Date of entry into effect: 25 October 2023
Last update: 20.09.2023
Previous version: 25.01.2021
bonsai NV is a licensed payment institution with registered address at B-9050 Gentbrugge, Jules Destréelaan 63B, and with company number BE0663.774.859 (herein referred to as “bonsai”, “we”, “us” or “our”). Bonsai is the controller of your personal data, which means that we determine what data we collect about you, and what we use your data for. As controller of your personal data, we are responsible for ensuring the protection of your personal data and for enabling you to exercise your rights.
If you have concerns about how we use your personal information, you can contact our data protection officer at firstname.lastname@example.org.
When using our services, we collect, store, and process different categories of personal data about you:
We only process your personal data for specified purposes, namely:
We only use your personal data when we have a valid legal reason, called “legal basis”. This legal basis may consist in the prior consent you give to us to process your data for a specified purpose. We also have a legal basis to use your personal data when the processing of your data is necessary to perform (or enter into) a contract with you, to comply with our legal obligations, and/or to achieve our legitimate interests (to the extent that your interests do not outweigh those legitimate interests).
Depending on the purpose for which we process your personal data (see above), our legal basis will be one of the following:
Consent is one of the legal bases for processing personal data under the General Data Protection Regulation (GDPR). It means that we can process your personal data if you have given your explicit, voluntary, informed, and unambiguous agreement for us to process your personal data for a specific purpose. We ask for your consent to process your personal data to send you targeted advertisements in the bonsai app and to have access to your phone’s contact list, your location, and your camera and photos.
This legal basis allows us to process your personal data when it is necessary to perform our obligations under the bonsai terms. We use this legal basis to process personal data that is necessary for issuing and managing your bonsai payment card, for processing your transactions, and for offering services you may request from us or sign up for through the bonsai app.
This legal basis allows us to process your personal data when it is required by law. We use this legal basis when we need to process your personal data to be able to fulfil regulatory obligations.
Under certain conditions, the GDPR allows us to process personal data based on our legitimate interests. Legitimate interests may include commercial interests, but they must be balanced against your rights and freedoms. We rely on this legal basis to use your email address to send you marketing emails about new services, products, or features in the bonsai app.
You have the right to be provided with clear and transparent information about how your personal data is collected, used, and processed.
You have the right to obtain confirmation from us as to whether personal data concerning you is being processed. If that is the case, you have the right to access your personal data and receive a copy of it. This allows you to verify the accuracy and completeness of your personal data, as well as the lawfulness and fairness of the data processing.
You have the right to request the rectification of inaccurate or incomplete personal data we hold about you. If you believe your data is incorrect or outdated, you can request us to correct or complete it by providing accurate and up-to-date information.
Also known as the right to erasure, this right allows you to request the deletion of your personal data. We must comply with your request, unless we have legitimate grounds for retaining certain data, such as legal obligations.
You have the right to request the restriction of processing of your personal data. This right is applicable in specific situations, such as contesting the accuracy of the data or when we no longer need the data but you require it for legal claims.
You can object to the processing of your personal data, including profiling and direct marketing. Unless we demonstrate compelling legitimate grounds for processing that override your interests, rights, and freedoms, we must cease processing your data.
You have the right to receive your personal data in a structured, commonly used, and machine-readable format. You can also request that the data be transmitted directly to another data controller, if technically feasible and if it does not adversely affect the rights and freedoms of others.
If the processing of personal data for a certain purpose is based on your consent, you have the right to withdraw your consent to process your data for that purpose at any time. In that case, we must stop processing your personal data for that purpose promptly after receiving the withdrawal.
You have the right not to be subject to solely automated decisions, including profiling, which significantly affect you. You have the right to request human intervention, to express your point of view, and to obtain an explanation of the decision-making process.
To exercise any of your rights set out in the previous section, you can contact us by sending an email to email@example.com. For security reasons, we can’t deal with your request if we’re not sure of your identity, so we may ask you for proof of identity.
We will respond to your request within one month after receiving it. In some cases, however, particularly if your request is more complex, more time may be required, up to a maximum of three months from the date we receive your request. We will notify you whenever that is the case.
We will usually not charge you a fee when you exercise your rights. However, we’re allowed by law to charge a reasonable fee or refuse to act on your request if it is manifestly unfounded or excessive. That would be the case, for instance, if you make repetitive requests.
Firstly, we hope to be able to resolve the matter through our Data Protection Officer (DPO). You can contact our DPO by sending an email to firstname.lastname@example.org.
Secondly, if you consider that our processing of your personal information infringes data protection laws or if you are not satisfied with the reply or resolution that we propose, you have a legal right to lodge a complaint with your local data protection supervisory authority. If you are a resident of Belgium, you can file a complaint here.
The period during which we retain your personal data varies depending on the type of information and the purposes for which we process the data. We will not keep your personal data for any longer than is necessary in light of the reason(s) for which it was first collected. Your personal data will therefore be kept until you delete your account or as long as required by mandatory law. As most of the personal data that we process is identification and transaction data, we are legally obliged to keep that data for ten years after our business relationship with you ends.
In order to offer our services to you, we work together with third-party service providers such as IT service providers, card issuers, data hosting and data management providers. Whenever personal data is shared, these third parties have undertaken, through binding agreements, to take measures to protect the confidentiality and security of personal data. Some of those third parties are outside the European Economic Union, but we only share your personal data with third parties from countries that guarantee an appropriate level of security or where appropriate guarantees were provided.
The security of your personal data is essential to us. To protect your data, we will take appropriate technical and organisational precautions. This means that we have the necessary policies and procedures and IT security measures in place to ensure the confidentiality and integrity of your personal data.
Internal access to the personal data is limited on a strict ‘need-to-know’ basis. Only authorized personnel, whose activity will be monitored to prevent any misuse, will be able to access the personal data.