Last Updated: 13-11-2025

​

1. Introduction

​

This Privacy Policy explains how Basaamad Co, registered in Denmark under CVR number 36612266 (“we,” “our,” “us”), collects, uses, and protects personal data when businesses (“you,” “your,” “Customer”) use the Go Bonoos Business Portal (“Portal”).

We are committed to processing personal data in accordance with the EU General Data Protection Regulation (GDPR) and other applicable laws.

This Privacy Policy applies to the Go Bonoos Business Portal and related support channels. It does not cover the consumer-facing Bonoos mobile app (which has its own policy) or your own processing of consumer data as an independent controller.

​

The Go Bonoos Portal and its related services must not be used to create, host, promote, or distribute any product listings, materials, or communications containing or promoting sexual content, adult services, alcohol, tobacco, recreational drugs, weapons, or other restricted items prohibited under applicable laws or platform policies (e.g., Apple App Store, Google Play, or Stripe).

---------------------------------

​

2. Data Controller and Data Processor Roles

• For Business Account Data (your workspace admins, users, billing and contract data), we act as an independent Data Controller.

• For Consumer Data you access or upload through the Portal (e.g., discount requests sent by Bonoos users), we act as your Data Processor, and the DPA (Annex 1 to the Terms) applies.
  Certain partners (e.g., payment processors) act as independent controllers for their own processing; see Section 6.

---------------------------------

​

3. Data We Collect

We collect the following categories of personal data:

A. Business Account Data (Controller role)

• Company name and registration details

• Contact name, email, and phone number

• Login credentials and authentication data

• Billing and payment information

• Communication history with our support team

• Audit logs (login, settings changes, voucher actions)

• Workspace membership/roles and authorization metadata (e.g., permission grants, token status)

• Optional profile information (first/last name, language preference)

B. Consumer Data (Processor role)

When consumers use the Bonoos mobile app to interact with your business, we process on your behalf:

• Consumer name and/or contact details

• Discount request details (product/service requested, discount requested, timestamps)

• Communication exchanged within the Portal

C. Technical Data

• IP address and coarse location derived from IP

• Device, browser, OS version, and user-agent

• Session identifiers, security and fraud-prevention signals

• Application and API usage logs (timestamps, endpoints, status codes)

D. Data We Do Not Intentionally Collect

We do not intentionally process special categories of data (Art. 9 GDPR) in the Portal. Please do not upload such data.

We also do not collect or permit any data related to prohibited product categories such as adult or sexual content, alcohol, tobacco, controlled substances, or weapons. Any such content uploaded by users is subject to immediate removal in accordance with our Terms of Service.

---------------------------------

​

4. How We Use Your Data

As Data Controller (for your business data)

We use your data to:

• Create and manage your account

• Provide and improve the Portal services

• Process payments and manage subscriptions

• Communicate with you regarding service updates, support, or legal notices

• Comply with legal obligations

• To send service and security notifications (non-marketing)

• To prevent abuse, investigate incidents, and enforce our Terms

• To conduct aggregated, de-identified analytics to improve reliability and performance

• To enforce our Acceptable Use Policy and ensure compliance with restrictions on prohibited or regulated content and activities.

As Data Processor (for consumer data)

We process consumer data solely:

• According to your instructions

• For the purpose of delivering Portal services

• In compliance with the DPA

• We will not use Consumer Data for our own purposes and will only process it on your documented instructions and as described in the DPA.

---------------------------------

​

5. Legal Bases for Processing

We process personal data on the following bases:

• Contract performance (Art. 6(1)(b) GDPR) – To provide the Portal services to you.

• Legal obligation (Art. 6(1)(c) GDPR) – For compliance with applicable laws.

• Legitimate interest (Art. 6(1)(f) GDPR) – For Portal security, fraud prevention, and service improvement.

• Consent (Art. 6(1)(a) GDPR) – For marketing communications where required.

​Where we rely on legitimate interests, we balance our interests (e.g., security, service integrity) against your rights and freedoms and apply appropriate safeguards. You can object to processing based on legitimate interests (see Section 9).

---------------------------------

​

6. Data Sharing and Sub-Processors

We may share data with authorized service providers (“sub-processors”) who support our operations. These may include:​

Supabase (database & authentication; EU/US; SCCs),
Vercel (web hosting; EU/US; SCCs),
Wix (marketing site hosting; EU/US; SCCs),
Stripe or Wix Payments (payment processing; EU/US; PCI DSS + SCCs),
OneSignal and Resend as Email/SMS/Push Gateway providers (notifications; EU/US; SCCs).

The current list is maintained in our DPA and may be updated from time to time. We will provide notice of material changes as required by the DPA.

​We do not sell personal data to third parties.

​Independent controllers: when you pay, the relevant payment processor processes your payment data as an independent controller under its own privacy terms.

All sub-processors are contractually prohibited from processing or transmitting any data related to prohibited content categories or unlawful activities.

---------------------------------

​

7. International Data Transfers

If personal data is transferred outside the EU/EEA, we ensure appropriate safeguards such as:

• Adequacy decisions by the European Commission

• Standard Contractual Clauses (SCCs)

Where SCCs are used, we implement supplementary measures (e.g., encryption in transit/at rest, access controls) and conduct transfer risk assessments as appropriate.

---------------------------------

​

8. Data Retention

• Business Account Data: retained for the duration of your subscription and up to 5 years after termination for legal, tax and audit purposes (or longer where required by law).

• Consumer Data processed on your behalf: retained per your instructions; unless you instruct otherwise, we delete or anonymize Consumer Data within 90 days after termination.

• Security logs and backups: logs are typically retained up to 12 months for security and audit; encrypted backups follow rolling retention schedules and are automatically purged.

---------------------------------

​

9. Your Rights

Under GDPR, you have the right to:

• Access your personal data

• Rectify inaccurate data

• Request erasure (“right to be forgotten”)

• Restrict processing

• Data portability

• Object to processing

• Withdraw consent (where applicable)

We reserve the right to restrict or delete any account that uploads, promotes, or processes data involving prohibited content or products in violation of this Policy or applicable law.

To exercise your rights, contact us at gdpr@gobonoos.com. We will respond within one month (extendable by two months for complex requests).
You also have the right to lodge a complaint with a supervisory authority, e.g., Datatilsynet (Denmark) or your local authority in the EEA.

---------------------------------

​

10. Security Measures

We implement appropriate technical and organizational measures, including:

• Encryption of data in transit and at rest

• Role-based access controls

• Regular security audits

• Incident response protocols

• Optional multi-factor authentication (MFA) for admin accounts

• Principle of least privilege and regular access reviews

• Supplier due-diligence and contractual security obligations for sub-processors

• ​Automated and manual monitoring to detect and remove prohibited or inappropriate product data (e.g., adult, violent, or illegal content).

---------------------------------

​

11. Data Breach Notification

If we become aware of a personal data breach affecting your data, we will notify you without undue delay, providing details of the breach and mitigation steps.

Where we act as your Processor, we will assist you with breach notifications to authorities/data subjects as required by GDPR Articles 33–34.

---------------------------------

​

12. Marketing Communications

We may send you service-related communications without consent (transactional emails).

Marketing emails to business contacts are sent with consent where required or under legitimate interest for B2B communications, subject to your right to opt-out at any time.

​

---------------------------------

​

13. Changes to This Policy

We may update this Privacy Policy from time to time. The updated version will be posted in the Portal and on our website with a revised “Last Updated” date. If we make material changes, we will provide advance notice through the Portal or by email.

---------------------------------

​

14. Prohibited Content and Compliance

​​

Businesses using the Go Bonoos Portal agree not to upload, distribute, or promote content related to:

• Pornographic, sexually explicit, or suggestive materials

• Alcohol, tobacco, or drug-related products or paraphernalia

• Weapons, ammunition, or explosives

• Hate speech, harassment, or discriminatory material

• Illegal or restricted goods or services under local or international law

Violations of these terms may result in suspension or termination of access without notice. This policy aligns with Apple App Store, Google Play, and applicable EU/Danish commerce and advertising regulations.

---------------------------------

​​

15. Contact Information

​

Basaamad Co

Ståbyvej 22, 2740 Skovlunde

General privacy queries: privacy@gobonoos.com
Data subject requests (GDPR): gdpr@gobonoos.com