Introduction
This Privacy Policy (“Policy”) describes how BonkX, Inc., a Delaware corporation doing business as “BonkX” (“we,” “us,” or “our”), collects, uses, shares, and protects personal information when you access or use our website at bonkx.io, our mobile application, digital wallet, card program services, rewards programs, and any related services (collectively, the “Services”).
This Policy applies to all users worldwide. If you reside in the European Economic Area (“EEA”), the United Kingdom (“UK”), or the State of California, additional rights and disclosures are set forth in Sections 11, 12, and 13 below.
By accessing or using our Services, you acknowledge that you have read, understood, and agree to the collection and use of your information as described in this Policy. If you do not agree, please do not use the Services.
BonkX provides a self-custody digital wallet with a crypto-collateralized secured spend card program issued through our service partners, including Signify Holdings Inc. (d/b/a “Rain”) and Third National Corporation. For details on how our partners process your data, please refer to their respective privacy policies. BonkX does not directly collect or store identity verification documents; KYC (Know Your Customer) verification is performed directly by Rain.
Information We Collect
We collect information in the following categories:
Information You Provide Directly
-
Account Information: Name, email address, phone number, and password when you create an account or join our waitlist.
-
Wallet Information: Public wallet addresses you connect to or generate through the Services. We do not have access to your private keys or seed phrases.
-
Card Program Data: When you apply for the BonkX secured spend card, Rain collects identity verification information (government-issued ID, proof of address, date of birth, Social Security Number or equivalent) directly. BonkX receives only a verification status (approved/denied) and your card-linked profile data (name, last four digits of card number).
-
Subscription Information: Subscription tier selection, billing preferences, and payment method details necessary to process recurring charges.
-
Communications: Information you provide when contacting support, submitting feedback, responding to surveys, or participating in promotions.
-
Waitlist and Quest Data: Email address, referral codes, quest completion data, and leaderboard activity when you participate in the BonkX waitlist or Domino.run quest platform.
Information Collected Automatically
-
Device and Browser Data: IP address, device type, operating system, browser type and version, device identifiers, screen resolution, and language preferences.
-
Usage Data: Pages visited, features used, click patterns, session duration, referral source, and interactions with our Services.
-
Transaction Data: On-chain transaction history associated with your connected wallet addresses (which is publicly available on the blockchain), card transaction metadata (merchant name, amount, date), collateral deposit and withdrawal records, and rewards/points activity.
-
Location Data: Approximate location derived from your IP address. We do not collect precise GPS location unless you explicitly grant permission.
-
Cookies and Similar Technologies: See Section 9 (Cookies and Tracking Technologies) for details.
Information from Third Parties
-
Card Program Partners: Rain and Third National Corporation may share transaction data, card status, and compliance-related information with us as necessary to provide the card program services.
-
Blockchain Data: We may collect publicly available on-chain data associated with your wallet addresses, including transaction history, token balances, and smart contract interactions.
-
Analytics Providers: Third-party analytics services may provide us with aggregated or pseudonymized usage data.
How We Use Your Information
We use the information we collect for the purposes described below. Where required by applicable law (including under the GDPR), we identify the legal basis for each processing activity.
| Purpose | Data Used | Legal Basis (GDPR) |
|---|---|---|
| Provide and maintain the Services (wallet, card, subscriptions) | Account, wallet, transaction, card, subscription data | Performance of contract |
| Process card applications via Rain | Verification status, card profile data | Performance of contract |
| Manage waitlist, quests, and referrals | Email, referral codes, quest activity | Performance of contract / Consent |
| Prevent fraud and ensure security | Device data, IP, usage patterns, transaction data | Legitimate interest / Legal obligation |
| Comply with legal and regulatory obligations (AML, sanctions) | Account data, transaction data, verification status | Legal obligation |
| Improve and develop our Services | Usage data, device data, analytics | Legitimate interest |
| Send service-related communications | Email, phone number, account data | Performance of contract |
| Send marketing communications (with consent) | Email, usage data, preferences | Consent |
| Administer rewards and points programs | Account data, points balance, quest activity | Performance of contract |
| Enforce our Terms of Service and protect legal rights | All categories as necessary | Legitimate interest / Legal obligation |
How We Share Your Information
We do not sell your personal information. We may share your information in the following circumstances:
Service Partners
Rain (Signify Holdings Inc.): We share your account information and card application data with Rain to facilitate card issuance, KYC verification, transaction processing, and compliance monitoring. Rain processes your identity documents directly and acts as an independent data controller for the data it collects during verification.
Third National Corporation: As the card issuer under the Visa network, Third National receives transaction data necessary to process your card transactions. Third National is an independent data controller for the data it processes.
Other Third Parties
-
Analytics and Infrastructure Providers: We use third-party services for hosting, analytics, error monitoring, and performance optimization. These providers process data on our behalf under data processing agreements.
-
Legal and Compliance: We may disclose information to comply with applicable law, regulation, legal process, or governmental request; to enforce our Terms of Service; to protect the rights, safety, or property of BonkX, our users, or the public; or in connection with an investigation of suspected or actual illegal activity.
-
Business Transfers: In connection with a merger, acquisition, reorganization, bankruptcy, or sale of assets, your information may be transferred to the successor entity. We will notify you of any such change and any choices you may have regarding your information.
-
With Your Consent: We may share information for other purposes when you provide specific consent.
Blockchain Disclosures
Important: Transactions conducted on public blockchains (including Solana and other supported networks) are permanently and publicly recorded. Wallet addresses, transaction amounts, and timestamps are visible to anyone. BonkX cannot delete, modify, or restrict access to on-chain data. Before conducting any blockchain transaction through the Services, you should understand that this data becomes part of the permanent public record.
Data Retention
We retain your personal information for as long as necessary to fulfill the purposes described in this Policy, unless a longer retention period is required or permitted by law. Specifically:
-
Account Data: Retained for the duration of your account and for up to five (5) years after account closure to comply with financial record-keeping and anti-money-laundering requirements.
-
Transaction Data: Retained for a minimum of five (5) years in accordance with applicable financial regulations.
-
Card Program Data: Retention governed by Rain and Third National’s respective policies and applicable banking regulations.
-
Waitlist and Quest Data: Retained for the duration of the waitlist program and for twelve (12) months after the program ends, unless you request earlier deletion.
-
Device and Usage Data: Generally retained for twenty-four (24) months from the date of collection.
-
Marketing Preferences: Your opt-out preferences are retained indefinitely to ensure we honor your choices.
When personal information is no longer needed, we securely delete or anonymize it in accordance with our data retention schedule.
Data Security
We implement industry-standard technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:
-
Encryption of data in transit (TLS 1.2+) and at rest (AES-256 or equivalent).
-
Access controls limiting personnel access to personal information on a need-to-know basis.
-
Regular security assessments and penetration testing.
-
Incident response procedures for prompt detection and remediation of security events.
-
Data protection impact assessments (DPIAs) for high-risk processing activities, including the crypto-collateralized card program and KYC/AML processing pipeline.
-
Secure development practices for our application and infrastructure.
Self-Custody Wallet Security: BonkX’s wallet is self-custodial. We do not store, access, or have the ability to recover your private keys or seed phrases. You are solely responsible for securing your wallet credentials. If you lose your private keys or seed phrases, we cannot recover your assets.
While we strive to protect your information, no method of transmission or storage is completely secure. If you become aware of any unauthorized access to your account, please contact us immediately at security@bonkx.io.
Breach Notification: In the event of a personal data breach, we will notify the relevant supervisory authority within seventy-two (72) hours of becoming aware of the breach, where required by the GDPR or other applicable law, unless the breach is unlikely to result in a risk to your rights and freedoms. Where a breach is likely to result in a high risk to your rights and freedoms, we will notify affected individuals without undue delay. We will also coordinate with our Card Program Partners (Rain and Third National) regarding any breach involving shared data.
Your Rights and Choices
Depending on your jurisdiction, you may have some or all of the following rights:
-
Access: Request a copy of the personal information we hold about you.
-
Rectification: Request correction of inaccurate or incomplete information.
-
Erasure: Request deletion of your personal information, subject to legal retention requirements.
-
Restriction: Request that we limit our processing of your data in certain circumstances.
-
Data Portability: Request a machine-readable copy of data you provided to us.
-
Objection: Object to processing based on legitimate interests or for direct marketing purposes.
-
Withdraw Consent: Where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of prior processing.
-
Opt-Out of Marketing: Unsubscribe from marketing emails using the link in any marketing communication, or by contacting us at privacy@bonkx.io.
To exercise any of these rights, please contact us at privacy@bonkx.io. We will respond within the timeframes required by applicable law (generally 30 days, or 45 days for CCPA requests). We may need to verify your identity before processing your request.
Blockchain Limitation: Deletion and rectification rights do not extend to data recorded on a public blockchain. On-chain data is immutable and cannot be modified or deleted by BonkX or any other party.
Children’s Privacy
The Services are not directed to individuals under the age of eighteen (18). We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@bonkx.io and we will take steps to delete such information promptly.
Cookies and Tracking Technologies
We use cookies and similar technologies to operate and improve the Services. The types of cookies we use include:
| Cookie Type | Purpose | Duration |
|---|---|---|
| Strictly Necessary | Essential for site functionality, security, and authentication. Cannot be disabled. | Session or up to 12 months |
| Performance / Analytics | Help us understand how visitors interact with the Services, measure traffic, and improve performance. | Up to 24 months |
| Functional | Remember your preferences (language, region, display settings) for a personalized experience. | Up to 12 months |
| Marketing | Used to deliver relevant advertisements and measure campaign effectiveness. Only with your consent. | Up to 12 months |
Managing Cookies: You can control cookies through your browser settings. Most browsers allow you to refuse or delete cookies. Please note that disabling strictly necessary cookies may impair the functionality of the Services. Where required by law, we will obtain your consent before placing non-essential cookies.
Do Not Track: Some browsers offer a “Do Not Track” (DNT) signal. There is no industry-standard response to DNT signals at this time. We will update this Policy if a standard is established.
International Data Transfers
BonkX is based in the United States. Your personal information may be transferred to, stored, and processed in the United States or other countries where our service providers operate. These countries may have different data protection laws than your country of residence.
Where we transfer personal data from the EEA, UK, or Switzerland, we implement appropriate safeguards, including:
-
Standard Contractual Clauses (SCCs): EU-approved contractual provisions ensuring adequate protection for transferred data.
-
Adequacy Decisions: Transfers to countries recognized by the European Commission as providing adequate protection.
-
Supplementary Measures: Technical and organizational measures (encryption, access controls, pseudonymization) as recommended by the European Data Protection Board.
You may request a copy of the applicable transfer safeguards by contacting us at privacy@bonkx.io.
Additional Disclosures for EEA and UK Residents
If you are located in the EEA or UK, the following additional provisions apply:
Data Controller
BonkX, Inc. (d/b/a BonkX) is the data controller for the personal information processed through the Services. For card program data, Rain and Third National Corporation act as independent data controllers for the data they collect directly.
Legal Bases for Processing
Our legal bases for processing are detailed in the table in Section 3. We rely on: (a) performance of our contract with you; (b) compliance with legal obligations; (c) our legitimate interests (fraud prevention, security, service improvement), balanced against your rights; and (d) your consent, where applicable.
Your GDPR Rights
In addition to the rights listed in Section 7, you have the right to lodge a complaint with your local supervisory authority if you believe our processing of your personal data violates applicable law.
EU Representative
Pursuant to Article 27 of the GDPR, our appointed representative in the European Union is: Adam-Noaf Grigore, Strada Emanoil Porumbaru 82-84, ap. 3, Sector 1, Bucharest, Romania. Contact: gdpr@bonkx.io.
Automated Decision-Making
We do not currently engage in solely automated decision-making that produces legal or similarly significant effects on you. If this changes, we will update this Policy and provide you with the right to contest such decisions, obtain human intervention, and express your point of view.
Data Protection Impact Assessments
BonkX conducts Data Protection Impact Assessments (DPIAs) for processing activities that are likely to result in a high risk to the rights and freedoms of individuals, as required by Article 35 of the GDPR. This includes assessments for our crypto-collateralized card program, KYC/AML verification pipeline, transaction monitoring, and rewards program profiling. DPIAs are reviewed and updated annually or when material changes are made to the relevant processing activities.
Records of Processing Activities
BonkX maintains records of processing activities as required by Article 30 of the GDPR, including the purposes of processing, categories of data subjects and personal data, recipients, international transfers, retention periods, and a description of technical and organizational security measures.
Additional Disclosures for California Residents
If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA/CPRA”), provides you with additional rights:
Categories of Personal Information
In the preceding twelve (12) months, we have collected the following categories of personal information as defined by the CCPA: identifiers (name, email, IP address); commercial information (transaction records, subscription data); internet or electronic network activity (usage data, device data); geolocation data (approximate location from IP); and inferences drawn from the above categories.
Your CCPA/CPRA Rights
-
Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected, the sources, the business purposes, and the third parties with whom we share it.
-
Right to Delete: You may request deletion of your personal information, subject to certain exceptions (legal obligations, fraud detection, completing transactions).
-
Right to Correct: You may request correction of inaccurate personal information.
-
Right to Opt-Out of Sale/Sharing: We do not sell your personal information and do not share it for cross-context behavioral advertising as defined by the CCPA/CPRA.
-
Right to Limit Use of Sensitive Personal Information: To the extent we process sensitive personal information, we limit its use to purposes permitted by the CCPA/CPRA.
-
Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights.
How to Exercise Your Rights
Submit a verifiable consumer request by emailing privacy@bonkx.io. We will verify your identity using account information on file. You may designate an authorized agent to submit a request on your behalf. We will respond within forty-five (45) days, with the option to extend by an additional forty-five (45) days with notice.
Shine the Light
Under California Civil Code Section 1798.83, California residents may request information regarding disclosures of personal information to third parties for direct marketing purposes. We do not share personal information with third parties for their direct marketing purposes.
Other Jurisdiction-Specific Disclosures
Residents of other U.S. states with comprehensive privacy laws (including Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and others) may have similar rights to access, delete, correct, and opt out of certain processing activities. To exercise your rights under any applicable state privacy law, please contact us at privacy@bonkx.io.
Right to Appeal: If we deny your privacy rights request in whole or in part, you may appeal our decision by contacting us at privacy@bonkx.io with the subject line “Privacy Rights Appeal.” We will respond to your appeal within sixty (60) days. If you are not satisfied with the outcome of your appeal, you may contact your state attorney general’s office to file a complaint.
Universal Opt-Out Signals: Where required by applicable state law, we honor Global Privacy Control (GPC) and other recognized universal opt-out preference signals. When we detect such a signal, we will treat it as a valid opt-out request for the sale or sharing of personal information associated with that browser or device.
For users outside the United States and the EEA/UK, we process your data in accordance with applicable local laws. If you have questions about how your local laws apply, please contact us.
Third-Party Links and Services
The Services may contain links to third-party websites, applications, or services that are not operated by us. This includes links to Rain’s platform, blockchain explorers, decentralized applications, and other external resources. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any personal information.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will: (a) update the “Last Updated” date at the top of this Policy; (b) notify you by email or through a prominent notice within the Services at least fourteen (14) days before the changes take effect; and (c) where required by applicable law, obtain your consent.
Your continued use of the Services after the effective date of any updated Policy constitutes your acceptance of the changes. If you do not agree to the updated Policy, you must stop using the Services and may request deletion of your account.
Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
BonkX, Inc. (d/b/a BonkX)
General Privacy Inquiries: privacy@bonkx.io
GDPR / EU Representative Inquiries: gdpr@bonkx.io
Security Concerns: security@bonkx.io
Data Protection Officer: dpo@bonkx.io
We aim to respond to all inquiries within thirty (30) days, or within the timeframes required by applicable law.