Last updated: 2026-05-23
Privacy Policy
BonBon respects your privacy. This document describes the data we collect, how we use it, your rights, and the protections we put in place.
1. Data we collect
We collect: (a) account information (phone, full name); (b) vehicle information (plate, make/model, service history); (c) payment information (the garage's bank account, encrypted with AES-256-GCM); (d) anonymised usage data (PostHog product analytics, no ad targeting); (e) approximate location (only when you grant permission, used to suggest nearby garages).
2. How we use it
We use data to: operate the service (booking, payment reconciliation), send service and inspection reminders, improve the product, and prevent fraud. We do not share data for advertising purposes and we do not use data for targeted advertising.
3. Sharing
We share data only with: (a) the garage you're using (limited to what's required); (b) infrastructure providers bound by data processing agreements: AWS (hosting) and PostHog Cloud EU (analytics); (c) law enforcement under a valid written request.
4. Security
Sensitive data (bank info, OTPs) is encrypted at rest with AES-256-GCM and in transit with TLS 1.3. Access is role-controlled and audit-logged. Passwords are hashed with bcrypt cost 12.
5. Retention
Data is retained for the duration of your use. After account deletion, personal data is removed from production in 7 days and from backups in 30 days. Invoices and transaction logs are kept under Vietnamese accounting law (up to 10 years), then auto-deleted.
6. Your rights
You may: (a) access and export your data (JSON); (b) correct inaccurate data; (c) delete your account; (d) withdraw consent; (e) lodge a complaint with the data protection authority. Email support@bonbon.com.vn; requests are handled within 30 days.
7. Children
BonBon is not intended for users under 16. We do not knowingly collect data from children. Parents who discover an account belonging to a minor should contact us for deletion.
8. Third-party services
We use PostHog Cloud EU (analytics — respects Do Not Track), AWS Singapore (hosting), Firebase Cloud Messaging (push notifications). Each has its own privacy policy and is bound by a DPA with BonBon.
9. Policy changes
When we change the policy, we notify users by email and in-app at least 14 days before the effective date. Past versions are retained and available on request.
Data summary
Summary of data categories we process — aligned with Google Play Data Safety and Apple Privacy Nutrition Label disclosures.
| Category | Specific data | Purpose |
|---|---|---|
| Personal identifiers | Full name, phone number | Account authentication, contact with garages |
| Contact info | Email (optional) | E-receipts, service notifications |
| Vehicle info | Plate, make/model, odometer | Service history and reminders |
| Financial info | Garage's bank account number | Display QR for owner-to-garage transfer |
| Location | Approximate location (with permission) | Suggest nearby garages |
| Usage data | In-app actions (anonymous) | Product improvement, fraud prevention |
Questions? Contact us at support@bonbon.com.vn.
