Privacy policy

Effective Date: December 15, 2025

This Privacy Policy (“Privacy Policy”) explains the privacy practices of Bon (“Bon,” “we,” “us” or “our”) for any information we receive from the MaxRewards mobile application (the “App”), the website at bonhq.com (the “Site”), any other web address or hyperlink that redirects to the Site, and any other webpage or application controlled by us that links to this Privacy Policy, and describes the ways in which we use the information we receive from you. Certain portions of this Privacy Policy also apply to other information collected or maintained by Bon, for example, under the “Rights Under the California Consumer Privacy Act” and “General Data Protection Regulation (GDPR)” sections below.

By using the App, the Site or receiving any services of Bon (the “Services”) you consent to the terms of this Privacy Policy. If you do not agree to the terms and conditions of this Privacy Policy, including having your Personal Information (as defined below) used in any of the ways described in this Privacy Policy, please do not use the Site, the App or the Services. Please note, however, that if you don't provide us with your Personal Information, certain parts or features of the Site, App or Services may not function properly.

Bon may update this Privacy Policy from time to time in our sole discretion by posting such revised Privacy Policy on the Site or within the App. Please note the Effective Date of this Privacy Policy set forth above. It is your responsibility to review this Privacy Policy regularly for any changes each time that you use the App, the Services or provide us information.

Use of the App or the Services by you following our posting of a new Privacy Policy constitutes your acceptance of the Privacy Policy as modified and will apply to all information received after the Effective Date of the modification. In the event we materially change the way in which we use your Personal Information that we previously collected, we will provide you with notice and ask you to affirmatively accept the new uses. This Privacy Policy is incorporated as part of the Terms and Conditions that apply with respect to your use of the App or Services.

If you are accessing the services while located in the European Union, you may have additional data privacy rights. Please review the “General Data Protection Regulation (GDPR)” section below for more information.

1. Information We Collect

We collect several categories of personal information to provide and improve our Services. The types of information we collect depend on how you interact with us and which features you use.

1.1 Information You Provide Directly

Account Registration Information: When you create an account, we collect your full legal name, mobile phone number, email address, date of birth, and a self-selected personal identification number (PIN).

Social Security Number (SSN): We collect your SSN through our identity verification partner, Spinwheel, to verify your identity, prevent duplicate accounts, facilitate credit report retrieval, and enable debt management services. Your SSN is transmitted and stored using industry-standard encryption.

Mailing and Physical Addresses: We collect current and historical addresses associated with your identity, as retrieved through our verification partners.

Debt and Financial Goals: During onboarding and ongoing use, you may provide information about your debt types, preferred extra payment amounts, financial goals, and repayment preferences.

Communications: When you contact our support team, provide feedback, or communicate with us, we collect the content of those communications, including any information you choose to share.

Biometric Data: If you enable Face ID or fingerprint authentication, the biometric data is processed and stored locally on your device by your device's operating system. We do not collect, transmit, or store biometric templates on our servers.

1.2 Information from Third-Party Services

We partner with trusted third-party financial data providers to deliver our Services. By using specific features, you authorize us to access data through these providers.

1.2.1 Credit Report Data (via Array/Equifax)

When you authorize us to retrieve your credit report, we access and store information from Equifax through our partner, Array. This includes:

  • Credit scores and score history
  • Credit account details (creditor names, account types, balances, credit limits, account status, open/close dates, and payment history)
  • Public records (bankruptcies, judgments, tax liens)
  • Collections accounts (creditor, balance, date reported)
  • Hard and soft credit inquiries
  • Credit utilization ratios
  • Personal identifying information as reported by creditors (names, addresses, employment information)

Important: Credit reports do not contain APR, interest rates, due dates, minimum payment amounts, income, transaction history, or spending data. Any estimates we provide related to these data points are calculated approximations, not exact figures.

1.2.2 Bank and Financial Account Data (via Plaid)

If you choose to link your bank accounts or credit cards through Plaid, we may access:

  • Account balances and available credit
  • Transaction history (dates, amounts, merchant names, categories)
  • Recurring transactions and subscription details
  • Account and routing numbers (for payment processing only)
  • Account holder name and institution information

Plaid's own privacy practices are governed by Plaid's Privacy Policy. By linking your accounts through Plaid, you also agree to Plaid's terms. We encourage you to review them.

1.2.3 Debt and Loan Data (via Spinwheel)

Through Spinwheel, we may access:

  • Identity verification data (name, address, SSN validation)
  • Loan and debt account information
  • Payment processing capabilities for bill payments

Spinwheel's privacy practices are governed by Spinwheel's own privacy policy, available at their website.

1.2.4 Credit and Loan Offers (via MoneyLion)

We partner with MoneyLion to present credit, loan, and financial product offers. When you view or interact with offers:

  • We share limited information necessary to generate personalized offers (such as credit score range and general financial profile)
  • If you click through to an offer, you leave our Services and interact directly with the product issuer, subject to their own privacy policy

1.3 Information Collected Automatically

When you use our Services, we automatically collect:

  • Device Information: Device type, model, operating system version, unique device identifiers, mobile network information, and app version.
  • Usage Data: Features accessed, screens viewed, actions taken, time spent on features, tap and interaction patterns, and session duration.
  • Log Data: IP address, browser type (for Website), access times, referring URLs, and error logs.
  • Location Data: We do not collect precise GPS location. We may infer approximate location from your IP address for fraud prevention and to comply with geographic service restrictions.
  • Push Notification Tokens: If you enable push notifications, we collect device tokens to deliver notifications. You can disable notifications through your device settings at any time.
  • Analytics Data: We use analytics tools (such as Amplitude) to understand how users interact with our Services, identify bugs, and improve features. This data is collected in aggregate or pseudonymized form.

1.4 Information from Other Sources

  • Referral Information: If you are referred by another user or refer someone to us, we collect the referral relationship and associated contact information.
  • Publicly Available Information: We may supplement data we collect with publicly available information to verify your identity or improve our Services.

2. How We Use Your Information

We use the information we collect for the following purposes:

2.1 Provide and Operate Our Services

  • Create and maintain your account
  • Retrieve and analyze your credit report to generate personalized financial insights
  • Provide AI-powered financial recommendations, including debt repayment strategies, interest cost estimates, balance transfer analysis, and subscription audits
  • Process bill payments and facilitate auto-pay through Spinwheel
  • Display credit and loan offers through our MoneyLion partnership
  • Deliver proactive financial alerts and notifications
  • Enable credit score monitoring and credit simulation features

2.2 AI-Powered Financial Analysis

Our AI agent analyzes your financial data to generate personalized insights and recommendations. Important: The AI agent provides estimates and suggestions, not professional financial advice. All dollar amounts, savings projections, and interest calculations are approximations based on available data. When we provide estimates derived from credit report data (which does not include exact APR or interest rates), we use industry-standard estimation models and clearly label these as estimates.

2.3 Improve and Develop Our Services

  • Analyze usage patterns and feature engagement to improve the user experience
  • Develop new features and services
  • Conduct research and analysis (using aggregated or de-identified data)
  • Test and optimize app performance
  • Train and improve our AI models using de-identified and aggregated data

2.4 Communications

  • Send transactional communications (account verification, payment confirmations, security alerts)
  • Deliver financial insights and proactive notifications
  • Send service updates and policy changes
  • Respond to your inquiries and support requests

2.5 Safety, Security, and Compliance

  • Verify your identity and prevent fraud
  • Detect and prevent unauthorized access or misuse of our Services
  • Comply with applicable laws, regulations, legal processes, and law enforcement requests
  • Enforce our Terms and Conditions and protect our legal rights
  • Fulfill our obligations under the FCRA, GLBA, and other applicable financial regulations

3. How We Share Your Information

We do not sell your personal information. We share your information only in the following limited circumstances:

3.1 Third-Party Service Providers

We share information with trusted service providers who perform services on our behalf, subject to contractual obligations to protect your data:

| Provider | Service | Data Shared | Purpose |
|---|---|---|---|
| Array / Equifax | Credit reporting | SSN, name, DOB, address | Credit report retrieval |
| Plaid | Financial data aggregation | Account credentials (via Plaid's secure flow) | Bank/card account linking |
| Spinwheel | Identity verification and payments | SSN, name, DOB, payment instructions | Identity verification, bill payments |
| MoneyLion | Financial product offers | Credit score range, financial profile summary | Personalized credit/loan offers |
| Amplitude | Analytics | Pseudonymized usage data, device info | Product analytics and improvement |
| Cloud Infrastructure Providers | Hosting and storage | All data (encrypted) | Service hosting, data storage, backups |

3.2 Legal and Regulatory Disclosures

We may disclose your information when required or permitted by law, including:

  • In response to lawful requests by public authorities, including to meet national security or law enforcement requirements
  • To comply with a subpoena, court order, or other legal process
  • To protect the rights, property, or safety of our Company, our users, or the public
  • To enforce our Terms and Conditions or other agreements
  • In connection with an investigation of fraud, intellectual property infringement, or other illegal activity

3.3 Business Transfers

If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of company assets, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our Services of any change in ownership or use of your personal information, as well as any choices you may have regarding your personal information.

3.4 With Your Consent

We may share your information with third parties when you have given us explicit consent to do so.

3.5 Aggregated or De-Identified Data

We may share aggregated, anonymized, or de-identified information that cannot reasonably be used to identify you. This data may be used for industry analysis, market research, and improving our Services.

4. Data Retention

We retain your personal information for as long as your account is active or as needed to provide you with our Services. Specific retention periods include:

  • Account Information: Retained for the duration of your account and for up to 7 years after account closure for tax, legal, and regulatory compliance purposes.
  • Credit Report Data: Your most recent credit report is retained while your account is active. Credit reports are refreshed approximately every 20 days. Historical credit data is retained to enable score tracking and trend analysis.
  • Transaction and Financial Data: Retained while your account is active and linked, and for up to 7 years after account closure for regulatory compliance.
  • AI Conversation History: Retained while your account is active to provide continuity in the agent experience. De-identified conversation data may be retained longer to improve our AI models.
  • SSN: Encrypted and retained for as long as your account is active for identity verification and credit report retrieval purposes. Securely deleted within 90 days of account closure, unless retention is required by law.
  • Usage and Analytics Data: Retained in aggregate or pseudonymized form for up to 3 years for product improvement.

When personal information is no longer necessary for the purposes described above, we securely delete or de-identify it in accordance with our data retention and destruction policies.

5. Data Security

We implement and maintain commercially reasonable administrative, technical, and physical safeguards designed to protect your personal information, including:

  • Encryption: All personal data is encrypted in transit using TLS 1.2 or higher and encrypted at rest using AES-256 or equivalent industry-standard encryption.
  • Access Controls: Access to personal information is restricted to authorized personnel on a need-to-know basis, with role-based access controls and multi-factor authentication.
  • Infrastructure Security: Our Services are hosted on enterprise-grade cloud infrastructure with SOC 2 compliance, regular security audits, and penetration testing.
  • Secure Authentication: We use OTP-based phone verification, PIN protection, and optional biometric authentication (Face ID/fingerprint) to secure your account.
  • Vendor Security: We require our third-party service providers to maintain appropriate security measures and undergo regular security assessments.
  • Incident Response: We maintain an incident response plan and will notify affected users and relevant regulators in the event of a data breach as required by applicable law.

No method of transmission or storage is 100% secure. While we strive to protect your personal information, we cannot guarantee its absolute security. If you become aware of any unauthorized access to your account, please contact us immediately at support@boncredit.ai.

6. Your Rights and Choices

Depending on your state of residence, you may have certain rights regarding your personal information under applicable privacy laws. We honor these rights for all users regardless of state, to the extent feasible.

6.1 General Rights (Available to All Users)

  • Access: You may request a copy of the personal information we hold about you.
  • Correction: You may request correction of inaccurate or incomplete personal information.
  • Deletion: You may request deletion of your personal information, subject to certain exceptions (such as data we are required to retain by law or for legitimate business purposes).
  • Data Portability: You may request a copy of your data in a commonly used, machine-readable format.
  • Opt-Out of Marketing: You may opt out of promotional communications by following the unsubscribe instructions in any marketing message or by contacting us.
  • Revoke Third-Party Access: You may disconnect your Plaid-linked accounts at any time through the App. You can also revoke access via Plaid's consumer portal at my.plaid.com.
  • Account Closure: You may request closure of your account by contacting us at support@boncredit.ai. We will delete or de-identify your data in accordance with our retention policies and applicable law.

6.2 California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA):

  • Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business or commercial purpose for collection, and the categories of third parties with whom we share it.
  • Right to Delete: You may request deletion of personal information we have collected from you, subject to certain exceptions.
  • Right to Correct: You may request correction of inaccurate personal information.
  • Right to Opt-Out of Sale/Sharing: We do not sell your personal information and do not share it for cross-context behavioral advertising purposes. If this changes, we will provide a clear opt-out mechanism.
  • Right to Limit Use of Sensitive Personal Information: We collect sensitive personal information (SSN, financial account data) only as necessary to provide our Services. You may request that we limit use of sensitive information to what is necessary for the Services.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights.

Categories of Personal Information Collected (past 12 months): Identifiers (name, email, phone, SSN, address); financial information (credit report data, bank account data, payment history); internet or electronic network activity (usage data, device info); geolocation data (approximate, from IP address); inferences drawn from the above (financial health profile, savings opportunities).

We do not sell personal information. We do not use or disclose sensitive personal information for purposes other than those permitted under CCPA Section 1798.121.

6.3 Virginia Residents (VCDPA)

Virginia residents have the right to access, correct, delete, and obtain a portable copy of their personal data. You also have the right to opt out of the processing of personal data for targeted advertising, the sale of personal data, and profiling in furtherance of solely automated decisions that produce legal or similarly significant effects. We do not engage in any of these practices. To exercise your rights, contact us at the information below.

6.4 Colorado Residents (CPA)

Colorado residents have rights to access, correct, delete, and obtain a portable copy of personal data, and to opt out of targeted advertising, sale of personal data, and certain profiling. To exercise these rights, contact us using the information below. You may designate an authorized agent to make a request on your behalf.

6.5 Connecticut Residents (CTDPA)

Connecticut residents have similar rights to access, correct, delete, and port personal data, and to opt out of the sale of personal data, targeted advertising, and profiling. To exercise these rights, contact us using the information provided below.

6.6 Other State Residents

If you reside in Delaware, Indiana, Iowa, Kentucky, Maryland, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, or any other state with a comprehensive consumer privacy law, you may have additional rights including the right to access, correct, delete, and port your personal data. We commit to honoring valid privacy rights requests from residents of all US states. Contact us to exercise your rights.

6.7 How to Exercise Your Rights

To submit a privacy rights request, contact us at support@boncredit.ai. We will verify your identity before processing your request. Verification may require you to provide your name, email address, phone number, and account information. We will respond to your request within 45 days (or the timeframe required by your state's applicable law). If we need additional time, we will notify you of the extension and the reason for it.

If we deny your request, you have the right to appeal. To appeal, contact us at support@boncredit.ai with the subject line "Privacy Rights Appeal." We will respond to appeals within 60 days.

7. Gramm-Leach-Bliley Act (GLBA) Notice

As a provider of financial services, Bhim Digital Inc. is subject to the Gramm-Leach-Bliley Act. Under the GLBA, we are required to provide you with this notice of our information-sharing practices.

Categories of Nonpublic Personal Information (NPI) We Collect: Information from your account application and transactions (name, SSN, address, income, account balances); information from consumer reporting agencies (credit report data); and information from your use of our Services.

How We Protect NPI: We restrict access to your NPI to employees and service providers who need it to provide our Services. We maintain physical, electronic, and procedural safeguards that comply with applicable federal and state regulations to protect your NPI.

Sharing of NPI: We share NPI with non-affiliated third parties only as permitted by law (for example, with service providers who assist us in providing our Services, or as required by legal process). We do not share NPI with non-affiliated third parties for their own marketing purposes.

Your Choice: Because we do not share your NPI with non-affiliated third parties for their own marketing purposes, there is no opt-out requirement under GLBA. If our practices change, we will provide you with a revised notice and an opportunity to opt out.

8. Fair Credit Reporting Act (FCRA) Disclosures

Bhim Digital Inc. accesses your credit report from Equifax through our partner Array for the permissible purpose of providing you with credit monitoring, financial management, and educational services that you have requested. By creating an account and agreeing to our Terms, you authorize us to obtain your consumer credit report for these purposes.

Your FCRA Rights: Under the FCRA, you have the right to:

  • Know what is in your credit file by requesting a disclosure from the credit reporting agency
  • Dispute incomplete or inaccurate information directly with the credit bureau
  • Have inaccurate information corrected or deleted
  • Know if information in your file has been used against you
  • Limit prescreened offers of credit and insurance
  • Seek damages from violators of the FCRA

Important: BON Credit is not a credit reporting agency. We do not furnish information to credit bureaus. Disputes about the accuracy of your credit report should be directed to the relevant credit bureau (Equifax, Experian, or TransUnion) or to the creditor that reported the information.

9. Children's Privacy

Our Services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18 without parental consent, we will take steps to delete that information promptly. If you believe that a child under 18 has provided us with personal information, please contact us at support@boncredit.ai.

10. International Users

Our Services are intended for use within the United States and are governed by US law. If you access our Services from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your jurisdiction. By using our Services, you consent to the transfer and processing of your information in the United States.

11. Third-Party Links and Services

Our Services may contain links to third-party websites, applications, or services, including financial product offers from our partners. We are not responsible for the privacy practices or content of these third-party services. When you click on a link to a third-party site or service, you leave our Services and are subject to that third party's privacy policy and terms. We encourage you to review the privacy policies of any third-party service before providing them with your personal information.

12. Automated Decision-Making and AI

BON Credit uses artificial intelligence and automated processing to analyze your financial data and generate personalized recommendations. This includes credit report analysis, debt repayment optimization, balance transfer suggestions, subscription detection, and spending categorization.

Our AI does not make decisions that produce legal or similarly significant effects on you. All recommendations are informational in nature. You retain full control over any financial decisions. We do not use automated decision-making to approve or deny you access to financial products, credit, or services.

You have the right to request information about the logic involved in automated processing of your data. Contact us at support@boncredit.ai to make such a request.

13. Do Not Track Signals

Some web browsers transmit "Do Not Track" (DNT) signals. Because there is no uniform standard for how DNT signals should be interpreted, our Website does not currently respond to DNT signals. However, we do not track our users across third-party websites and do not engage in cross-context behavioral advertising.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you through the App (via push notification or in-app message), by email, or by posting the updated Privacy Policy on our Website with a revised "Effective Date." Your continued use of our Services after the effective date of any updated Privacy Policy constitutes your acceptance of the changes. We encourage you to review this Privacy Policy periodically.

15. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Bhim Digital Inc.
Email: support@boncredit.ai
Website: www.boncredit.ai

For privacy rights requests, please email support@boncredit.ai with the subject line "Privacy Rights Request" and include your full name, email address associated with your account, and the specific right you wish to exercise.

If you are not satisfied with our response, you may have the right to lodge a complaint with your state's Attorney General or the relevant regulatory authority.

16. SMS and Mobile Communications

When you provide your phone number to receive a one-time passcode (OTP) or SMS verification code through BON Credit, you are opting in to receive transactional SMS messages solely for the purpose of identity verification and account authentication.

We will not sell, rent, share, or disclose your mobile phone number or SMS opt-in data to any third party for marketing or promotional purposes. Mobile opt-in data and consent information will not be shared with third parties or affiliates for their own marketing purposes.

Message frequency varies based on your account activity. Message and data rates may apply. Reply STOP to opt out at any time. Reply HELP for assistance.