Privacy Policy

Last updated: January 29, 2026

This Privacy Policy governs your use of Bonsai (the “Application”) and our website bonsaiapp.co (collectively referred to as the “Product”). It explains how Rhythmic, Inc. (“Company,” “we,” “us,” or “our”) collects, uses, and discloses your information when you use our services and outlines your rights and choices regarding that information.

By using the Product, you agree to the terms of this Privacy Policy.

1. Interpretation and Definitions

Interpretation

Words with initial capitalization have meanings defined below. These definitions apply equally to the singular and plural forms.

Definitions

• Account – A unique account created for you to access our Service or parts of it.

• Affiliate – An entity that controls, is controlled by, or is under common control with the Company.

• Application – The Bonsai app provided by the Company.

• Company – Rhythmic, Inc., registered in Delaware, United States.

• Country – Refers to Delaware, United States.

• Device – Any device that can access the Service (e.g., smartphone, tablet, or computer).

• Personal Data – Any information that relates to an identified or identifiable individual.

• Service Provider – A third-party company or individual that processes data on behalf of the Company.

• Usage Data – Information automatically collected when using the Service (e.g., device type, usage duration).

• You – The individual using the Service, or the legal entity represented by that individual.

2. Information We Collect

We collect both information you provide voluntarily and data collected automatically when you use our Product.

Information You Provide

• Profile Data: Your email address, password, and any optional profile details.

• Payment Data: When you make purchases, payment information is processed by third-party providers (e.g., Apple, Google, Stripe). We do not store your full payment credentials.

• Support & Feedback: Any information you provide when contacting us for support, completing surveys, or giving feedback.

Data Collected Automatically

• Usage Data: How you interact with the app, including features accessed, session duration, and frequency.

• Device & Browser Data: IP address, device type, OS version, time zone, and language settings.

• Referrer & Campaign Data: Information on how you discovered Bonsai (e.g., ad source, referral link).

• Cookies & Similar Technologies: Used to maintain sessions and measure product performance. You can control cookies through your browser settings.

Tracking and Advertising Identifiers

We may collect your Apple Identifier for Advertisers (IDFA) or Google Advertising ID (AAID) for analytics and marketing attribution via third-party partners such as Singular.
These identifiers help us measure campaign effectiveness and understand where users discover Bonsai.
You can reset or disable these identifiers in your device settings. We do not use them to serve personalized ads without your consent.

3. How We Use Your Personal Data

We process your personal data for the following purposes:

1. To Provide and Improve the Service

We use your data to operate, maintain, and enhance the Bonsai experience. This includes enabling core functionality, troubleshooting technical issues, authenticating users, and ensuring secure access to your account.

To improve our AI assistant experience, we process general information about how you interact with chat features (e.g. refresh actions, viewed prompts, usage frequency, etc.). This helps us understand engagement patterns and improve usability.
Conversations are processed by Open AI and retained by them for up to 30 days solely for security monitoring, after which they are deleted.

We partner with Open AI to deliver AI-powered chat functionality. Chat metadata may be processed by Open AI and retained for up to 30 days solely for security and misuse monitoring. Open AI does not use this data to train or improve its models, and applies strong security measures such as encryption and access controls.

If you request a refund for a consumable in-app purchase, we may share limited usage data with Apple Inc. to verify your request. This data exchange follows Apple’s policies and is restricted to what is necessary to process the refund.

2. To Analyze and Enhance the Product

We use aggregated and anonymized data to understand how users interact with Bonsai.
This includes analyzing engagement, running surveys, testing new features, and identifying areas for improvement.
For example, if we notice certain features are rarely used, we may focus development efforts on improving them.

3. To Customize Your Experience

We use your data to personalize the Product—for instance, to determine which payment options, promotions, or recommendations to display to you. This ensures your experience feels relevant and useful.

4. To Process Payments

We rely on trusted third-party payment providers (such as Apple or Google) to process in-app purchases and subscriptions.
Your payment data is handled securely by these providers, and we do not store full payment details.

5. To Enforce Terms and Prevent Fraud

We process personal data to enforce our Terms of Service, prevent fraud, resolve disputes, and detect malicious activity.
When required by law or in cases involving fraud or legal claims, we may share relevant information with law enforcement authorities.

To communicate with you regarding your use of our Product

We may communicate with you, for example, by email or directly on the Product, including through push notifications. As a result of such processing, we may send you messages about your statistics.

6. To Communicate With You

We may contact you via email, in-app messages, or push notifications to provide updates about your account, app usage, or feature changes.
These communications may include statistics, reminders, or security notices.

7. To Send Marketing Communications

We may send you marketing messages about Bonsai’s features, offers, and events, or information about third-party services we think may interest you.
You can opt out of marketing emails at any time by clicking “Unsubscribe” in the email footer.

8. To Provide Customer Support

We use your data to respond to support inquiries, confirm transactions, send legal notices, and notify you of app status updates or product availability.

10. To Comply With Legal Obligations

We may process or share your information when required by applicable law, regulation, legal process, or government request.

4. Third-Party Services and SDKs

We use trusted third-party providers to enhance our app’s functionality and measure performance:

• Amplitude (Amplitude, Inc.) – Used for product analytics and event tracking. Amplitude helps us understand how users navigate and interact with Bonsai so we can improve functionality and engagement. Amplitude does not sell user data or use it for advertising purposes.

  • Privacy Policy: https://amplitude.com/privacy

• Singular (Singular Labs, Inc.) – Used for analytics and attribution. Singular may collect device identifiers, IP address, and limited engagement data to measure campaign effectiveness.

  • Privacy Policy: https://www.singular.net/privacy-policy/

• Open AI – Provides our AI chat functionality (“AI Coach”). Chat data may be shared with Open AI and retained for up to 30 days solely for security and misuse monitoring. Open AI does not use chat data to train or improve its models.

  • Privacy Policy: https://openai.com/privacy

• Payment Processors (Apple, Google, Stripe) – Process subscription and in-app payments. We never store full credit card data.

  • Apple: https://www.apple.com/legal/privacy/

  • Google: https://policies.google.com/privacy

  • Stripe: https://stripe.com/privacy

• Langfuse (Langfuse GmbH) — LLM observability and monitoring. Helps us analyze AI assistant performance and quality. Langfuse processes data as a processor on our behalf and is SOC 2 Type II and ISO 27001 certified.

  • Privacy Policy: https://langfuse.com/privacy

• Sentry (Functional Software, Inc.) — Error monitoring and performance tracking. Collects crash reports, error logs, and device information to help us identify and fix issues. Sentry does not use advertising identifiers.

  • Privacy Policy: https://sentry.io/privacy/

• Expo (650 Industries, Inc.) — App development and update delivery infrastructure. May collect device identifiers and push tokens when delivering over-the-air updates. Expo does not store or handle end-user PII.

  • Privacy Policy: https://expo.dev/privacy

• OneSignal (OneSignal, Inc.) — Push notification delivery. Collects push tokens and may collect device identifiers and limited engagement data to deliver and optimize notifications. Does not collect IP addresses from EU/UK users by default.

  • Privacy Policy: https://onesignal.com/privacy_policy

• RevenueCat (RevenueCat, Inc.) — Subscription and in-app purchase management. Processes purchase history and subscription status to validate receipts, prevent fraud, and sync purchases across devices. RevenueCat acts as a data processor and does not sell or share personal data.

  • Privacy Policy: https://www.revenuecat.com/privacy/

5. App Tracking Transparency (ATT)

In accordance with Apple’s App Tracking Transparency framework, Bonsai may request your permission to track activity across apps and websites owned by other companies for advertising and attribution purposes.
If you decline, we respect your choice and disable tracking features not essential to app operation.

6. Sensitive Data

Bonsai focuses on supporting stress reduction and burnout awareness.
While we are not a medical provider and do not collect "Protected Health Information" under HIPAA, we understand that data regarding your mood, burnout symptoms, and reflections is sensitive. We treat this as Special Category Data. We process this data solely to provide the Service to you. Check-in data, reflections, chat transcripts, and journaling data remain private to you and are not shared externally unless you choose to export or disclose them.

7. Legal Bases for Processing (EEA/UK Users)

If you reside in the European Economic Area or the United Kingdom, our legal bases for processing include:

• Contract performance – to deliver our Service.

• Consent – when using tracking, cookies, or marketing communications.

• Legitimate interests – to improve and secure our Service.

• Legal obligation – to comply with applicable laws.

You have the right to withdraw consent at any time.

8. Your Rights and Choices

Depending on your jurisdiction, you may have the right to:

• Access or request a copy of your data.

• Request correction or deletion of your information.

• Withdraw consent for marketing or tracking.

• Request data portability.

• Object to processing under certain circumstances.

To exercise these rights, email us at admin@bonsaiapp.co.

California Residents (CCPA/CPRA)

If you are a California resident, you have specific rights under the California Consumer Privacy Act and California Privacy Rights Act:

• Right to Know: You can request details about the personal information we collect, use, and disclose.

• Right to Delete: You can request deletion of your personal information, subject to certain exceptions.

• Right to Correct: You can request correction of inaccurate personal information.

• Right to Opt Out of Sharing: You can opt out of the "sharing" of your personal information for cross-context behavioral advertising.

• Right to Non-Discrimination: We will not discriminate against you for exercising these rights.

We do not "sell" personal information for monetary consideration. However, our use of analytics and advertising identifiers (such as IDFA or AAID) with partners like Singular may constitute "sharing" under California law.

To opt out of sharing or exercise any of these rights, you can:

• Email us at admin@bonsaiapp.co

• Use the "Do Not Sell or Share My Personal Information" link in our website footer

We will respond to verified requests within 45 days.

9. Data Retention

We retain your personal data only as long as necessary for the purposes stated in this Policy.

• Open AI chat data: up to 30 days

• Singular analytics data: up to 24 months (aggregated data may persist longer in anonymized form)

• Account data: retained until your account is deleted or as legally required

10. Data Transfers

International Data Transfers

Your information may be transferred to and processed in the United States and other countries where our service providers operate. These countries may have data protection laws that differ from those in your jurisdiction.

When we transfer personal data from the European Economic Area, United Kingdom, or Switzerland, we rely on:

• Service provider safeguards: Our third-party providers have implemented appropriate transfer mechanisms, including Standard Contractual Clauses approved by the European Commission and/or certification under recognized frameworks.

• Contractual protections: We maintain data processing agreements with our service providers that require them to protect your data consistent with this Privacy Policy.

Your consent to this Privacy Policy followed by Your submission of such information represents Your agreement to that transfer.

If you have questions about international transfers, contact us at admin@bonsaiapp.co.

11. Data Security

We use encryption, access controls, and secure servers to protect your data.
However, no internet transmission or electronic storage is completely secure, and we cannot guarantee absolute security.

12. Data Breach Notification

In the event of a security breach that results in unauthorized access to your personal data and poses a risk to your rights or freedoms, we will:

• Notify affected users without undue delay, and where feasible, within 72 hours of becoming aware of the breach

• Notify relevant supervisory authorities as required by applicable law

• Provide information about the nature of the breach, the data involved, and steps we are taking to address it

We maintain incident response procedures to detect, investigate, and respond to potential security incidents.

13. Children’s Privacy

Bonsai is not intended for children under 13.
We do not knowingly collect data from children.
If you believe your child has provided data, please contact us to have it deleted.

14. Links to Other Websites

Our Service may contain links to third-party websites not operated by us.
We are not responsible for the content or privacy practices of those sites.
Please review their privacy policies before providing any personal data.

15. Changes to This Policy

We may update this Privacy Policy periodically.
The updated version will always be available at https://bonsaiapp.co/privacy.

16. Delete Your Personal Data

You have the right to delete or request that We assist in deleting the Personal Data that We have collected about You.

Our Service may give You the ability to delete certain information about You from within the Service.

You may update, amend, or delete Your information at any time by signing in to Your Account, if you have one, and visiting the account settings section that allows you to manage Your personal information. You may also contact Us to request access to, correct, or delete any personal information that You have provided to Us.

Please note, however, that We may need to retain certain information when we have a legal obligation or lawful basis to do so.

17. Changes to this Privacy Policy

We may update Our Privacy Policy from time to time. We will notify You of any changes by posting the new Privacy Policy on this page.

We will let You know via email and/or a prominent notice on Our Service, prior to the change becoming effective and update the "Last updated" date at the top of this Privacy Policy.

You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.

Contact Us

If you have any questions or requests regarding this Privacy Policy, please contact us:

Rhythmic, Inc.
Attention: Privacy Officer
Email: admin@bonsaiapp.co
Address: 251 Little Falls Drive, Wilmington, DE, 19808, United States