Website Privacy Policy
This Website Privacy Policy (the “Notice”) describes how Bonzer ApS, CVR no. 38848267, Copenhagen, Denmark (“Bonzer”, “we”, “us”) processes personal data when you visit the Morrison marketing website at morrison.app(the “Site”). Bonzer is the controller for the processing described below within the meaning of Article 4(7) GDPR.
This Notice does not cover personal data processed inside the Morrison platform (the application). For that, see the App Privacy Notice.
1. Personal data we process
1.1 Site analytics (consent-gated)
When you accept non-essential cookies, the Site loads PostHog (hosted in the EU at eu.i.posthog.com) and HubSpot to measure how visitors interact with the Site (e.g. page views, referrer, session duration, approximate location, device type). Until you give consent, these tools either do not load (HubSpot) or remain in opted-out mode and capture no events (PostHog). No advertising identifiers are set.
1.2 Cookie-consent record
Your consent choice is recorded in a strictly necessary cookie (morrison_consent) and mirrored in localStorageso the consent banner does not reappear on every visit.
1.3 Waitlist sign-ups
If you join the Morrison waitlist, your email address is submitted to our identity provider, Clerk, Inc., which stores it on our behalf. In addition, an internal notification containing the email address, its domain, and a timestamp is sent to a private Slack channel so the team can follow up.
1.4 Server and request logs
Cloudflare and the Site’s application layer record technical metadata for each request, including IP address, user agent, requested path, HTTP status code, and timestamp. These logs are used for security, abuse prevention, and debugging.
Bonzer does not knowingly process any special categories of personal data (Article 9 GDPR) through the Site.
2. Cookies
The Site sets only the cookies listed below.
| Cookie | Type | Purpose | Duration |
|---|---|---|---|
| morrison_consent | Strictly necessary | Records your cookie-consent choice | 1 year |
| ph_* | Analytics (consent-gated) | PostHog product analytics (EU host) | Up to 1 year |
| __hs_*, hubspotutk | Analytics (consent-gated) | HubSpot site analytics | Up to 13 months |
Non-essential cookies are set only after you click “Accept” in the consent banner. You may withdraw consent at any time via the “Cookie Settings” link in the footer, which clears morrison_consent, opts you out of analytics, and reloads the page.
3. Purposes and legal bases
Under Article 6 GDPR, Bonzer relies on the following legal bases:
Operating and securing the Site. Article 6(1)(f) – legitimate interest in providing and protecting the Site.
Site analytics. Article 6(1)(a) – consent. You may withdraw consent at any time without affecting the lawfulness of prior processing (Article 7(3) GDPR).
Waitlist sign-ups. Article 6(1)(b) – steps taken prior to entering into a contract – and Article 6(1)(f) – legitimate interest in evaluating demand and contacting prospects.
Server and request logs. Article 6(1)(f) – legitimate interest in security, abuse prevention, and debugging.
4. Recipients and sub-processors
Bonzer engages the following sub-processors to operate the Site. Personal data is shared with them only to the extent required for the stated purpose, on the basis of written agreements that impose data-protection obligations equivalent to those owed to you.
| Recipient | Purpose | Location | Transfer safeguard |
|---|---|---|---|
| Cloudflare, Inc. | Site hosting (Workers), DNS, CDN, and request logs | EU / US | EU-US DPF; SCCs |
| Clerk, Inc. | Waitlist storage and identity infrastructure | US | EU-US Data Privacy Framework |
| PostHog, Inc. | Product analytics on an EU host (eu.i.posthog.com); consent-gated | EU | N/A (EU processing) |
| HubSpot, Inc. | Site analytics; consent-gated | US | EU-US Data Privacy Framework |
| Slack Technologies, LLC | Internal notification of waitlist sign-ups | US | EU-US Data Privacy Framework |
Bonzer does not sell personal data and does not use it for online advertising or profiling.
5. International transfers
Where personal data is transferred outside the European Economic Area, Bonzer relies on (a) the EU-US Data Privacy Framework where the recipient is certified, and (b) the European Commission’s Standard Contractual Clauses with appropriate supplementary measures. The adequacy of these safeguards is reviewed on an ongoing basis.
6. Retention
Consent record – 1 year, or until you reset it.
Site analytics – as configured at the provider: PostHog up to 1 year, HubSpot up to 13 months.
Waitlist email – retained by Clerk on our behalf until you create an account, the waitlist is closed, or you ask us to remove it.
Slack notifications – up to 90 days, in line with our Slack message-retention policy.
Server and request logs – up to 90 days.
7. Your rights
Under Articles 15–22 GDPR, you have the right to access (Article 15), rectification (Article 16), erasure (Article 17), restriction of processing (Article 18), data portability (Article 20), and objection (Article 21) in respect of personal data we process about you. Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing (Article 7(3) GDPR).
To exercise any of these rights, email privacy@bonzer.io. You also have the right to lodge a complaint with the Danish Data Protection Agency (Datatilsynet, Carl Jacobsens Vej 35, 2500 Valby, Denmark – dt@datatilsynet.dk) or another competent supervisory authority in your place of residence.
8. Security
Bonzer applies technical and organisational measures appropriate to the risk under Article 32 GDPR, including TLS in transit, encryption at rest, least-privilege access controls, dependency scanning, and an established incident-response process. Personal data breaches are notified to supervisory authorities and, where required, to affected individuals in accordance with Articles 33–34 GDPR.
9. Changes
Bonzer may update this Notice from time to time. The “Effective date” at the top of this page reflects the latest revision. Material changes will be communicated on the Site or, where appropriate, by email.
10. Contact
Bonzer ApS
Copenhagen, Denmark
CVR: 38848267
Email: privacy@bonzer.io
See also: App Privacy Notice · Terms of Service.