Privacy Policy

Versie: 2.0

Date of entry into effect: 25 October 2023  
Last update: 20.09.2023
Previous version: 25.01.2021


We understand that your privacy is important to you and that you care about how your personal data is used. We respect and value the privacy of everyone who uses our services, such as our website and our mobile app. We will only collect and use personal data in ways that are described here, and in a way that is consistent with our obligations and your rights under the General Data Protection Regulation (EU Regulation 2016/679) (the “GDPR”) or any other data protection laws. This privacy policy informs you about the personal data that you share with us when you use our data, why we collect those data and how we use it, and your rights regarding the use of your personal data. Please read this privacy policy carefully and ensure that you understand it.

About us

bonsai NV is a licensed payment institution with registered address at B-9050 Gentbrugge, Jules Destréelaan 63B, and with company number BE0663.774.859 (herein referred to as “bonsai”, “we”, “us” or “our”). Bonsai is the controller of your personal data, which means that we determine what data we collect about you, and what we use your data for. As controller of your personal data, we are responsible for ensuring the protection of your personal data and for enabling you to exercise your rights.

If you have concerns about how we use your personal information, you can contact our data protection officer at  

What are the services that bonsai offers?

The privacy policy applies to the use of personal data we collect about you when you use our services. Our services consist in the provision of a mobile app and a website (hereinafter referred to as our “services”), including all features offered through our app or website. You can find an overview of the services which we offer in the general terms and conditions (hereinafter referred to as the “bonsai terms”).

What kind of personal data do you collect about me?

When using our services, we collect, store, and process different categories of personal data about you:

  • Identity data: information collected when you onboard in the app such as your email, name, date and place of birth, phone number, address and other identity details we retrieve from your identity card or passport;
  • Financial data: financial data encompasses any information related to your financial situation. That includes bank account details, financial transactions, and any other data that pertains to your financial status or that is embedded in your transaction data, such as information on your spending patterns;  
  • Location data: information about your geographic location (country or city-level), which may be inferred from your device data, such as an IP address, from the identity data collected upon your onboarding (see above under ‘identity data’), or from the merchants where you carry out transactions (see above under ‘financial data’);  
  • Device information: information collected automatically about your computer or device through the web browser or app and other technologies, such as cookies (Cookie Policy), or other tracking/recording tools, such as your IP address, device type, unique device identification numbers, model name and number, operating system, or browser type;  
  • Social contact information: information about the persons in your contact list, such as their name and phone numbers, and information about the transactions you make with them;
  • Images or photos you share with us when using our services;
  • Usage data: metrics about the way you use our app (such as the number of installs, the last time you used our app, etc) or its features (such as the number of trees you have planted);
  • Communication data: all the information you share when communicating with us.

What are the purposes of processing of my personal data?

We only process your personal data for specified purposes, namely:

  • To provide our services to you. That includes your registration as a bonsai member, the set-up and management of your bonsai account, the creation and management of your bonsai payment card, the processing of transactions, the provision of customer support, and all other processing operations required for the fulfilment of our contractual obligations in accordance with the bonsai terms;  
  • To comply with our legal and regulatory obligations. As a licensed payment institution, we are subject to various legal and regulatory requirements, including regulations for the prevention of money laundering and the financing of terrorism. Those requirements oblige us to process your personal data. That involves collecting and verifying your identity information, performing background checks and risk assessments, monitoring your transactions, reporting to competent authorities and responding to their requests, and complying with court orders;  
  • To develop and improve our services, products, and operations. We may process your personal data to analyse and improve our services, products, and operations, which includes conducting research, data analytics, and gathering feedback to enhance the customer experience and optimise business processes and strategies;  
  • To promote our services and products. We may process your personal data  for marketing purposes, such as sending promotional offers, newsletters, or targeted advertisements. This may involve analysing your preferences and behaviour to personalize marketing communications or to optimise our marketing and communication strategies.

What is the legal basis for processing my personal data?

We only use your personal data when we have a valid legal reason, called “legal basis”. This legal basis may consist in the prior consent you give to us to process your data for a specified purpose. We also have a legal basis to use your personal data when the processing of your data is necessary to perform (or enter into) a contract with you, to comply with our legal obligations, and/or to achieve our legitimate interests (to the extent that your interests do not outweigh those legitimate interests).  

Depending on the purpose for which we process your personal data (see above), our legal basis will be one of the following:


Consent is one of the legal bases for processing personal data under the General Data Protection Regulation (GDPR). It means that we can process your personal data if you have given your explicit, voluntary, informed, and unambiguous agreement for us to process your personal data for a specific purpose. We ask for your consent to process your personal data to send you targeted advertisements in the bonsai app and to have access to your phone’s contact list, your location, and your camera and photos.

Contractual necessity

This legal basis allows us to process your personal data when it is necessary to perform our obligations under the bonsai terms. We use this legal basis to process personal data that is necessary for issuing and managing your bonsai payment card, for processing your transactions, and for offering services you may request from us or sign up for through the bonsai app.

Legal obligations

This legal basis allows us to process your personal data when it is required by law. We use this legal basis when we need to process your personal data to be able to fulfil regulatory obligations.

Legitimate interests

Under certain conditions, the GDPR allows us to process personal data based on our legitimate interests. Legitimate interests may include commercial interests, but they must be balanced against your rights and freedoms. We rely on this legal basis to use your email address to send you marketing emails about new services, products, or features in the bonsai app.

What are my rights?

The right to be informed about our collection and use of your personal data

You have the right to be provided with clear and transparent information about how your personal data is collected, used, and processed.  

Right to access the personal data we hold about you

You have the right to obtain confirmation from us as to whether personal data concerning you is being processed. If that is the case, you have the right to access your personal data and receive a copy of it. This allows you to verify the accuracy and completeness of your personal data, as well as the lawfulness and fairness of the data processing.

Right to have your personal data rectified

You have the right to request the rectification of inaccurate or incomplete personal data we hold about you. If you believe your data is incorrect or outdated, you can request us to correct or complete it by providing accurate and up-to-date information.

Right to be forgotten

Also known as the right to erasure, this right allows you to request the deletion of your personal data. We must comply with your request, unless we have legitimate grounds for retaining certain data, such as legal obligations.

Right to restrict

You have the right to request the restriction of processing of your personal data. This right is applicable in specific situations, such as contesting the accuracy of the data or when we no longer need the data but you require it for legal claims.

Right to object

You can object to the processing of your personal data, including profiling and direct marketing. Unless we demonstrate compelling legitimate grounds for processing that override your interests, rights, and freedoms, we must cease processing your data.

Right to data portability

You have the right to receive your personal data in a structured, commonly used, and machine-readable format. You can also request that the data be transmitted directly to another data controller, if technically feasible and if it does not adversely affect the rights and freedoms of others.

Right of withdrawal of consent

If the processing of personal data for a certain purpose is based on your consent, you have the right to withdraw your consent to process your data for that purpose at any time. In that case, we must stop processing your personal data for that purpose promptly after receiving the withdrawal.

Rights relating to automated decision-making and profiling

You have the right not to be subject to solely automated decisions, including profiling, which significantly affect you. You have the right to request human intervention, to express your point of view, and to obtain an explanation of the decision-making process.  

How do I exercise my rights?  

To exercise any of your rights set out in the previous section, you can contact us by sending an email to For security reasons, we can't deal with your request if we’re not sure of your identity, so we may ask you for proof of identity.  

We will respond to your request within one month after receiving it. In some cases, however, particularly if your request is more complex, more time may be required up to a maximum of three months from the date we receive your request. We will notify you whenever that is the case.  

We will usually not charge you a fee when you exercise your rights. However, we’re allowed by law to charge a reasonable fee or refuse to act on your request if it is manifestly unfounded or excessive. That would be the case, for instance, if you make repetitive requests.  

What can I do if I want to complain?  

Firstly, we hope to be able to resolve the matter through our Data Protection Officer (DPO). You can contact our DPO by sending an email to  

Secondly, if you consider that our processing of your personal information infringes data protection laws or if you are not satisfied with the reply or resolution that we propose, you have a legal right to lodge a complaint with your local data protection supervisory authority. If you are a resident of Belgium, you can file a complaint here.  

Data retention  

The period during which we retain your personal data varies depending on the type of information and the purposes for which we process the data. We will not keep your personal data for any longer than is necessary in light of the reason(s) for which it was first collected. Your personal data will therefore be kept until you delete your account or as long as required by mandatory law. As most of the personal data that we process is identification and transaction data, we are legally obliged to keep that data for ten years after our business relationship with you ends.  

Do you share my personal data?  

In order to offer our services to you, we work together with third party service providers such as IT service providers, card issuers, data hosting and data management providers. Whenever personal data is shared, these third parties have undertaken, through binding agreements, to take measures to protect the confidentiality and security of personal data. Some of those third parties are outside the European Economic Union, but we only share your personal data with third parties from countries that guarantee an appropriate level of security or where appropriate guarantees were provided.

How do we protect your personal data?  

The security of your personal data is essential to us. To protect your data, we will take appropriate technical and organisational precautions. This means that we have the necessary policies and procedures and IT security measures in place to ensure the confidentiality and integrity of your personal data.  

Internal access to the personal data is limited on a strict ‘need-to-know’ basis. Only authorized personnel, whose activity will be monitored to prevent any misuse, will be able to access the personal data.

Changes to this Privacy Policy

We reserve the right to modify the Privacy Policy at any time. If we make changes to this Privacy Policy, we will post the new version on the bonsai website and you will receive a notification in the bonsai app or via email.  

Close icon button

Start with

Use your phone's camera to scan and download the bonsai app.
Available on iOS and on Android