Privacy Policy

Bondify · bondify.dev Effective date: June 15, 2026 Last updated: June 15, 2026

Overview

Bondify ("Bondify," "we," "us," or "our") operates the developer authentication platform available at bondify.dev and via our API and SDKs (collectively, the "Services"). This Privacy Policy explains how we collect, use, store, and protect personal data, and describes the rights available to you.

Two distinct processing roles — please read carefully.

If you are an End User of an application that uses Bondify for login: your personal data is processed on behalf of the Developer who built that application. Please direct any privacy requests to that Developer. Bondify processes your data solely as instructed by the Developer and does not use it for its own purposes.

1. Scope

This Privacy Policy applies to personal data processed by Bondify in its capacity as a Data Controller — that is, data we collect directly from Developers who register for and use the Bondify platform.

It does not govern End User personal data processed on behalf of Developers. That processing is governed exclusively by our DPA and applicable contractual instructions from each Developer.

2. Information We Collect

2.1 Developer Data (Bondify as Data Controller)

We collect the following categories of personal data directly from Developers:

Account data

• Email address (used as account identifier and primary contact channel)
• Password hash (bcrypt; the plaintext password is never stored)
• Account creation timestamp and plan status

Billing and payment data

• Payment transaction references and status (processed by third-party payment gateways — see Section 7)
• Subscription plan, billing interval, wallet balance, and payment history
• We do not store raw card numbers, bank account details, or full payment instrument data; these are handled exclusively by our payment processors

Dashboard and project data

• Project names, webhook URLs, and project configuration settings
• Secret key previews (first 9 and last 4 characters only; full keys are stored as SHA-256 hashes and are never recoverable)
• Custom Telegram bot tokens where provided by the Developer (stored encrypted at rest)

Usage and operational data

• Monthly Active User (MAU) counts per project (aggregated, not individually identifiable)
• Session analytics: daily authentication counts, conversion rates, funnel data (aggregated)
• Webhook delivery logs (URL, attempt count, HTTP status, error messages)
• In-app notifications and read status

Communications

• Support correspondence and any information you include in communications with us

2.2 End User Data (Bondify as Data Processor)

When an End User authenticates via a Bondify-powered application, we transiently process the following data on behalf of and under the instructions of the Developer:

Telegram

• Telegram numeric user ID
• Display name (first name + last name, as configured in Telegram)
• Telegram username (@handle), if set
• Phone number (only when explicitly enabled by the Developer in project settings and affirmatively shared by the End User via Telegram's native contact-sharing flow)

Session metadata (all messenger channels)

• Session token (random hex, non-guessable)
• Authentication status (pending, confirmed, used, expired, cancelled)
• Session creation timestamp, confirmation timestamp
• Telegram chat ID (used to deliver authentication messages; not stored beyond the session lifecycle)

What we do not collect from End Users:

• Passwords, secrets, or credentials of any kind
• Message content or conversation history
• Device identifiers, IP addresses, or browser fingerprints
• Location data
• Financial information

End User data is associated with the Developer's project and is accessible to that Developer via the Dashboard and API. Bondify does not use End User data for advertising, profiling, or any purpose beyond delivering the authentication session.

3. How We Use Information

3.1 Developer Data

We do not sell or "share" Developer personal data, and we do not use Developer personal data for behavioral advertising. Where we engage infrastructure or payment providers, they act as service providers (or, for payments, as independent controllers) under contracts that limit their use of the data to providing services to us.

3.2 End User Data

Bondify processes End User data solely to:

1. Generate and validate authentication session tokens
2. Deliver authentication confirmation messages via the relevant messenger
3. Transmit confirmed identity attributes (messenger ID, display name, username, phone number if requested) to the Developer's application via webhook or API response
4. Maintain session state for the duration of the authentication flow (maximum 10 minutes for pending sessions)

Bondify has no independent purpose for End User data beyond the above. The Developer is responsible for determining the lawful basis for End User data processing within their application, for displaying its own privacy policy to End Users, and (where phone-number collection is enabled) for obtaining valid consent. Bondify may technically disable or suspend features that transmit sensitive data — including phone-number collection — for any project that has not provided a valid, publicly accessible privacy policy URL in its Dashboard settings, or that Bondify reasonably believes is processing End User data unlawfully.

4. Data Retention

4.1 Developer Data

Upon written request to [email protected], Developers may request earlier deletion of account data not subject to legal retention obligations.

4.2 End User Data

A scheduled purge job enforces these windows automatically. The retention window for the Developer's plan is the maximum lifetime of any End User session record; Bondify does not retain End User session data beyond it.

End User data is not archived, not sold, and not used after the session lifecycle concludes. There is no permanent End User profile database at Bondify.

5. Data Sharing and Disclosure

We do not sell, rent, or trade personal data. We share data only in the following limited circumstances:

5.1 Payment Processors

Developer payments are handled by third-party payment processors. We currently use one or more of the following, and may add or change processors over time (the current list is maintained on our sub-processors page):

• A processor for international card payments
• A processor for cryptocurrency payments

Each payment processor acts as an independent controller for the transaction data it handles, under its own privacy policy. We transmit to payment processors only the data minimally necessary to process a transaction (amount, currency, and a Bondify-internal order reference). We do not transmit Developer personal identifiers to payment processors beyond what those processors require for transaction processing and fraud screening. Bondify is not responsible for the independent acts or omissions of payment processors.

5.2 Infrastructure and Hosting Providers

The Services run on cloud infrastructure. Bondify's hosting and infrastructure providers process data as sub-processors (and as "service providers" for CCPA purposes) under written data processing agreements that restrict their use of the data to providing services to Bondify, and that include appropriate technical and organizational measures and, where applicable, Standard Contractual Clauses (SCCs) for cross-border transfers. A current list of sub-processors is available on request and on our sub-processors page.

5.3 Developer Access to End User Data

Confirmed End User session data (messenger ID, display name, username, phone number if enabled) is transmitted to the Developer's registered webhook URL or returned via the /verify API response. This transmission is the core function of the Services. Developers are responsible for handling this data in compliance with applicable law.

5.4 Legal Requirements

We may disclose personal data if required to do so by applicable law, court order, or governmental authority, or if we believe in good faith that such disclosure is necessary to protect the rights, property, or safety of Bondify, our users, or the public.

5.5 Business Transfers

In the event of a merger, acquisition, or sale of all or substantially all of our assets, personal data may be transferred as part of that transaction. We will provide notice via the Dashboard and email before personal data is transferred and becomes subject to a different privacy policy.

6. Your Privacy Rights

6.1 Rights of Developers (Bondify as Data Controller)

If you are a Developer and a resident of the European Economic Area (EEA), United Kingdom, Switzerland, or California, you have the following rights with respect to your personal data:

California residents (CCPA/CPRA): You have the right to know, delete, correct, and opt out of the "sale" or "sharing" of personal information, and not to be discriminated against for exercising these rights.

• We do not sell your personal information, and we do not "share" it for cross-context behavioral advertising, as those terms are defined under the CCPA/CPRA.
• Our infrastructure and payment providers act as service providers (or independent controllers for payment processing) under written contracts that restrict their use of personal information to providing services to us. Engaging a service provider in this way is not a "sale" or "share" under the CCPA/CPRA.
• Because we do not sell or share personal information, no opt-out is technically required. If you would nonetheless like to submit a "Do Not Sell or Share My Personal Information" request, or exercise any other California right, email [email protected] with the subject line California Privacy Request, or use the request form linked in our website footer. We will respond within 45 days. You may use an authorized agent to submit a request on your behalf.

To exercise any right: email [email protected] with the subject line Privacy Request — [Right Type]. We will respond within 30 days (EEA/UK) or 45 days (California). We may require identity verification before processing your request.

6.2 Rights of End Users (Bondify as Data Processor)

If you are an End User of a Bondify-powered application, Bondify is not the controller of your personal data in that context. Please direct all data access, deletion, and portability requests to the Developer (operator) of the application you used. Bondify will assist Developers in responding to End User requests as required under our DPA.

7. International Data Transfers

Bondify may transfer personal data to countries outside the EEA or UK, including to the United States. Where such transfers occur, we rely on one or more of the following mechanisms:

• EU Standard Contractual Clauses (SCCs) (Commission Implementing Decision (EU) 2021/914)
• UK International Data Transfer Agreement (IDTA)
• Adequacy decisions issued by the European Commission or UK Secretary of State

To request a copy of the relevant transfer mechanism, contact [email protected].

8. Security

Bondify implements industry-standard technical and organizational measures to protect personal data against unauthorized access, disclosure, alteration, and destruction. These include, at a minimum:

• Passwords protected using strong one-way hashing; plaintext passwords are never stored
• API secret keys stored only in irreversible hashed form (the full key is shown once, at creation)
• Encryption in transit for all API and Dashboard communications
• Signed, HTTPS-only webhook delivery so recipients can verify payload integrity
• Access controls and source restrictions on sensitive inbound endpoints
• Rate limiting on authentication and API endpoints
• Automatic, time-bound expiry of authentication sessions

We keep the specific technologies used under review and may update them as the state of the art evolves, provided the overall level of protection is not reduced. No method of transmission or storage is 100% secure. In the event of a personal data breach affecting Developer data, we will notify affected Developers without undue delay and, where required, the relevant supervisory authority within 72 hours of becoming aware.

9. Cookies and Tracking

The Bondify Dashboard uses strictly necessary cookies to maintain your authenticated session. We do not use third-party advertising cookies or behavioral tracking cookies on the Dashboard.

Our public website (bondify.dev) may use analytics cookies to understand traffic patterns. Where required by law, we obtain your consent before placing non-essential cookies. You can manage cookie preferences via the cookie banner on the website.

The Bondify API and SDKs themselves do not set cookies in End Users' browsers.

10. Children

The Services are intended for Developers and are not directed at individuals under the age of 18 (or the applicable age of digital consent in their jurisdiction). We do not knowingly collect personal data from minors. If you believe a minor has provided personal data to Bondify, please contact [email protected] and we will promptly delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will provide at least 30 days' prior notice via the Dashboard or email before the new policy takes effect. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of the Services after the effective date constitutes acceptance of the updated policy.

12. Contact

Data Controller: Bondify Website: https://bondify.dev Privacy inquiries: [email protected] Response time: Within 30 days (EEA/UK GDPR) · 45 days (CCPA)

For End User privacy requests: contact the operator of the application through which you authenticated.

This Privacy Policy was prepared in accordance with Regulation (EU) 2016/679 (GDPR), the UK GDPR, the California Consumer Privacy Act (Cal. Civ. Code § 1798.100 et seq.), and applicable international data protection frameworks.