Privacy Policy
Privacy Policy
This policy reflects how the Bonded marketing site collects and uses personal data as of the date below. A qualified data-protection lawyer`s review is a planned safety-net, not a blocker on publication. If anything here needs correcting, email the contact in section 1.
Last updated: 2026-05-28 Version: 1.0
1. Who we are
Bonded is a B2B custom-software consultancy that builds owned digital systems for small and medium-sized businesses. We are the data controller for personal data collected through this website (bonded-pi.vercel.app).
- Who runs Bonded: Felipe Ramon Torres and Che Cole, trading as Bonded (a partnership).
- Jurisdiction: England and Wales.
- Contact for privacy questions: bondeddevelopment@gmail.com
- Data Protection Officer: not required. Bonded`s processing does not meet the UK GDPR Article 37 threshold for a mandatory DPO. Privacy queries are handled directly by the contact above.
If you have questions about how we handle your information, email the address above and we will respond within 30 days.
2. What information we collect
We only collect information you give us through the contact form, plus a small amount of technical information your browser sends automatically.
2.1 Information you give us
When you fill in the contact form on the Contact page, we ask for:
- Your name (required, so we can address you when we reply)
- Your email address (required, so we can reply)
- Your business name (optional, useful context)
- Your phone number (optional, only if you prefer phone contact)
- Your preferred contact method (required, so we contact you the way you asked)
- The inquiry context you choose to share in the multi-step form
We do not ask for anything else. We do not have account sign-up, billing, or any other collection surface on this site today.
2.2 Information your browser sends automatically
When you submit the contact form, our server records a small amount of technical information:
- The language you were using on the site (English or Spanish), so we reply in the right one
- Your user-agent string (the technical fingerprint your browser sends, e.g. "Mozilla/5.0...")
- The referrer URL (if you came from another page or a link)
- The timestamp of your submission
- Your IP address (the network address your request came from)
This is standard for any web form submission. We use it for spam filtering, abuse prevention, and to understand which markets are reaching us.
2.3 Analytics
We use Vercel Analytics to count page views and understand which pages get traffic. Vercel Analytics is cookieless: it derives an anonymous identifier from your request data rather than setting a tracking cookie. It does not identify you personally and we do not combine it with the contact-form data.
We treat Vercel as a data processor acting on our behalf for both hosting and analytics. Because Vercel Analytics is cookieless and uses only a short-lived hashed identifier that is discarded automatically, it does not store personal data about individual visitors.
3. How we use your information
We use what you give us only for what you submitted it for. Specifically:
- To reply to your inquiry. Your name, email, phone (if given), and inquiry context let us respond accurately.
- To assess fit. Your business name and inquiry context help us understand whether Bonded is the right partner for what you want to build. If we are not the right fit, we tell you and recommend an alternative where we can.
- To keep an internal record of who has contacted us, so we recognise you if you come back, and so we do not lose context between conversations. This is a basic internal CRM function.
- To protect the site from abuse. The technical information (IP, user-agent) lets us spot bot submissions and rate-limit aggressive senders.
We do not:
- Sell your personal information to anyone.
- Share your information with third-party marketers.
- Use your information to train AI models.
- Run automated decision-making that has a legal or significant effect on you.
4. Legal basis for processing (UK and EU visitors)
If you are in the UK or the EU, we process your personal data under one of these UK GDPR / EU GDPR Article 6 bases:
- Legitimate interest: responding to an inquiry you initiated. You sent us a contact form; we respond to it. Our legitimate interest in operating a B2B sales process is balanced against the minimal nature of the data and the fact that you initiated the contact.
- Consent: for any future marketing communication that goes beyond responding to your inquiry. We do not currently send marketing, but if we add it (newsletter, promotional emails) we will ask for separate, explicit consent at that point.
We rely on legitimate interest for responding to inquiries you initiate, and we would ask for separate explicit consent before sending any future marketing communication.
5. Who we share your information with
We use a small number of trusted service providers to operate this site. They process your data on our behalf and only for the purposes we set:
| Provider | What they do | Where they process |
|---|---|---|
Supabase (data importer: Supabase Pte. Ltd, Singapore; physical hosting: AWS London region, technical code eu-west-2) | Stores your contact-form submission in our database. See §5.1 for the full sub-processor chain. | UK (AWS London region). The UK-to-Singapore contractual transfer is governed by the UK ICO Approved Addendum B.1.0 to the EU SCCs: see §6 for the full transfer disclosure. |
| Vercel | Hosts the website and runs Vercel Analytics | Vercel operates globally with regional edge nodes. Vercel Analytics is cookieless and processes no personal data about individual visitors. |
5.1 Sub-processors of Supabase
Supabase Pte. Ltd uses the following sub-processors to deliver its service. This list is taken verbatim from the Supabase Data Processing Addendum, Schedule 3 (last updated 2026-03-12, available at supabase.com/legal/dpa). Per-entity processing locations are not enumerated in the DPA itself; for Bonded specifically, contact-form submissions are stored in the AWS London (eu-west-2) region, as noted in the table above and in §6.
| # | Sub-processor | Purpose (DPA wording) |
|---|---|---|
| 1 | Supabase Pte. Ltd | Provision of support services |
| 2 | Active Campaign, LLC d/b/a Postmark | Communication with Authorized Users |
| 3 | Amazon Web Services, Inc | Provision of hosting services |
| 4 | Atlassian Corporation Plc | Provision of status page services |
| 5 | Braintrust Data, Inc | Provision of monitoring and tracing |
| 6 | Clay Labs Inc. | Provision of customer insight services |
| 7 | Clazar, Inc | Provision of marketplace services |
| 8 | Cloudflare, Inc | Provision of hosting services |
| 9 | ConfigCat Korlátolt Felelősségű Társaság | Feature flagging |
| 10 | Google, LLC | Provision of hosting services |
| 11 | Fly.io, Inc | Provision of hosting services |
| 12 | FrontApp, Inc | Communication with Authorized Users |
| 13 | Functional Software, Inc d/b/a Sentry | Error monitoring and tracing |
| 14 | Github, Inc | Authorized Users account authentication |
| 15 | Hex Technologies, Inc | Provision of data analytics services |
| 16 | Hubspot, Inc | Communication with Authorized Users |
| 17 | Notion Labs, Inc | Communication with Authorized Users |
| 18 | OpenAI, LLC | Natural language processing and generation services |
| 19 | PandaDoc, Inc | Communication with Authorized Users |
| 20 | Slack Technologies, LLC | Communication with Authorized Users |
| 21 | Upstash, Inc | Serverless data hosting services |
| 22 | Vercel, Inc | Provision of hosting services |
5.2 Other providers
We do not share your information with anyone else. We do not have advertising networks, retargeting pixels, social-media trackers, or any other third-party scripts on the site. The audit confirmed this directly by scanning the codebase.
If we ever need to share your information beyond the providers above (for example, with a legal advisor responding to a complaint, or because law requires it), we will only share what is necessary and we will tell you unless law prevents us.
6. Where your data is stored
Your contact-form submission is physically stored on Supabase infrastructure in the United Kingdom (AWS London region, technical code eu-west-2). The data is held in the UK under UK GDPR jurisdiction with the Information Commissioner's Office (ICO) as supervisory authority.
The contractual data importer is Supabase Pte. Ltd (Singapore), the Supabase group entity that contracts with us for the platform. Although your data is physically hosted in the UK, the contractual relationship constitutes an international transfer from the United Kingdom to Singapore under UK GDPR Chapter V. This transfer is governed by the UK International Data Transfer Addendum to the EU Standard Contractual Clauses (the UK ICO Approved Addendum version B.1.0, laid before UK Parliament on 2 February 2022), which is incorporated into Supabase's Data Processing Agreement available at supabase.com/legal/dpa. This is the appropriate safeguard mechanism under UK GDPR Article 46(2)(d).
If you are accessing the Site from the European Union or European Economic Area, the chain extends: your data first transfers from the EU/EEA to the UK, then onward to Singapore. The EU-to-UK leg is covered by the European Commission's adequacy decision for the UK (Commission Implementing Decision (EU) 2021/1772, renewed 2024, with next periodic review in 2028). The UK-to-Singapore leg is covered by the same UK Addendum cited above.
If we ever introduce a sub-processor outside the chain described above (for example, a US-based email service), we will update this section, conduct the data protection test required by UK GDPR Article 46(1A), and put the appropriate safeguard mechanism in place (typically the UK Addendum or standard contractual clauses adopted by the Secretary of State under UK GDPR Article 47A) before any transfer occurs.
You can ask about where your data is stored by emailing us at the address in section 1.
7. How long we keep your information
We keep your data only for as long as we need it, and we apply different periods to different kinds of record:
- Contact-form submissions and pre-contract correspondence (where you have not entered into a contract with us): up to 24 months from your last meaningful contact with us. After that we delete or anonymise it. If you tell us sooner that you no longer want to be contacted, we delete it sooner.
- Contract records (where we have a written engagement with you): 7 years from the end of the engagement, to comply with UK contract-claims limitation periods (the Limitation Act 1980 sets six years for simple contracts) plus a one-year safety margin.
- Data-subject-rights records (when you exercise a right below): 3 years from the request, so we can show we handled it properly.
- Backups: retained for 30 days. When you ask us to delete data, we remove it from the live system immediately, and it clears from backups within 30 days as they roll over.
You can ask for earlier deletion by emailing the contact in section 1. We can only refuse where the law requires us to keep something (for example tax records).
8. Your rights
If you are in the UK, EU, or another jurisdiction with similar rules, you have rights over the personal data we hold about you. You can:
- Access the information we hold about you (we send you a copy)
- Correct information that is wrong or out of date
- Delete your information ("right to erasure")
- Restrict how we use your information while we sort out a dispute
- Object to processing based on our legitimate interest
- Receive a portable copy of your information in a common format
- Withdraw consent at any time (for the limited cases where we rely on consent)
To exercise any of these rights, email bondeddevelopment@gmail.com. We respond within 30 days and we will not charge you for the request unless it is repeated or excessive.
If you are in the UK, you also have the right to complain to the Information Commissioner`s Office (ico.org.uk). If you are in the EU, you can complain to your national data-protection authority.
A note for visitors in California
Bonded is a UK-based partnership and falls well below the size and revenue thresholds that trigger the California Consumer Privacy Act. We do not sell your personal information, and we do not share it for cross-context behavioural advertising. If you are in California and want to access or delete the information we hold about you, the rights in this section already cover you. Email us at the address in section 1.
9. Cookies
The site uses one cookie and one cookieless analytics identifier. Both are functional (we need them to operate the service you chose):
| Item | What it does | Type | Duration |
|---|---|---|---|
NEXT_LOCALE | Stores your language choice (English or Spanish) so the site remembers it across pages | Functional cookie | 1 year |
| Vercel Analytics anonymous identifier | Counts page views; does not identify you personally | Cookieless (hashed request fingerprint) | Session-scoped |
We do not use:
- Advertising cookies
- Social-media tracking cookies
- Retargeting pixels
- Third-party analytics beyond Vercel
- Cross-site tracking
Because both items are strictly necessary to deliver the service you asked for, they fall within the exemption for functional storage. Under the UK Data (Use and Access) Act 2025, storage that is essential to provide a service the user has requested does not need prior consent, so the site does not show a cookie consent banner. The NEXT_LOCALE cookie only remembers your language choice, and the Vercel identifier is cookieless and does not identify you. This section is the transparency notice for both.
10. Children`s privacy
Bonded`s services are aimed at business owners and operators. The site is not directed at children under the age of 13 (or under 16 in some jurisdictions). We do not knowingly collect personal information from children. If you believe a child has submitted information to us, email bondeddevelopment@gmail.com and we will delete it.
11. Security
We protect your information with industry-standard measures:
- All traffic to and from this site is encrypted in transit (HTTPS / TLS)
- Submissions are written to a managed database (Supabase) which encrypts data at rest
- Access to submissions is limited to Bonded staff who need it for the purpose set out in section 3
- We do not store any payment information on this site (we do not have a payment surface)
No system is perfectly secure. If we ever experience a security incident that affects your personal data, we will notify you and the relevant authorities as required by law.
12. Changes to this policy
We may update this policy from time to time. If the changes are material (for example, we add a new category of data collection, change the legal basis we rely on, or change our retention period), we will:
- Update the Last updated date at the top of this page
- Increment the version number
- Note the change in a brief changelog section below
For very material changes (for example, a new commercial purpose or a new processor in a new jurisdiction), we will notify previously-contacted prospects by email where we have your email address.
Changelog
| Version | Date | Change |
|---|---|---|
| 1.0 | 2026-05-28 | First published privacy policy |
13. Contact
For privacy-related questions, data-subject requests, or concerns about how Bonded handles your information:
Email: bondeddevelopment@gmail.com
We handle all privacy queries by email. If you need a postal address for a formal legal notice, ask us by email and we will provide one.
This policy reflects how Bonded handles your data today. We will review it as the business grows, and a qualified data-protection lawyer may suggest refinements over time. If anything here is unclear, email us at the address in section 1 and we will explain it in plain terms.