Privacy Policy

1. Scope of This Policy

This Privacy Policy applies to all users of our Services, including visitors, registered users, content creators, and other individuals who provide personal information to us. By accessing or using the Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with this policy, please do not use the Services.

This Privacy Policy should be read in conjunction with our Terms of Service, which govern your use of the Services.

2. Data We Collect

We collect the following categories of information when you use our Services:

2.1 Information You Provide

• Account Information: When you create an account, we collect your email address, username, display name, profile picture, and authentication credentials (or tokens from third-party sign-in providers such as Apple or Google).
• User Content: Prompts you submit for playable generation, the generated playable content (interactive HTML5 experiences), comments, likes, shares, and other content you create, upload, or interact with through the Services.
• Communications: Information you provide when contacting our support team, responding to surveys, or participating in promotions, including your name, email address, and the content of your messages.
• Payment Information: If you make purchases through the Services, payment processing is handled by third-party providers (such as Apple App Store or Google Play). We do not directly collect or store your credit card numbers or banking information.

2.2 Information Collected Automatically

• Device Information: Device model, operating system and version, unique device identifiers (e.g., IDFA, Android Advertising ID), hardware specifications, screen resolution, and mobile network information.
• Usage Data: Information about how you interact with our Services, including pages and screens viewed, actions taken (e.g., playables created, played, liked, or shared), session duration, timestamps, referring URLs, and navigation paths.
• Log Data: IP address, browser type and version, access times, crash reports, performance diagnostics, and error logs.
• Location Data: Approximate location derived from your IP address. We do not collect precise GPS location data.

2.3 Analytics and Aggregated Data

We collect aggregated and anonymized data used to understand user behavior, measure performance, and improve the Services. This includes click patterns, navigation paths, feature usage statistics, and content engagement metrics. Anonymized data cannot reasonably be used to identify you.

We do not knowingly collect sensitive personal information (e.g., racial or ethnic origin, political opinions, religious beliefs, health data, biometric data) unless explicitly provided by you for a specific purpose and with your consent.

3. How We Use Your Data

We process your information for the following purposes:

3.1 Service Delivery and Operations

• Providing, operating, and maintaining the Services
• Processing your prompts and generating playable content using AI
• Displaying your published playables in the community feed for other users to discover and play
• Facilitating social features including likes, comments, sharing, and following
• Processing transactions and managing your account
• Providing customer support and responding to your inquiries

3.2 Improvement and Development

• Analyzing usage patterns to improve and optimize the Services
• Training, fine-tuning, evaluating, and benchmarking our AI models using anonymized and aggregated data to improve content generation quality
• Developing new products, features, and functionality
• Conducting research and analysis to understand user preferences and trends
• Performing A/B testing and measuring feature effectiveness

3.3 Safety and Security

• Detecting, preventing, and addressing fraud, abuse, security incidents, and technical issues
• Enforcing our Terms of Service and community guidelines
• Moderating content to ensure compliance with our policies and applicable laws
• Protecting the rights, property, and safety of Bonkr, our users, and the public

3.4 Communications

• Sending service-related notices, updates, security alerts, and administrative messages
• Sending promotional communications and marketing materials (only with your consent, where required by law)
• Personalizing your experience and providing content recommendations

3.5 Legal Compliance

• Complying with applicable laws, regulations, legal processes, or enforceable governmental requests
• Establishing, exercising, or defending legal claims

3.6 Legal Basis for Processing (GDPR)

Where the General Data Protection Regulation applies, we process your personal data based on the following legal grounds:

• Consent: Where you have given explicit consent, such as for marketing communications, non-essential cookies, or specific data processing activities. You may withdraw consent at any time.
• Performance of Contract: Where processing is necessary to fulfill our obligations under the Terms of Service, such as providing the Services and managing your account.
• Legitimate Interests: For improving our Services, ensuring security, analyzing usage patterns, and preventing fraud, where these interests do not override your fundamental rights and freedoms.
• Legal Obligation: Where processing is necessary to comply with applicable laws or regulations.

4. AI-Specific Data Practices

4.1 AI Model Training

Bonkr uses artificial intelligence to generate interactive playable content. To improve the quality and capabilities of our AI models, we may use anonymized and aggregated data derived from user interactions with the Services. This includes anonymized prompts, usage patterns, and engagement metrics. We apply industry-standard de-identification techniques before using any data for model training purposes.

4.2 Third-Party AI Providers

Bonkr may transmit prompts and related data to third-party AI service providers to generate playable content. These providers process data on our behalf and are contractually obligated to protect your information. We do not authorize third-party AI providers to use your personal data for their own independent purposes.

4.3 Anonymized Data Retention

Once User Content or Usage Data has been anonymized and incorporated into AI models, datasets, or aggregate analyses, it cannot be extracted, identified, or deleted because it no longer constitutes personal data. Your right to deletion applies to personal data that can still be reasonably linked to you.

5. Cookies and Tracking Technologies

We and our third-party partners use cookies and similar tracking technologies to collect and use information about you and your interactions with the Services. The types of technologies we use include:

• Essential Cookies: Necessary for core functionality of the Services, such as maintaining security, session management, and enabling basic navigation. These cookies cannot be disabled without impairing the Services.
• Functional Cookies: Enable personalized features, such as remembering your language preferences, display settings, or region selections, to enhance your user experience.
• Analytics Cookies: Collect anonymized data to analyze usage patterns, visitor behavior, and performance metrics, helping us understand how the Services are used and identify areas for improvement.
• Marketing Cookies: Used to deliver personalized advertisements and promotions based on your interests and online activities, only with your consent where required by law.

You can manage your cookie preferences through your browser settings or our cookie consent mechanism. Most browsers allow you to refuse or delete cookies. Please note that disabling certain cookies may affect the functionality of the Services.

Do Not Track

Some browsers transmit “Do Not Track” (DNT) signals. At this time, the Services do not respond to DNT signals because there is no industry-accepted standard for how to interpret them.

6. Data Sharing and Third Parties

We may share your information in the following circumstances:

• Service Providers: We work with trusted third-party providers (e.g., cloud hosting, analytics platforms, email delivery services, AI service providers, content delivery networks, customer support tools) who process data on our behalf under strict contractual obligations to protect your information and use it only for the purposes we specify.
• Legal Requirements: We may disclose your data when required by law, regulation, legal process (such as a subpoena, court order, or government request), or when we believe in good faith that disclosure is necessary to protect the rights, property, or safety of Bonkr, our users, or the public.
• Business Transfers: In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your information may be transferred to the acquiring entity, with appropriate safeguards in place. We will notify you of any such transfer and any changes to the applicable privacy policy.
• With Your Consent: We may share your information with third parties when you have given us explicit consent to do so.
• Public Content: When you publish playables, comments, or other content through the Services, that content is visible to other users and the public according to your privacy settings.

We do not sell your personal data. We do not sell, rent, or trade your personal information to third parties for their own marketing purposes under any circumstances. As we do not engage in the sale of personal information, no opt-out mechanism for data sales is necessary.

7. Your Rights

Depending on your jurisdiction, you may have some or all of the following rights regarding your personal data:

7.1 Rights Under GDPR (EU/EEA/UK Users)

• Right of Access (Article 15): Request a copy of the personal data we hold about you and information about how it is processed.
• Right to Rectification (Article 16): Request correction of inaccurate or incomplete personal data.
• Right to Erasure (Article 17): Request deletion of your personal data, subject to legal retention requirements and technical limitations (see Section 4.3 regarding anonymized data).
• Right to Restriction (Article 18): Request that we limit the processing of your data in certain circumstances, such as when you contest its accuracy.
• Right to Data Portability (Article 20): Request your data in a structured, commonly used, machine-readable format for transfer to another service.
• Right to Object (Article 21): Object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we demonstrate compelling legitimate grounds.
• Right to Withdraw Consent: Where processing is based on consent, withdraw your consent at any time without affecting the lawfulness of processing prior to withdrawal.
• Right to Lodge a Complaint: You have the right to lodge a complaint with your local data protection supervisory authority if you believe we have not adequately addressed your concerns.

7.2 Rights Under CCPA (California Residents)

If you are a California resident, you have the following rights under the California Consumer Privacy Act and the California Privacy Rights Act:

• Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, the business or commercial purpose for collecting the information, and the categories of third parties with whom we share it.
• Right to Delete: Request deletion of personal information we have collected from you, subject to certain exceptions.
• Right to Correct: Request correction of inaccurate personal information.
• Right to Opt-Out of Sale/Sharing: We do not sell or share (as defined by the CCPA) your personal information. No opt-out is necessary.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.

7.3 Rights Under Other US State Laws

Residents of other US states with comprehensive privacy laws (including Colorado, Connecticut, Virginia, Utah, Oregon, Texas, Montana, and others) may have similar rights to access, correct, delete, and opt out of certain data processing. Please contact us to exercise your rights under your applicable state law.

7.4 Exercising Your Rights

To exercise any of your rights, please contact us at [email protected] with the subject line “Privacy Rights Request.” We may need to verify your identity before processing your request. We will respond within the timeframes required by applicable law:

• GDPR: Within 30 days (extendable by up to 60 days for complex requests)
• CCPA: Within 45 days (extendable by up to 45 additional days)

You may also designate an authorized agent to make a request on your behalf. We may require proof of authorization and identity verification.

8. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. Our security measures include:

• Encryption: All data in transit is encrypted using HTTPS/TLS protocols. Sensitive data at rest is encrypted using industry-standard encryption algorithms.
• Access Controls: Access to personal data is restricted to authorized personnel who need it to perform their job functions, using role-based access controls and multi-factor authentication.
• Infrastructure Security: Our infrastructure is hosted on reputable cloud providers with SOC 2 compliance and regular security assessments.
• Regular Audits: We conduct periodic reviews of our data practices, security configurations, and vulnerability assessments to ensure compliance with privacy regulations and industry best practices.
• Incident Response: We maintain an incident response plan to address potential data breaches promptly and effectively.

While we strive to protect your data using commercially reasonable measures, no system is completely secure. If we become aware of a data breach that affects your personal data, we will notify affected users and relevant authorities as required by applicable law (e.g., within 72 hours under GDPR where the breach is likely to result in a risk to your rights and freedoms).

9. Data Retention

We retain your data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law. Our retention periods are as follows:

• Account Information: Retained for the duration of your account. Upon account deletion, we will delete or anonymize your personal information within 30 days, except as required for legal, security, or audit purposes.
• User Content (Playables, Comments): Retained for the duration of your account. Published content that has been shared, liked, or interacted with by other users may persist in the platform. Deleted content may be retained in encrypted backups for up to 30 days.
• Usage and Log Data: Retained for up to 24 months for analytics and debugging purposes, then deleted or anonymized.
• Cookie Data: Retained according to the cookie type — session cookies expire when you close your browser; persistent cookies expire after up to 12 months.
• Analytics Data: Retained in anonymized form for up to 24 months for performance analysis and trend reporting.
• Communications and Support Data: Retained for up to 24 months after the last interaction, or longer if required for ongoing legal matters.

When data is no longer needed for any legitimate purpose, we securely delete or irreversibly anonymize it in accordance with applicable regulations. Anonymized data incorporated into AI models is retained indefinitely as it no longer constitutes personal data (see Section 4.3).

10. International Data Transfers

Bonkr is based in the United States. Your data may be transferred to and processed in countries other than your country of residence, including the United States, where data protection laws may differ from those in your jurisdiction. By using the Services, you consent to the transfer of your data to the United States and acknowledge that U.S. law may provide different protections than the laws of your jurisdiction.

Where required by applicable law (including the GDPR), we ensure that appropriate safeguards are in place before transferring personal data outside of the European Economic Area (EEA), United Kingdom, or Switzerland. These safeguards include:

• Standard Contractual Clauses (SCCs): Agreements approved by the European Commission to ensure adequate data protection for international transfers.
• Adequacy Decisions: Where the European Commission has determined that a country provides an adequate level of data protection.
• Contractual Safeguards: We require all third-party service providers to comply with applicable data protection requirements through contractual obligations.

We only transfer data to third parties that meet our privacy standards and comply with applicable data protection laws.

11. Children's Privacy

The Services are not directed at children under the age of 13 (or 16 in certain jurisdictions). We do not knowingly collect, use, or disclose personal data from children under 13 years of age. In compliance with the Children's Online Privacy Protection Act (COPPA) and similar international regulations:

• We do not knowingly solicit or collect personal information from children under 13
• If we learn that we have collected personal data from a child under 13 without verified parental consent, we will take steps to promptly delete such information
• We will not knowingly use children's personal information for any commercial purposes unrelated to providing the Services

If you are a parent or guardian and believe that your child under 13 has provided personal information to us, please contact us immediately at [email protected] with the subject line “COPPA Request.” We will investigate and promptly delete any such information.

For users between 13 and 18 years of age: a parent or legal guardian must review and agree to this Privacy Policy and the Terms of Service on your behalf before you use the Services.

12. California-Specific Disclosures

12.1 CCPA Categories of Personal Information

In the preceding 12 months, we have collected the following categories of personal information as defined by the CCPA:

• Identifiers: Name, email address, username, unique device identifiers, IP address
• Internet/Electronic Activity: Browsing history within the Services, search history, interaction data with content and features
• Geolocation Data: Approximate location derived from IP address
• Inferences: Preferences, characteristics, and trends drawn from the above information to create a user profile for content recommendations

12.2 Shine the Light

Under California Civil Code Section 1798.83, California residents may request information about the disclosure of personal information to third parties for direct marketing purposes. As we do not disclose personal information to third parties for their direct marketing purposes, no such disclosure has been made.

13. Third-Party Links and Services

The Services may contain links to third-party websites, applications, or services that are not owned or controlled by Bonkr. This Privacy Policy does not apply to third-party services, and we are not responsible for their privacy practices. We encourage you to review the privacy policies of any third-party services before providing them with your personal information.

14. Updates to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we make material changes, we will:

• Post the updated policy on this page with a revised “Last Updated” date
• Notify you through the application, by email, or through a prominent notice on our website
• Where required by law, obtain your consent to material changes

Your continued use of the Services after the effective date of the revised Privacy Policy constitutes your acceptance of the changes. We encourage you to review this Privacy Policy periodically.

15. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy, our data practices, or wish to exercise your privacy rights, please contact us:

xGenie LLC (d/b/a Bonkr)
Email: [email protected]

We aim to respond to all privacy inquiries within 30 days, or sooner as required by applicable law.

For GDPR-related inquiries, you may also contact your local data protection supervisory authority if you believe we have not adequately addressed your concerns. A list of EU data protection authorities can be found at the European Data Protection Board website.