Privacy Policy
Effective Date: 22 March 2026
BananaBond is committed to protecting your personal data. This Privacy Policy explains what data we collect, why we collect it, and your rights under the General Data Protection Regulation (GDPR) and Maltese data protection law.
2.1 Who We Are (Data Controller)
BananaBond is operated by an individual based in Malta. As data controller, we determine how and why your personal data is processed. Contact: help@bananabond.com
2.2 Data We Collect
We collect the following categories of personal data:
- Identity & account data: name, email address, and authentication credentials — collected via Clerk
- Payment data: billing information, transaction records — processed by Stripe (we do not store raw card details)
- Usage data: study progress, deck interactions, session activity — stored in our Convex database
- User-generated content: flashcard decks and content you create or upload
- Communications: messages you send to us for support purposes
- Analytics data: page views, session duration, device type — collected via Google Analytics
2.3 Legal Basis for Processing (GDPR Article 6)
- Contract performance: to provide the Service you have signed up for (Art. 6(1)(b))
- Legitimate interests: to improve the platform, prevent abuse, and ensure security (Art. 6(1)(f))
- Legal obligation: to comply with applicable laws including tax and consumer protection requirements (Art. 6(1)(c))
- Consent: for non-essential analytics and cookies, where required (Art. 6(1)(a))
2.4 Third-Party Processors
We share data with the following processors, each subject to appropriate data protection agreements:
- Clerk (auth.clerk.com) — authentication and identity management
- Stripe (stripe.com) — payment processing
- Convex (convex.dev) — backend database and server functions
- Cloudinary (cloudinary.com) — image and media hosting
- OpenAI (openai.com) — AI-powered flashcard generation and answer marking
- Google Analytics (Google LLC) — usage analytics. Data may be transferred to the United States under Standard Contractual Clauses
- Resend (resend.com) — transactional email delivery
- Vercel (vercel.com) — hosting and deployment
2.5 International Data Transfers
Some processors listed above are based outside the European Economic Area (EEA), including the United States. Where such transfers occur, we rely on European Commission Standard Contractual Clauses (SCCs) or adequacy decisions to ensure an adequate level of protection for your data.
2.6 Data Retention
We retain personal data for as long as your account is active or as necessary to provide the Service. Account data is deleted within 30 days of account deletion. Payment records are retained for 7 years in accordance with Maltese tax law. Analytics data is retained per Google Analytics' default retention settings.
2.7 Your Rights Under GDPR
You have the following rights regarding your personal data:
- Right of access — request a copy of the data we hold about you
- Right to rectification — request correction of inaccurate data
- Right to erasure — request deletion of your data (‘right to be forgotten’)
- Right to restriction — request that we limit processing of your data
- Right to data portability — receive your data in a structured, machine-readable format
- Right to object — object to processing based on legitimate interests
- Right to withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior processing
To exercise any of these rights, contact us at help@bananabond.com. We will respond within 30 days. You also have the right to lodge a complaint with the Office of the Information and Data Protection Commissioner (IDPC) in Malta.
2.8 Data Security
We implement appropriate technical and organisational measures to protect your personal data, including encrypted data transmission (TLS), access controls, and secure third-party infrastructure. No system is completely secure; if you become aware of any breach, please notify us promptly.
2.9 Children's Privacy
Students under 18 may use the Service with parental or guardian consent. We do not knowingly collect data from children under 13. If we become aware that data has been collected from a child under 13 without parental consent, we will delete it promptly.
2.10 Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via the platform or by email. Continued use of the Service after changes constitutes acceptance.