Skip to main content

Privacy Policy

Last updated: July 13, 2026

Introduction

Bondi Technology Inc. ("Bondi," "we," "our," or "us") is committed to protecting your privacy and ensuring transparency in our data practices. This Privacy Policy explains how we collect, use, store, and share your personal data when you interact with our websites, applications, and services (collectively, the "Services").

By accessing or using our Services, you acknowledge that you have read, understood, and agree to be bound by this Policy. If you do not agree with any part of this Policy, please discontinue use of our Services immediately.

Scope & Applicability

Intended Audience

  • U.S. Persons Not Permitted: Our Services are not available to U.S. Persons.
  • Panama Not Permitted: Our Services are not available to persons located in or resident in the Republic of Panama. For the avoidance of doubt, this restriction applies to users of the Platform and does not affect Bondi Technology Inc. in its capacity as platform operator, which is incorporated and operates in Panama.
  • Restricted Jurisdictions: In addition, our Services are not available to persons located in or resident in certain other jurisdictions as set forth in our Terms of Service.

Products Covered

This Policy applies to personal data collected in connection with Bondi’s Services, including:

  • Bondi Institutional — the institutional product experience (also referred to as Invest in the app), which uses a Bondi Institutional account (email and/or Google sign-in), wallet linking, and Ensuro KYC/AML verification for gated issuer-related actions.
  • Bondi Retail — the wallet-first secondary-market experience (also referred to as Trade in the app). Bondi Retail may be used with a connected wallet and does not require a Bondi Institutional account for wallet-only trading features. Certain economic rights (for example, claiming recorded proceeds that require KYC) may require Bondi Institutional registration and Ensuro verification.
  • Documentation and marketing sites operated by Bondi, including this documentation site and Bondi’s public marketing websites.

Primary Domains

This Policy applies to personal data collected through our Services on domains and subdomains operated by Bondi, including our primary domains:

…and any current or future subdomains or related websites operated by Bondi.

Account vs Wallet-Only Features

  • Bondi Institutional account required: Creating and maintaining an Institutional login, linking wallets to that account in Bondi’s systems, accessing Institutional product surfaces that are session-gated, and completing Ensuro KYC/AML through the Institutional flow for gated primary-market / coupon / redemption and related functions.
  • Wallet-only (no Institutional account required): Connecting a self-custodial wallet and using Bondi Retail secondary-market features that do not require Bondi’s Institutional session. Holding Bond Tokens in an unverified wallet does not itself entitle the holder to gated platform benefits until the wallet is whitelisted following Ensuro verification, as described in our Terms of Service and AML/CFT Policy.

Roles and Responsibilities

  • Bondi Technology Inc. is the data controller for personal data processed in connection with Bondi Institutional accounts, app usage and technical logs, Bondi-side wallet-link records, support communications, and operation of Bondi’s websites and applications.
  • Ensuro Re Ltd. (Bermuda), acting as issuer of Bond Tokens through a segregated account, is an independent controller for KYC/AML and issuer-compliance data collected through Ensuro’s verification programme. Ensuro engages its identity-verification vendor (historically iDenfy, or a substantially similar service) for that programme. Bondi presents Ensuro’s verification flow in the Bondi frontend and enforces Ensuro’s whitelisting decisions via Bondi’s KYC smart contracts. Bondi does not independently contract that KYC identity vendor as Bondi’s own KYC processor in the same sense, and Bondi does not independently verify identity outside Ensuro’s flow.
  • Bondi engages infrastructure and service providers (processors or service providers) to operate auth, hosting, email delivery, wallet connectivity, and analytics, as described under “How We Share Your Data.”

Personal Data We Collect

We collect only the personal data necessary to operate the Services securely, comply with legal obligations, and deliver the product experiences described above. Categories include:

Bondi Institutional Account Data (Bondi-controlled)

When you create or use a Bondi Institutional account, Bondi processes:

  • Account identifiers: account id, email address, and authentication provider (email or google). Bondi does not collect a separate profile name or avatar for this login flow.
  • Auth delivery metadata: metadata related to sending login one-time codes or magic-link style emails (for example, delivery timestamps and related email service logs).
  • Linked wallet records: public blockchain wallet addresses linked to your Institutional account in Bondi’s database, and wallet-link / event metadata (link history).
  • Wallet connection artifacts: data needed to connect wallets and, where applicable, complete Sign-In with Ethereum (SIWE) or equivalent authentication steps used for Institutional wallet linking and KYC gating (for example, wallet address, signature challenges, and related session artifacts).

Bondi’s Institutional data model includes records such as institutional accounts, linked wallets, and wallet-link events stored in Bondi’s database.

Identification & Verification Data (Ensuro-controlled flow)

Collected in Ensuro’s KYC/AML verification flow (presented in Bondi’s frontend), typically including:

  • Full legal name
  • Date of birth
  • Government-issued photo identification (for example, passport or driver’s license)
  • Proof of address (for example, a utility bill), where required
  • Liveness verification (selfie or video-based checks conducted in Ensuro’s verification flow)
  • Sanctions / PEP screening data and results

Contact & Wallet Information

  • Email address: used for Institutional account authentication, service communications, support, and (if you opt in) marketing.
  • Public blockchain wallet address: associated with wallet connection, Institutional linking, secondary-market activity, and Bond Token interactions.

Technical & Usage Data

Collected when you interact with our Services:

  • IP address
  • Device and browser information
  • Operating system and browser type
  • Usage logs, including timestamps and access details
  • Cookies, local storage, session storage, IndexedDB caches, and similar technologies (see “Cookies & Tracking”), which may include unique identifiers used to recognize your browser/device, maintain sessions (including wallet sessions), and understand usage of our Services

KYC/AML Documentation (Ensuro-controlled flow)

  • Supporting documents and verification outputs collected via Ensuro’s third-party verification provider (iDenfy, or a substantially similar service) to verify identity, assess eligibility, and fulfill anti-money-laundering obligations applicable to the issuer.

On-Chain / Public Blockchain Data

  • On-chain KYC registration, whitelist status, and related smart-contract state are recorded on public blockchains. That information is publicly observable and is not under Bondi’s exclusive control. Bondi cannot delete public blockchain records via Institutional account deletion.

Optional Marketing Data

  • Opt-in contact details, such as additional email addresses provided for receiving newsletters or promotional materials.

We process your personal data only for specific, limited purposes and on legally sound bases. Our primary purposes include:

Platform Operation and Contractual Necessity

  • Creating and maintaining Bondi Institutional accounts (including authentication).

  • Linking wallets to Institutional accounts and maintaining Bondi-side wallet-link records.

  • Enabling wallet connectivity for Institutional and Retail experiences.

  • Gating Institutional actions based on Ensuro KYC/AML status and Bondi’s onchain whitelist enforcement.

  • Facilitating issuance/redemption of Bond Tokens and distribution of coupon or principal payments where applicable.

  • Providing support and operating the Services.

  • Legal Basis: Processing is necessary for the performance of the contract you enter into when using our Services, and/or for steps taken at your request prior to entering into such a contract.

  • KYC/AML and fraud prevention: Identification and verification data are processed in Ensuro’s capacity as independent controller to satisfy issuer KYC/AML and related legal obligations. Bondi processes related status signals and enforces access controls (wallet whitelisting) based on Ensuro’s determinations.
  • Legal Basis: Legal obligation (including record-keeping requirements) and legitimate interests in maintaining a secure, compliant platform.

Safety, Security, and Internal Operations

  • Security monitoring, abuse prevention, investigation of suspicious activity, troubleshooting, and maintaining system integrity.
  • Legal Basis: Legitimate interests, supplemented by contractual necessity where applicable.

Marketing and Communications

  • Optional communications: If you opt in, we may send you newsletters, updates, or promotional information.
  • Legal Basis: Your explicit consent (which you may withdraw at any time).

International Best Practices

For our non-Panamanian users, in addition to complying with Panama's Law No. 81, we adhere to internationally recognized privacy principles (such as those embodied in the GDPR) to the extent applicable. This commitment reinforces our transparency, fairness, and security standards globally.

Exclusion for Minors

Our Services are strictly intended for individuals aged 18 years or older.

Legal Basis: We do not knowingly collect data from minors. In the event that personal data of a minor is inadvertently received, we will promptly delete such data and take measures to prevent further collection.

Data Storage, Transfers & Retention

Data Locations & Cross-Border Transfers

  • Personal data may be processed in, and transferred to, jurisdictions where we and our service providers operate, including Panama (Bondi), jurisdictions where our infrastructure providers operate (for example, hosting, auth, email, and wallet-connectivity providers), Bermuda (Ensuro Re Ltd., issuer / independent controller for KYC/AML), and jurisdictions where Ensuro’s verification vendor processes data.
  • Where required, we implement appropriate safeguards for international transfers, such as the European Commission’s Standard Contractual Clauses (SCCs) or equivalent contractual protections, plus technical and organizational measures (encryption in transit/at rest, access controls, and data minimization).
  • We will transfer personal data only to the extent necessary for the purposes set out in this Policy and in compliance with applicable law.

Retention Periods

  • Bondi Institutional account data (Bondi-controlled): Retained while your Institutional account remains active. Upon account deletion (see below), Bondi deletes or irreversibly anonymizes this data where feasible, subject to short-term backup, security, and legal holds.
  • KYC/AML documentation and identification/verification data (Ensuro-controlled): Retained by Ensuro (and its vendors, as applicable) for up to 5 years following user inactivity or account closure, to comply with legal and regulatory obligations. For Bondi Institutional users, “account closure” includes the date you delete your Bondi Institutional account and/or the date Ensuro treats the verification relationship as closed under Ensuro’s own retention schedule. Bondi does not control Ensuro’s retention clock.
  • Technical and usage data: Retained for a period of up to 12 months solely for security monitoring, troubleshooting, and system performance purposes, unless a longer period is required for investigations or legal compliance.
  • Marketing data: Retained until you opt out or request deletion, subject to any legal or regulatory retention requirements.

Bondi Institutional Account Deletion

You may delete your Bondi Institutional account in-app (Account menu → Delete account) or by requesting deletion at [email protected].

When a Bondi Institutional account is deleted, Bondi deletes or irreversibly anonymizes, where feasible:

  • The Supabase Auth user and login access to Bondi Institutional
  • Institutional account records, linked wallets, and wallet-link / event history in Bondi’s database
  • App-side session data and caches tied to that Institutional account, where practicable

Bondi does not delete, and cannot fully erase:

  • Ensuro KYC/AML records, identity documents, screening outputs, and related compliance artifacts retained by Ensuro (and its vendors) under legal/regulatory obligations (including retention for up to 5 years after inactivity or account closure, as described above)
  • On-chain KYC registration, whitelist state, or other public blockchain records

Important: Deleting your Bondi Institutional account deletes Bondi’s login and Bondi-side account/wallet-link data. It does not delete your Ensuro identity verification record or onchain KYC/whitelist state. If you later return with the same wallet, prior KYC/whitelist status may still apply depending on Ensuro’s records and onchain state.

Deletion or Anonymization (General)

When your personal data is no longer required for the purposes for which it was collected, or once the applicable legal retention period expires, Bondi will securely delete or irreversibly anonymize Bondi-controlled data. Notwithstanding this, data required for compliance with applicable laws (for example, AML requirements applicable to Ensuro as issuer) will be retained by the relevant controller until no longer legally mandated.

How We Share Your Data

We share your personal data only as necessary for the operation of our Services and in compliance with applicable law.

Infrastructure and Service Providers (Bondi processors / service providers)

Bondi uses service providers that process limited personal data on Bondi’s behalf to operate the Services, including:

  • Supabase — authentication and Institutional account database hosting
  • Resend — delivery of Institutional login / one-time-code emails
  • thirdweb — wallet connectivity and in-app wallet services
  • Vercel — application hosting and serverless API / BFF infrastructure
  • Google Analytics — usage analytics on certain Bondi sites (see “Cookies & Tracking”)

These providers process personal data solely as needed to provide their services to Bondi, under applicable confidentiality and security obligations.

Issuer and Regulated Counterparties

  • Ensuro Re Ltd. (Independent Controller): Ensuro processes identification and verification data, sanctions/PEP screening results, and related compliance artifacts as an independent controller under applicable law. Bondi may receive verification status / results from Ensuro (or Ensuro’s systems) solely as needed to enforce wallet whitelisting and access controls. Ensuro engages its own KYC verification vendor; that vendor is not engaged by Bondi as Bondi’s KYC processor.
  • Law enforcement and regulators: In response to valid legal requests, subpoenas, or court orders, we may disclose your data to government agencies, regulators, or other authorities as required by law.
  • Compliance purposes: We may share data when necessary to prevent or investigate suspected fraud, unlawful activity, or breaches of our Terms or this Privacy Policy.

Corporate Transactions

  • Business transfers: In the event of a merger, acquisition, corporate restructuring, or sale of all or part of our assets, your personal data may be transferred to a successor entity. Such transfers will only occur if the successor agrees to abide by privacy practices substantially similar to those described in this Policy.

Aggregated or De-Identified Data

  • Statistical and analytical purposes: We may share aggregated or de-identified data with third parties for research, analysis, and internal improvements. Such data does not identify you and is used solely for enhancing the performance and security of our Services.

Cookies & Tracking

We use cookies and similar technologies (such as pixels, local storage, session storage, IndexedDB, and device identifiers) to operate our Services, protect them, understand how they are used, and improve them.

What Are Cookies?

Cookies are small text files stored on your device by your browser. Similar technologies (such as local storage, session storage, and pixels) can perform comparable functions. Cookies may be:

  • Session cookies (deleted when you close your browser), or
  • Persistent cookies (remain until they expire or you delete them).

Types of Cookies and Similar Storage We Use

  1. Strictly necessary / essential: Required for core functionality and security (for example, load balancing, fraud prevention, maintaining secure sessions, Institutional auth session state, and wallet connection session state). These cannot be switched off in some systems without impacting the Services.
  2. Analytics and performance (non-essential in many jurisdictions): Help us understand how users interact with our Services so we can improve performance and usability.
  3. App storage beyond cookies: The Bondi app may use browser local storage, session storage, and IndexedDB (or similar) to store preferences, consent flags, product selection, KYC status caches, and wallet/session-related data needed for the Services to function.

Essential Cookies and Session Storage

We use cookies and related storage that are strictly necessary for the operation and security of our Services. These mechanisms ensure proper functioning, facilitate secure authentication (including Bondi Institutional sessions), and support wallet connectivity.

Google Analytics

We use Google Analytics on certain Bondi sites (including this documentation site) to analyze usage (for example, page views, session duration, traffic sources, and user interactions). Google Analytics may collect information such as:

  • device and browser details,
  • approximate location (derived from IP address),
  • identifiers stored in cookies, and
  • usage events (e.g., pages viewed, clicks).

Google may process this information as a separate controller under its own terms and privacy policy. For more information, see Google’s materials:

Where required by applicable law, we will request your consent before placing analytics and performance cookies (including Google Analytics) on your device. You may withdraw your consent at any time by adjusting your cookie preferences (where available) or by using the opt-out options above and/or your browser settings.

Managing Cookies and Local Storage

You can manage cookies and related storage through:

  • Browser settings: You can delete cookies and block future cookies through your browser settings. You may also clear local storage, session storage, and site data. If you disable cookies or clear storage, some features of the Services may not function properly (including login and wallet sessions).
  • Opt-out tools: For Google Analytics, use the opt-out link above.

Automated Decision-Making & Profiling

We may use automated tools to assist with sanctions/PEP screening, fraud detection, and risk scoring in support of KYC/AML obligations (including tools used within Ensuro’s verification programme). These tools do not involve solely automated decision-making that produces legal effects concerning you or similarly significantly affects you without human review. If in the future a decision were to be made solely by automated means with such effects, we will provide you with specific notice and a mechanism to request human intervention, express your point of view, and contest the decision, as required by applicable law.

User Rights & Choices

We respect your rights regarding your personal data. Depending on your jurisdiction and the applicable law, you may have the following rights:

A. Right to Access
You have the right to request confirmation of whether we process your personal data and, if so, to obtain a copy of that data. This may include information on the categories of data collected and the purposes of processing.

B. Right to Rectification
If you believe that any personal data we hold is inaccurate or incomplete, you may request that we update or correct such data. Please provide sufficient detail to allow us to identify and amend the data in question.

C. Right to Deletion
Subject to legal obligations (including AML retention), you have the right to request deletion of personal data Bondi controls. For Bondi Institutional app data, you may use the in-app Delete account control, which deletes Bondi’s Institutional auth user and cascaded Bondi Institutional database records as described above. Deletion of Bondi Institutional data does not erase Ensuro-held KYC/AML records or onchain KYC/whitelist state. For residual Bondi-controlled data, or requests that may involve Ensuro-held data, contact [email protected]. Requests involving Ensuro-held KYC/AML data may require referral to Ensuro or coordinated handling.

D. Right to Withdraw Consent
If you have provided your consent for the processing of your personal data (for example, for marketing communications), you have the right to withdraw that consent at any time. Withdrawal will not affect the lawfulness of processing carried out prior to your withdrawal.

E. How to Exercise Your Rights

  • Bondi Institutional account deletion: use Delete account in the Account menu, or email [email protected].
  • Access, rectification, and other requests: email [email protected] with a clear description of your request.
    We may ask you to provide additional information to verify your identity before processing your request. We aim to respond to all valid requests within 30 days. Where a request relates to data for which Ensuro is the independent controller, we may need to involve Ensuro and will inform you if that is the case.

Security Measures

Technical Safeguards

  • Encryption: We use SSL/TLS encryption to protect data transmitted between your device and our servers.
  • Access Controls: Strict authentication protocols are in place to limit access to personal data to authorized personnel only.

Organizational Measures

  • Employee Training: Regular training is provided to our staff on data protection principles and secure data handling.
  • Vendor Agreements: Third-party processors and service providers are required to adhere to stringent security standards and confidentiality obligations appropriate to their role.

Incident Response & Breach Notification

Monitoring and Detection

We continuously monitor our systems for unusual activity or potential breaches through a combination of automated tools and manual oversight.

Response and Containment

In the event of a confirmed data breach, we will immediately initiate our incident response protocol to contain the breach, assess its impact, and mitigate further risks.

Notification Procedures

If a breach poses a significant risk to your rights or freedoms, we will notify you and the relevant supervisory authorities (for instance, Panama's National Authority for Transparency and Access to Information, ANTAI) promptly in accordance with applicable law. Where a breach primarily affects Ensuro-controlled KYC/AML data, notification responsibilities may also rest with Ensuro as independent controller.

Complaints & Dispute Resolution

Internal Review Process

If you have any questions or concerns about our data practices or this Policy, please contact us at [email protected]. We are committed to addressing your concerns and will respond within 30 days.

Regulatory Complaints

If you believe that your rights under Panama's Law No. 81 have been violated, you may file a complaint with the National Authority for Transparency and Access to Information (ANTAI) via https://www.antai.gob.pa/. Non-Panamanian users may also seek remedies through their local supervisory authorities where applicable.

Changes to This Policy

We reserve the right to modify this Privacy Policy at any time to reflect changes in our practices or legal requirements.

  • Notification: Material changes will be communicated to you via email (if possible) or by posting a notice on our Services at least 7 days prior to the effective date of the changes.
  • Continued Use: Your continued use of our Services following any updates constitutes acceptance of the revised Policy.

Contact Information

For any questions, requests, or concerns regarding this Privacy Policy or our data practices, please contact us at:

Email: [email protected]

Registered Address:
Bondi Technology Inc.
Province of Panama, District of Panama, Betania,
Vía Ricardo J. Alfaro, PH The Century Tower, Office 317

Final Remarks

Bondi Technology Inc. is committed to processing your personal data in a lawful, fair, and transparent manner. By adhering to Panama's Law No. 81 and internationally recognized privacy principles, we strive to protect Bondi-controlled data while providing a secure and reliable service. We encourage you to review this Privacy Policy regularly and to contact us with any questions or concerns.