not available to U.S. Persons.
  • Panama Not Permitted: Our Services are not available to persons located in or resident in the Republic of Panama. For the avoidance of doubt, this restriction applies to users of the Platform and does not affect Bondi Technology Inc. in its capacity as platform operator, which is incorporated and operates in Panama.
  • Restricted Jurisdictions: In addition, our Services are not available to persons located in or resident in certain other jurisdictions as set forth in our Terms of Service.

Applicability

This Policy applies to all personal data collected through our Services, including our primary domains:

...and any current or future subdomains or related websites operated by Bondi.

Roles and Responsibilities

Bondi Technology Inc. acts as a data controller for personal data processed in connection with access to and use of the Platform. We engage certain processors to perform services on our behalf (e.g., identity verification). When personal data is shared with Ensuro Re Ltd. (Bermuda), acting as issuer of Bond Tokens, Ensuro will process such data as an independent controller to satisfy its own legal and regulatory obligations. Ensuro Re Ltd. engages iDenfy (or a substantially similar service) as its KYC verification provider and acts as the operational KYC/AML principal. Bondi presents Ensuro's verification flow on its frontend and enforces Ensuro's whitelisting decisions via its KYC smart contracts; it does not independently contract KYC/AML verification vendors.

Personal Data We Collect

We collect only the personal data necessary to ensure the secure operation of our platform, comply with our legal obligations, and deliver our Services effectively. The categories include:

Identification & Verification Data

  • Full Legal Name
  • Date of Birth
  • Government-Issued Photo Identification: (e.g., passport, driver's license)
  • Proof of Address: (e.g., utility bill)
  • Liveness Verification: (via selfie or video-based checks conducted by our KYC provider)
  • Sanctions/PEP Screening Data: Results from checks against sanctions, watchlists, and politically exposed person (PEP) lists.

Contact & Wallet Information

  • Email Address: Used for account communications, support, newsletters, and service notifications.
  • Public Blockchain Wallet Address: Associated with your Bond Token activities.

Technical & Usage Data

Collected when you interact with our Services:

  • IP Address
  • Device & Browser Information
  • Operating System and Browser Type
  • Usage Logs: Including timestamps and access details
  • Cookies and similar technologies (see “Cookies & Tracking” below), which may include unique identifiers used to recognize your browser/device and understand usage of our Services

KYC/AML Documentation

  • Supporting Documents: Collected via our third-party KYC provider (iDenfy, or a substantially similar service) to verify identity, assess eligibility, and fulfill anti-money-laundering obligations.

Optional Marketing Data

  • Opt-In Contact Details: Such as additional email addresses provided for receiving newsletters or promotional materials.

Purposes & Legal Bases

We process your personal data only for specific, limited purposes and on legally sound bases. Our primary purposes include:

Platform Operation and Contractual Necessity

  • Provision of Services: Processing data to enable wallet connectivity, issuance/redemption of Bond Tokens, and the distribution of coupon payments.
  • Legal Basis: Processing is necessary for the performance of the contract you enter into when using our Services.
  • KYC/AML and Fraud Prevention: Data is processed to verify your identity, comply with anti-money-laundering laws, prevent fraud, and satisfy issuer obligations applicable to Ensuro Re Ltd. acting through a segregated account under Bermuda law.
  • Legal Basis: Legal obligation (including record-keeping requirements) and legitimate interests in maintaining a secure platform.

Safety, Security, and Internal Operations

  • Security Monitoring: To protect our Services, investigate suspicious activity, and maintain system integrity.
  • Legal Basis: Legitimate interests, supplemented by contractual necessity where applicable.

Marketing and Communications

  • Optional Communications: If you opt in, we may send you newsletters, updates, or promotional information.
  • Legal Basis: Your explicit consent (which you may withdraw at any time).

International Best Practices

For our non-Panamanian users, in addition to complying with Panama's Law No. 81, we adhere to internationally recognized privacy principles (such as those embodied in the GDPR) to the extent applicable. This commitment reinforces our transparency, fairness, and security standards globally.

Exclusion for Minors

Our Services are strictly intended for individuals aged 18 years or older.

Legal Basis: We do not knowingly collect data from minors. In the event that personal data of a minor is inadvertently received, we will promptly delete such data and take measures to prevent further collection.

Data Storage, Transfers & Retention

Data Locations & Cross-Border Transfers

  • Personal data may be processed in, and transferred to, jurisdictions where we and our service providers operate, including Panama (Bondi), European Economic Area or other locations of our KYC provider (iDenfy), Bermuda (Ensuro Re Ltd., issuer), and other jurisdictions where our infrastructure providers are located.
  • Where required, we implement appropriate safeguards for international transfers, such as the European Commission’s Standard Contractual Clauses (SCCs) or equivalent contractual protections, plus technical and organizational measures (encryption in transit/at rest, access controls, and data minimization).
  • We will transfer personal data only to the extent necessary for the purposes set out in this Policy and in compliance with applicable law.

Retention Periods

  • KYC/AML Documentation: Retained for up to 5 years following user inactivity or account closure to comply with legal obligations.
  • Identification and Verification Data: Maintained as long as necessary to support account management and fraud prevention, and thereafter in anonymized form where feasible.
  • Technical and Usage Data: Retained for a period of up to 12 months solely for security monitoring, troubleshooting, and system performance purposes.
  • Marketing Data: Retained until you opt out or request deletion, subject to any legal or regulatory retention requirements.

Deletion or Anonymization

When your personal data is no longer required for the purposes for which it was collected, or once the legal retention period expires, we will securely delete or irreversibly anonymize your data. Notwithstanding this, data required for compliance with applicable laws (e.g., AML requirements) will be retained until no longer legally mandated.

How We Share Your Data

We share your personal data only as necessary for the operation of our Services and in compliance with applicable law. Our sharing practices are organized into the following categories:

Third-Party Service Providers

  • KYC/AML Providers (Processor): We engage reputable third-party providers (iDenfy, or a substantially similar service) to conduct identity verification and fraud prevention. These providers process your personal data solely to perform these services on our behalf, under strict confidentiality and security obligations.
  • Infrastructure and Hosting: Our platform is supported by service providers that offer hosting, maintenance, and security services. These providers may process limited personal data necessary for system operations.

Issuer and Regulated Counterparties

  • Ensuro Re Ltd. (Independent Controller): We may share identification and verification data, sanctions/PEP screening results, and related compliance artifacts with Ensuro Re Ltd. (Bermuda), acting through a segregated account as issuer of Bond Tokens, so they can fulfill their legal and regulatory obligations. Ensuro processes such data as an independent controller under applicable law.
  • Law Enforcement and Regulators: In response to valid legal requests, subpoenas, or court orders, we may disclose your data to government agencies, regulators, or other authorities as required by law.
  • Compliance Purposes: We may share data when necessary to prevent or investigate suspected fraud, unlawful activity, or breaches of our Terms or this Privacy Policy.

Corporate Transactions

  • Business Transfers: In the event of a merger, acquisition, corporate restructuring, or sale of all or part of our assets, your personal data may be transferred to a successor entity. Such transfers will only occur if the successor agrees to abide by privacy practices substantially similar to those described in this Policy.

Aggregated or De-Identified Data

  • Statistical and Analytical Purposes: We may share aggregated or de-identified data with third parties for research, analysis, and internal improvements. Such data does not identify you and is used solely for enhancing the performance and security of our Services.

Cookies & Tracking

We use cookies and similar technologies (such as pixels, local storage, and device identifiers) to operate our Services, protect them, understand how they are used, and improve them.

What Are Cookies?

Cookies are small text files stored on your device by your browser. Similar technologies (such as local storage and pixels) can perform comparable functions. Cookies may be:

  • Session cookies (deleted when you close your browser), or
  • Persistent cookies (remain until they expire or you delete them).

Types of Cookies We Use

We use the following categories of cookies and tracking technologies:

  1. Strictly necessary cookies (essential): Required for core functionality and security (for example, load balancing, fraud prevention, and maintaining secure sessions). These cannot be switched off in some systems without impacting the Services.
  2. Analytics and performance cookies (non-essential in many jurisdictions): Help us understand how users interact with our Services so we can improve performance and usability.

Google Analytics

We use Google Analytics to analyze usage of our Services (for example, page views, session duration, traffic sources, and user interactions). Google Analytics may collect information such as:

  • device and browser details,
  • approximate location (derived from IP address),
  • identifiers stored in cookies, and
  • usage events (e.g., pages viewed, clicks).

Google may process this information as a separate controller under its own terms and privacy policy. For more information, see Google’s materials:

Hotjar

We use Hotjar to better understand user experience on our Services (for example, how users navigate pages, where users click, and where users encounter friction). Hotjar may collect information such as:

  • device and browser details,
  • IP address (which Hotjar may process in accordance with its settings and policies),
  • usage events (e.g., pages viewed, clicks, scrolling), and
  • feedback submitted through Hotjar widgets (if enabled).

Hotjar provides an opt-out mechanism:

Where required by applicable law, we will request your consent before placing analytics and performance cookies (including Google Analytics and Hotjar) on your device. You may withdraw your consent at any time by adjusting your cookie preferences (where available) or by using the opt-out options above and/or your browser settings.

Managing Cookies

You can manage cookies through:

  • Browser settings: You can delete cookies and block future cookies through your browser settings. If you disable cookies, some features of the Services may not function properly.
  • Opt-out tools: For Google Analytics and Hotjar, use the opt-out links above.

Automated Decision-Making & Profiling

We may use automated tools to assist with sanctions/PEP screening, fraud detection, and risk scoring in support of KYC/AML obligations. These tools do not involve solely automated decision-making that produces legal effects concerning you or similarly significantly affects you without human review. If in the future a decision were to be made solely by automated means with such effects, we will provide you with specific notice and a mechanism to request human intervention, express your point of view, and contest the decision, as required by applicable law.

Essential Cookies

We use cookies that are strictly necessary for the operation and security of our Services. These cookies ensure proper functioning, enhance user experience, and facilitate secure authentication.

User Rights & Choices

We respect your rights regarding your personal data. Depending on your jurisdiction and the applicable law, you may have the following rights:

A. Right to Access You have the right to request confirmation of whether we process your personal data and, if so, to obtain a copy of that data. This may include information on the categories of data collected and the purposes of processing.

B. Right to Rectification If you believe that any personal data we hold is inaccurate or incomplete, you may request that we update or correct such data. Please provide sufficient detail to allow us to identify and amend the data in question.

C. Right to Deletion Subject to any legal obligations (such as retaining AML data for 5 years), you have the right to request deletion of your personal data. We will assess your request and, where applicable, delete the data or provide an explanation if deletion is not possible.

D. Right to Withdraw Consent If you have provided your consent for the processing of your personal data (for example, for marketing communications), you have the right to withdraw that consent at any time. Withdrawal will not affect the lawfulness of processing carried out prior to your withdrawal.

E. How to Exercise Your Rights To exercise any of these rights, please contact us at [email protected] with a clear description of your request. We may ask you to provide additional information to verify your identity before processing your request. We aim to respond to all valid requests within 30 days.

Security Measures

Technical Safeguards

  • Encryption: We use SSL/TLS encryption to protect data transmitted between your device and our servers.
  • Access Controls: Strict authentication protocols are in place to limit access to personal data to authorized personnel only.

Organizational Measures

  • Employee Training: Regular training is provided to our staff on data protection principles and secure data handling.
  • Vendor Agreements: All third-party processors and service providers are required to adhere to stringent security standards and confidentiality obligations.

Incident Response & Breach Notification

Monitoring and Detection

We continuously monitor our systems for unusual activity or potential breaches through a combination of automated tools and manual oversight.

Response and Containment

In the event of a confirmed data breach, we will immediately initiate our incident response protocol to contain the breach, assess its impact, and mitigate further risks.

Notification Procedures

If a breach poses a significant risk to your rights or freedoms, we will notify you and the relevant supervisory authorities (for instance, Panama's National Authority for Transparency and Access to Information, ANTAI) promptly in accordance with applicable law.

Complaints & Dispute Resolution

Internal Review Process

If you have any questions or concerns about our data practices or this Policy, please contact us at [email protected]. We are committed to addressing your concerns and will respond within 30 days.

Regulatory Complaints

If you believe that your rights under Panama's Law No. 81 have been violated, you may file a complaint with the National Authority for Transparency and Access to Information (ANTAI) via https://www.antai.gob.pa/. Non-Panamanian users may also seek remedies through their local supervisory authorities where applicable.

Changes to This Policy

We reserve the right to modify this Privacy Policy at any time to reflect changes in our practices or legal requirements.

  • Notification: Material changes will be communicated to you via email (if possible) or by posting a notice on our Services at least 7 days prior to the effective date of the changes.
  • Continued Use: Your continued use of our Services following any updates constitutes acceptance of the revised Policy.

Contact Information

For any questions, requests, or concerns regarding this Privacy Policy or our data practices, please contact us at:

Email: [email protected]

Registered Address:
Bondi Technology Inc.
Province of Panama, District of Panama, Betania,
Vía Ricardo J. Alfaro, PH The Century Tower, Office 317

Final Remarks

Bondi Technology Inc. is committed to processing your personal data in a lawful, fair, and transparent manner. By adhering to Panama's Law No. 81 and internationally recognized privacy principles, we strive to protect your data while providing a secure and reliable service. We encourage you to review this Privacy Policy regularly and to contact us with any questions or concerns.