BonBonAI

Privacy Policy

Effective date: April 21, 2026

This Privacy Policy describes how BonBon AI (“BonBon AI,” “we,” “us,” or “our”) collects, uses, discloses, and safeguards information when you use the BonBon AI CRM web application, mobile apps, APIs, and related services (collectively, the “Service”). It applies to account holders, their invited team members, and individuals whose information is stored in the Service by our customers.

If you do not agree with this Privacy Policy, please do not use the Service.

1. Information we collect

1.1 Information you provide

  • Account information. When you sign up, we collect your name, email address, phone number (optional), organization name, trade/industry, and password (stored as a salted hash). We may also collect billing details processed by our payment processor.
  • Business records. The Service lets you store customers, proposals, projects, invoices, change orders, expenses, documents, daily logs, schedules, time entries, and communications. You are the controller of this data.
  • Support communications. If you contact us, we retain the message and any files or screenshots you share.

1.2 Information collected automatically

  • Usage and device data. IP address, browser type, operating system, device identifiers, pages viewed, features used, referring URLs, and timestamps.
  • Cookies and similar technologies. Session cookies for authentication, preference cookies for UI state, and limited analytics cookies to understand aggregate usage. You can disable cookies in your browser, though parts of the Service may not function.
  • Logs. Application and security logs, including audit trails of actions taken within your organization (who created, edited, sent, or deleted a record).

1.3 Information from connected third-party services

When you connect a third-party service (e.g., Google/Gmail for email, Google Calendar for scheduling, Intuit QuickBooks Online for accounting), we receive the OAuth tokens and the data scopes you authorize. For QuickBooks Online this typically includes customer lists, invoice data, payment status, and company metadata. We only request the minimum scopes required to operate the features you enable, and we never sell or use this data for advertising.

2. How we use information

  • Provide, operate, and maintain the Service.
  • Authenticate users and secure accounts.
  • Sync and push data to third-party services you explicitly connect (e.g., send invoices to QuickBooks, read Gmail threads, create calendar events).
  • Process payments and manage subscriptions.
  • Send transactional messages (receipts, security alerts, invitations, password resets) and service announcements.
  • Respond to support requests and troubleshoot issues.
  • Detect, prevent, and respond to fraud, abuse, security incidents, and violations of our Terms.
  • Improve the Service — analyze aggregated, de-identified usage patterns to prioritize features and fix bugs.
  • Comply with legal obligations.

We do not sell your personal information. We do not use your business records, QuickBooks data, email contents, or calendar data to train generalized AI models for other customers.

3. How we share information

We share information only in these limited situations:

  • Within your organization. Data you enter into the Service is visible to other members of your organization based on their role and the permissions configured by your admin.
  • Service providers (sub-processors). Infrastructure, hosting, database, email, payment, and analytics vendors that process data on our behalf under contractual confidentiality and security obligations. Current sub-processors include, among others: Supabase (database and auth), Vercel (hosting), and Stripe (payments).
  • Third-party integrations you connect. When you authorize an integration (e.g., Intuit QuickBooks Online, Google), we exchange data with that provider only as needed to perform the actions you request. Those services operate under their own privacy policies.
  • Legal and safety. To comply with law, enforce our Terms, or protect the rights, property, or safety of BonBon AI, our users, or others.
  • Business transfers. In connection with a merger, acquisition, financing, or sale of assets, with notice to you where required by law.

4. QuickBooks Online integration

If you connect the Service to QuickBooks Online, you authorize us to access, create, update, and read data in your QuickBooks company, including customers, invoices, payments, and related metadata. We store the OAuth tokens and the QuickBooks realm ID for your organization. Tokens are stored encrypted at rest on our infrastructure and are accessible only to the backend processes that execute sync on your behalf.

We use QuickBooks data solely to:

  • Push invoices you create in the Service to your QuickBooks company.
  • Receive payment status updates via webhooks so the Service can reflect paid invoices.
  • Display QuickBooks customer suggestions when you link a project to a QuickBooks customer.

You can disconnect QuickBooks at any time from Settings → QuickBooks, which revokes our tokens and stops all future sync. Disconnecting does not delete data already written to your QuickBooks company.

5. Data retention

We retain data for as long as your account is active or as needed to provide the Service. If you delete your account, we delete or de-identify your data within 30 days, except where we must retain it to comply with legal obligations (e.g., tax records), resolve disputes, or enforce our agreements. Backups containing deleted data are purged on our backup rotation schedule.

6. Security

We use industry-standard safeguards including TLS in transit, encryption at rest, hashed passwords, row-level security on tenant data, least-privilege access controls, audit logging, and regular dependency updates. No system is perfectly secure; you are responsible for keeping your credentials confidential and for using strong passwords. If you believe your account has been compromised, contact us immediately.

7. Your rights and choices

Depending on your jurisdiction, you may have the right to access, correct, export, restrict, or delete personal information we hold about you; to opt out of certain processing; and to lodge a complaint with a data protection authority. To exercise any of these rights, email privacy@crmbonbonai.com. We will respond within the timeframe required by applicable law.

If you are an end user whose data is stored by one of our customers (for example, a customer or employee in someone’s CRM), please contact that organization directly — they are the controller of your data.

8. Children

The Service is not directed to individuals under 16. We do not knowingly collect personal information from children. If you believe a child has provided us information, contact us and we will delete it.

9. International transfers

The Service is operated in the United States. If you access it from outside the United States, your information may be transferred to, stored in, and processed in the United States or other countries where our service providers operate. We rely on appropriate safeguards (such as Standard Contractual Clauses) where required.

10. Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes we will notify you by email or in-app notice before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the revised policy.

11. Contact us

Questions, requests, or complaints about this policy or our data practices: