App Privacy Notice
Effective date: 15 May 2026
This App Privacy Notice (the "Notice") describes how Bonzer ApS, CVR no. 38848267, Copenhagen, Denmark ("Bonzer", "we", "us") processes personal data in the Morrison platform (the "Platform"). It provides the information required of a controller under Articles 13–14 GDPR and, in respect of Customer Data processed on your behalf, supplements the data processing terms in Section 9 of our Terms of Service.
For the privacy practices that apply to the Morrison marketing website, see the Website Privacy Policy.
The Platform is currently offered as a closed beta and is evolving rapidly. The data flows, sub-processors, and retention periods described below reflect the current state of the Platform and may change as features are added, replaced, or removed. Bonzer will keep this Notice up to date and will communicate material changes as set out in Section 13.
1. Roles and responsibility
1.1 Account, billing, and operational data
Bonzer is the controller within the meaning of Article 4(7) GDPR for personal data processed to provide the Platform to you, manage your account, organisation, and seats, communicate with you, bill you, secure the service, and meet applicable legal obligations.
1.2 Customer Data
For personal data contained in Customer Data – for example, content crawled from your website, documents you upload, data fetched through your connected integrations, prompts, chat messages, and AI Outputs – Bonzer acts as processor within the meaning of Article 4(8) GDPR. You (or the organisation on whose behalf you use the Platform) are the controller of that data. The processing terms and instructions are set out in Section 9 of the Terms of Service, which constitute our data processing agreement under Article 28 GDPR.
1.3 Privacy contact
Bonzer ApS · Copenhagen, Denmark · CVR 38848267 Email: kontakt@bonzer.dk
2. Categories of personal data
The Platform processes the following categories of personal data.
2.1 Account and identity data
Provided by you and synchronised from our identity provider (Clerk): a Clerk user identifier, email address, given and family names, organisation name and slug, organisation membership and role, and account timestamps. Bonzer never sees or stores your password.
2.2 Authentication and session data
Session tokens issued by Clerk, sign-in events, IP address, user agent, and timestamps, used to authenticate API requests and secure your account.
2.3 Workspace configuration
Websites you add (URL, name, slug), data sources, crawl settings, URL segments, custom agents, agent templates, knowledge bases, workflow definitions, and per-organisation AI settings (for example, the model selected for chat or for a particular agent). Bonzer manages the credentials used to call AI providers; you do not supply your own AI provider keys.
2.4 Customer Content
Crawled pages. When you instruct the Platform to crawl a website, Bonzer fetches that website's publicly accessible pages and stores the URL, path, title, page body, extracted meta (description, canonical, Open Graph), the last-crawled timestamp, and a rolling content history used for change detection.
Uploaded documents. Documents you upload to a knowledge base or context store (PDF, DOCX, MD, TXT) are stored in object storage (Cloudflare R2). Their extracted text is stored in our database and is chunked, embedded, and indexed for semantic search.
Embeddings. Text chunks derived from your pages and documents are converted into vector embeddings and stored in our vector database (Pinecone & Turbopuffer) so the Platform can retrieve relevant context for chat and workflows.
2.5 Connected-integration data
When you connect Google Search Console, Google Analytics 4, Google Ads, Ahrefs, or another third-party integration, Bonzer stores the credentials issued by the provider (for OAuth integrations: refresh token, access token, scope, expiry, and the property, account, or customer you have selected; for API-key integrations such as Ahrefs: the endpoint URL and API key you provide). These credentials are encrypted at rest with AES under a server-managed key. Query results fetched on your behalf (for example, clicks, impressions, queries by URL) are cached transiently to power dashboards, chat, and workflows.
2.6 Chat sessions, analyses, and runs
Chat sessions and individual messages (role, content, tool calls, attachments), analyses, custom-agent execution logs, workflow runs, batch runs, and recommendation outputs. These records may incorporate personal data that you, your team, or your content authors include in prompts, documents, or website content.
2.7 Operational telemetry
Server request logs (IP address, user agent, route, status, latency, timestamp), background-job logs (BullMQ on Redis), and application error logs. Where configured, logs may be forwarded to a centralised log management provider (currently Axiom). Logs are used for security, abuse prevention, debugging, and quality monitoring.
2.8 Billing data
For paid plans, billing-contact data and Subscription metadata. Payment-instrument data (card numbers, bank details) is collected and processed directly by Stripe; Bonzer never sees or stores full card details.
2.9 Support data
Where you contact us through the in-Platform support messenger (Intercom), the messages you send, together with your name, email, and organisation, are processed in order to handle your enquiry.
3. Purposes and legal bases
Where Bonzer acts as controller, the legal basis under Article 6 GDPR is identified for each processing purpose.
3.1 Providing the Platform – Article 6(1)(b)
Authenticating users, provisioning workspaces, running crawls, indexing content, executing chat, agents and workflows, and returning results.
3.2 Billing and statutory record-keeping – Article 6(1)(b) and 6(1)(c)
Managing Subscriptions, processing payments through Stripe, issuing invoices, and meeting VAT, accounting, and audit obligations under Danish and EU law.
3.3 Securing the Platform – Article 6(1)(f)
Detecting fraud and abuse, enforcing rate limits and acceptable use, monitoring system health, and investigating security incidents. The legitimate interest is Bonzer's and its customers' interest in a secure, reliable service.
3.4 Service improvement and observability – Article 6(1)(f)
Debugging, performance monitoring, queue and crawler tuning, and producing Aggregated Data as defined in the Terms.
3.5 Communicating with you – Article 6(1)(b) and 6(1)(f)
Service notifications, security alerts, billing notices, and replies to support requests. Marketing communications, if any, rely on a separate basis (consent or soft opt-in) and you can object at any time.
3.6 Connecting third-party integrations – Article 6(1)(a)
Where you connect a third-party integration (for example, Google Search Console, Google Analytics 4, Google Ads, or Ahrefs), processing of the credentials and the data accessed under those credentials is based on your consent, given through the relevant provider's authorisation flow. You may withdraw that consent at any time by disconnecting the integration in the Platform or revoking access at the provider.
3.7 Processing on your instructions – Article 28
Where the Platform processes personal data contained in Customer Data, Bonzer does so as your processor on your documented instructions, as set out in Section 9 of the Terms.
4. AI processing
4.1 What is sent to AI providers
To produce AI Outputs – chat answers, analyses, recommendations, and embeddings – the Platform sends prompts and relevant excerpts of your content (pages, documents, integration data, and conversation history) to third-party AI model providers. The provider used for a given request depends on the model selected at the organisation, agent, or feature level.
4.2 Providers
OpenAI, Anthropic, Google (Gemini), and Perplexity are used as AI model providers. Embeddings are generated through OpenAI. The Tavily web-search service may be invoked by an AI agent or workflow when it needs to fetch information from the public web on your behalf. Where a provider offers an EU endpoint, Bonzer uses it.
4.3 Training and provider retention
Bonzer uses each provider's API offering. Under those providers' published terms applicable to API traffic, content sent through the API is not used to train their generally available models. Providers may retain prompts and completions for a short abuse-monitoring window per their respective policies. Bonzer does not opt your data into any training programme. If a provider materially changes its API terms, Bonzer will reassess use and update this Notice where required.
4.4 Disclaimers
AI Outputs may contain errors. Section 7 of the Terms describes the nature of AI Outputs and your responsibility to review them before relying on or publishing them.
5. Connected integrations
The Platform allows you to connect third-party data sources – such as Google Search Console, Google Analytics 4, Google Ads, and Ahrefs – so that the data they hold can be shown in the Platform and read by Morrison's AI agents and workflows on your behalf. This section describes how Bonzer requests, uses, stores, shares, and deletes the data it receives from those integrations.
5.1 How a connection is established
A connection is created only when you initiate it in the Platform. For OAuth-based integrations (currently the Google integrations), you are redirected to the provider's consent screen, where you grant Bonzer access to a specified scope. For API-key-based integrations (currently the Ahrefs MCP), you supply an endpoint URL and an API key issued to you by the provider.
5.2 Integrations and the access requested
| Integration | API | Scope or credential | Purpose |
|---|---|---|---|
| Google Search Console | Search Console API | OAuth scope https://www.googleapis.com/auth/webmasters.readonly | List the Search Console properties on your account so that you may select one, and read clicks, impressions, click-through rate, position, query, and page metrics for the URLs in your Morrison website. |
| Google Analytics 4 | Analytics Admin API and Analytics Data API | OAuth scope https://www.googleapis.com/auth/analytics.readonly | List the GA4 accounts and properties on your account so that you may select one, and read aggregate report data (sessions, users, events, conversions, custom dimensions and metrics) for the property you select. |
| Google Ads | Google Ads API | OAuth scope https://www.googleapis.com/auth/adwords | List the Google Ads customers accessible to your account so that you may select one, and read campaign, ad group, keyword, and performance data via read-only GAQL queries issued on your instruction. |
| Ahrefs | Ahrefs MCP | Customer-supplied endpoint URL and API key | Allow Morrison's AI agents to query Ahrefs data on your behalf when you, or a workflow you have configured, ask a question that requires it. |
5.3 How integration data is used
Bonzer uses data received through a connected integration solely to provide and improve the user-facing features that you, the user, requested when connecting it. In particular, Bonzer uses such data:
(a) to render dashboards, page details, segment views, and workflow outputs inside the Platform; (b) to allow Morrison's AI agents to read the data on your behalf when you, or a workflow you have configured, ask a question that requires it; and (c) to cache fetched results for short periods so that the Platform performs adequately.
Bonzer does not use integration data:
(a) to serve, target, or measure advertising; (b) to determine creditworthiness or for lending purposes; (c) to sell, rent, license, or transfer it to data brokers, information resellers, or any other third party for those parties' independent use; or (d) to train, develop, or evaluate generalised artificial-intelligence or machine-learning models, whether Bonzer's own or any third party's. The only AI processing applied to integration data is inference – the generation of an answer for you in your session – on the AI providers' API tiers described in Section 4, which contractually do not train on API content.
5.4 Sharing of integration data
Integration data is shared only with the infrastructure sub-processors listed in Section 6, and only to the extent necessary to operate the Platform. Specifically:
(a) the EU host that runs the Platform and its database (currently Railway) processes integration data for storage and computation; (b) Cloudflare may transit integration data as part of the network path; and (c) the AI provider you have selected (OpenAI, Anthropic, Google, Perplexity, or Tavily) processes integration data only when you, or a workflow you have configured, issue a prompt that requires it.
Integration data is not shared with any other third party.
5.5 Human access to integration data
Bonzer personnel do not read raw integration data fetched on your behalf, except (a) with your explicit consent, for example where you ask support to investigate a specific issue; (b) where strictly necessary to address a security or operational incident affecting your account or the integrity of the Platform; or (c) where required by applicable law. Such access is restricted to a small number of authorised employees and contractors and is logged.
5.6 Storage, encryption, and retention
Integration credentials (OAuth tokens, refresh tokens, and customer-supplied API keys) and integration metadata (such as the Search Console property, GA4 property, or Google Ads customer you selected) are stored in Bonzer's EU-hosted PostgreSQL database, encrypted at rest with AES under a server-managed key. Cached query results are stored in the same database and in Redis, both EU-hosted. Credentials and cached results are deleted when you disconnect the integration in the Platform or delete the website to which the integration is attached. Account-wide deletion follows the schedule in Section 8.
5.7 Revocation
You may revoke Morrison's access to a connected integration at any time by disconnecting it in the Platform (Integrations → [provider] → Disconnect). For Google integrations you may, additionally or alternatively, revoke access in your Google Account at https://myaccount.google.com/permissions.
5.8 Google API user data
Bonzer's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. The OAuth scopes Bonzer requests for the Google integrations are listed in section 5.2; the way data received under those scopes is used, shared, and protected is described in sections 5.3 to 5.7 of this Notice and applies in addition to any provider-specific terms.
6. Sub-processors
Bonzer engages the sub-processors listed below to operate the Platform. Each is bound by data-protection terms at least as protective as those in our agreement with you.
| Sub-processor | Purpose | Data shared | Location | Transfer safeguard |
|---|---|---|---|---|
| Clerk, Inc. | Identity and user management (sign-up, sign-in, sessions); webhook signatures (via Svix) | Name, email, profile fields, session metadata | US | EU-US Data Privacy Framework |
| Railway Corp. | Application hosting, managed PostgreSQL, managed Redis, background workers | All Account, Customer Data, and operational logs | EU | N/A (EU processing) |
| Cloudflare, Inc. | Object storage (R2) for uploaded documents, chat attachments, and public favicons; CDN | Uploaded context documents, chat attachments, favicon assets | EU / US | EU-US DPF; SCCs |
| Pinecone Systems, Inc. | Vector database for page and document embeddings (current) | Embedding vectors and chunk text derived from your content | EU / US | EU processing where available; SCCs |
| Turbopuffer, Inc. | Vector database for page and document embeddings (planned replacement for Pinecone) | Embedding vectors and chunk text derived from your content | EU / US | EU processing where available; SCCs |
| OpenAI, LLC | AI model processing (chat, analysis, embeddings) | Prompts, page and document excerpts, AI Outputs | US | EU-US Data Privacy Framework |
| Anthropic, PBC | AI model processing (Claude) | Prompts, page and document excerpts, AI Outputs | US | Standard Contractual Clauses |
| Google LLC | AI model processing (Gemini); Search Console, Google Analytics 4, and Google Ads access | Prompts and content sent to models; OAuth tokens and query results from Google APIs | EU / US | EU-US DPF; SCCs |
| Perplexity AI, Inc. | AI research tool used by the Content Agent | Research queries derived from your prompts | US | Standard Contractual Clauses |
| Tavily, Inc. | Web-search tool used by AI agents and workflows | Search queries derived from your prompts | US | Standard Contractual Clauses |
| SerpApi, LLC | Search-engine results data for workflow actions and (optionally) chat | Query terms and result metadata | US | Standard Contractual Clauses |
| Mendable AI, Inc. (Firecrawl) | Page fetch and extraction used by chat, workflows, and crawlers | URLs you instruct the Platform to fetch and the returned page content | US | Standard Contractual Clauses |
| Ahrefs Pte. Ltd. | SEO data via the Ahrefs MCP, only when you connect it | Queries the AI agent issues against the Ahrefs MCP, using the API key you supply | SG / US | Standard Contractual Clauses |
| Stripe, Inc. | Payment processing for paid plans | Billing-contact data and Subscription metadata; payment-instrument data is processed directly by Stripe | EU / US | EU-US Data Privacy Framework |
| Intercom, Inc. | In-Platform support messenger and customer communication | Your name, email, organisation, and the messages you send to support | EU / US | EU-US DPF; SCCs |
| Axiom, Inc. | Centralised log management (where configured) | Application and request logs, which may include request metadata | US | Standard Contractual Clauses |
Because the Platform is in closed beta and developing rapidly, Bonzer may add, replace, or remove sub-processors as the Platform evolves. Where this happens, Bonzer will update this Notice and, where the change is material, notify customers in the Platform or by email. Customers on a contractual subscription may rely on any specific advance-notice and objection rights set out in Section 9.6 of the Terms.
7. International transfers
The Platform is hosted in the European Union. Certain sub-processors – in particular AI model providers and identity infrastructure – process data in the United States. For those transfers Bonzer relies on (a) the EU-US Data Privacy Framework where the recipient is certified, and (b) the European Commission's Standard Contractual Clauses with appropriate supplementary measures. The adequacy of these safeguards is reviewed on an ongoing basis.
8. Retention
8.1 Account and identity data
Retained for the duration of your account and deleted within 30 days of account closure, save where retention is required by law (for example, tax or accounting records).
8.2 Customer Data (pages, documents, embeddings)
Retained for as long as the corresponding website, data source, knowledge base, or document remains in your workspace. When you delete an item, the related rows in PostgreSQL, vectors in our vector database (Pinecone & Turbopuffer), and objects in Cloudflare R2 are deleted in line with our deletion routines. Page content history is pruned according to our crawl-history policy and at the latest at account closure.
8.3 Connected-integration credentials
OAuth tokens and API keys are retained while the integration is connected and cleared on disconnect or website deletion. Cached query results are short-lived and refreshed on demand.
8.4 Chat, analyses, and workflow runs
Retained while your workspace exists, so that you can revisit history. Individual sessions and runs may be deleted from within the Platform; all such records are removed within 30 days of account closure.
8.5 Logs
Server and application logs are retained for up to 90 days, save where required for an ongoing investigation.
8.6 Billing records
Invoices and accounting records are retained for 5 years from the end of the financial year, as required by Danish bookkeeping law (bogføringsloven).
8.7 Backups
Database backups are retained on a rolling basis (typically up to 30 days). Deleted records persist in backups until the relevant backup expires, after which they are overwritten.
9. Security
Bonzer applies technical and organisational measures appropriate to the risk under Article 32 GDPR, including:
Encryption. TLS for all traffic in transit; encryption at rest for databases and object storage; AES encryption for sensitive credentials (for example, integration OAuth refresh tokens) under a server-managed key.
Access control. Authentication via Clerk; least-privilege access to production systems; per-website authorisation checks on every API request; audit logs for sensitive administrative actions.
Isolation. Per-organisation and per-website scoping in the database and the vector index; uploaded documents are scoped to the website that owns them.
Operational practices. Code review, dependency scanning, monitored backups, and an established incident-response process.
No system is completely secure. Personal data breaches are notified to the customer (where Bonzer acts as processor) without undue delay and in any event within 48 hours of becoming aware (Section 9.8 of the Terms), and to supervisory authorities and affected individuals where required under Articles 33–34 GDPR.
10. Your rights
For personal data Bonzer holds as controller, you have the right of access (Article 15), rectification (Article 16), erasure (Article 17), restriction (Article 18), data portability (Article 20), and objection (Article 21) under the GDPR. Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing (Article 7(3)). To exercise these rights, email kontakt@bonzer.dk.
For personal data Bonzer holds as processor on your behalf (Customer Data), please raise the request in the Platform – for example, by deleting the relevant item or contacting your organisation administrator. Bonzer will assist you in responding to data-subject requests in accordance with Article 28(3)(e) GDPR.
You also have the right to lodge a complaint with the Danish Data Protection Agency (Datatilsynet, Carl Jacobsens Vej 35, 2500 Valby, Denmark – dt@datatilsynet.dk) or another competent supervisory authority in your place of residence.
11. Automated decision-making
The Platform produces AI-assisted analyses, recommendations, and content. These are decision-support outputs intended to be reviewed by you. Bonzer does not use the Platform to take decisions producing legal or similarly significant effects on individuals without human involvement (Article 22 GDPR).
12. Children
The Platform is intended for business use and is not directed at individuals under the age of 16. Customers must not use the Platform to process personal data of children where they do not have a lawful basis under Article 8 GDPR.
13. Changes to this Notice
Because the Platform is in closed beta and evolving rapidly, Bonzer expects to update this Notice from time to time. Non-material changes (for example, clarifying wording or adjusting the description of an existing sub-processor) take effect on publication. Material changes – for example, the introduction of a new category of personal data, a new purpose, or a new sub-processor that materially changes how Customer Data is processed – will be communicated via the Platform or by email before they take effect. The "Effective date" at the top of this page reflects the latest revision. Continued use of the Platform after the effective date constitutes acceptance.
14. Contact
Bonzer ApS Copenhagen, Denmark CVR: 38848267 Email: kontakt@bonzer.dk