Bonmoniq legal
Privacy Policy
- Last updated
- 2026-06-21
This English version is provided for information as a free translation. The French version is the official legal version. If there is any conflict, the French version prevails.
Identity of the controller
Bonmoniq is the data controller for personal data processed to operate the website, provide the Service, manage accounts, handle billing, maintain security, and communicate with users.
| Information | Detail |
|---|---|
| Controller | Bonmoniq SASU |
| Legal form | SASU, Société par Actions Simplifiée Unipersonnelle (single-shareholder) |
| SIREN | 104 435 557 |
| Head-office SIRET | 104 435 557 00012 |
| RCS | Paris |
| Registered address | 47 rue Vivienne, 75002 Paris, France |
| Legal representative | Dmitrii Poroshkov, President |
| Privacy contact | privacy@bonmoniq.com |
| Legal contact | legal@bonmoniq.com |
| Data protection officer | No DPO is designated; privacy@bonmoniq.com is the data-protection point of contact |
Data categories
Bonmoniq processes account data, billing data, connection logs, usage data, support data, and cookie-related data as necessary to operate the website and Service.
Purposes, legal bases and retention
| Purpose | Legal basis (Article 6 GDPR) | Retention |
|---|---|---|
| Provide the Service, manage the Account and Users | Performance of the contract, Art. 6(1)(b) | Duration of the contract, then up to 6 months on the zero-euro tier before deletion |
| Billing, invoicing and accounting | Legal obligation, Art. 6(1)(c) | 10 years (French Code de commerce, Art. L123-22) |
| Security, fraud prevention, abuse limitation, connection logs | Legitimate interest, Art. 6(1)(f) - securing the network and the Service | Up to 12 months for security and connection logs |
| Customer support | Performance of the contract, Art. 6(1)(b) | Duration of the contract plus a limited evidential period |
| Direct communications to existing business customers | Legitimate interest, Art. 6(1)(f) - promoting similar services | Until objection, then suppression-list only |
| Non-essential cookies and marketing, if activated | Consent, Art. 6(1)(a) | See the Cookie Policy |
Where Bonmoniq relies on legitimate interest, a balancing test is carried out and is available on request. Where Bonmoniq relies on consent, it can be withdrawn at any time, as easily as it was given, without affecting processing carried out before withdrawal (Article 7(3) GDPR).
Processors and sub-processors
| Processor | Service | Location | Safeguards |
|---|---|---|---|
| Cloudflare Inc. | Delivery of the website and Service interface, DNS, CDN, DDoS protection, network security and edge caching | United States, with a global edge network | Standard Contractual Clauses, DPF where certified and applicable contractual safeguards |
| Cloudflare Web Analytics | Cookieless audience measurement and Core Web Vitals | United States, with a global edge network | Cookieless analytics meeting CNIL exemption conditions |
| Stripe Technology Europe Limited | Payment processing when enabled | Ireland, EU (registered office: 1 Grand Canal Street Lower, Grand Canal Dock, Dublin 2) | EU processor, GDPR-native |
| Qonto / Olinda SAS | Business banking and related payment services | France, EU | Payment institution regulated by the ACPR, GDPR-native |
| Twilio Inc. | Telephony number provisioning, voice and SMS routing for US and international numbers | United States | Standard Contractual Clauses and EU-US Data Privacy Framework |
| Sinch AB | Telephony number provisioning, voice and SMS routing for EU numbers | Sweden, EU | EU processor, GDPR-native |
| Telnyx LLC / Telnyx Ireland Limited | Telephony number provisioning, voice and SMS routing | United States and Ireland, EU | Standard Contractual Clauses and EU-US Data Privacy Framework for US processing |
The AI voice agent runs on Bonmoniq's own infrastructure using Bonmoniq's own language models; AI conversation content is not disclosed to any third-party AI provider.
Planned integrations: Bonmoniq plans to offer WhatsApp Business messaging. This feature is not active yet. When it is activated, Meta Platforms Ireland Limited will act as a sub-processor (with onward transfers to the United States), and this policy and the sub-processor list will be updated before the feature is enabled.
Bonmoniq does not sell users' personal data.
Data processed by AI voice agents
When the Customer enables an AI voice agent in the Service, conversations are processed on Bonmoniq's own infrastructure using Bonmoniq's own language models. AI conversation content is not transmitted to, or processed by, any third-party AI provider.
Bonmoniq uses US technology for website delivery and network security (Cloudflare). Telephony number provisioning and voice and SMS routing rely on a mix of EU and US carriers depending on the country of the number (see the sub-processor table above); transfers to US carriers are governed by the safeguards described below.
Bonmoniq is designed to support AI disclosure at the beginning of each call so that Customers can prepare for the transparency obligations in Article 50 of the EU AI Act, which apply from 2 August 2026.
Call recording, transcription and people you contact
Where the Customer enables call recording or transcription, the recorded or transcribed content may contain special categories of data (Article 9 GDPR) spoken by participants. For this content the Customer is the controller and is responsible for informing participants and obtaining any consent required by the applicable recording-consent rules. Bonmoniq acts as processor under the Data Processing Agreement and processes this content on its own infrastructure.
Bonmoniq also processes limited data about people the Customer calls or messages and about inbound callers, such as phone numbers, timestamps and routing metadata, to operate and secure the Service. Where Bonmoniq acts as controller for these purposes, it relies on its legitimate interest in operating and securing the network (Article 14 GDPR); the data is obtained through the Customer's use of the Service.
Transfers outside the EU
Some processors and carriers are established in the United States or may process technical, support, security, telephony, or payment data from the United States. Transfers outside the EU are governed by the safeguards set out in Articles 44 to 49 GDPR, principally the Standard Contractual Clauses and, where the recipient is certified, the EU-US Data Privacy Framework. Voice and SMS traffic for EU numbers is routed through EU-based carriers; voice and SMS traffic for US and international numbers, together with certain routing metadata (such as calling and called numbers, timestamps and signalling data), may be processed by US carriers under those safeguards. AI conversation content is processed on Bonmoniq's own infrastructure and is not routed to any third-party AI provider.
US providers and the CLOUD Act
Bonmoniq cannot guarantee complete independence from US law. Providers established in the United States, or their US parent companies, may be subject to US legislation such as the CLOUD Act, which can in principle require them to disclose data they hold regardless of where it is stored. Bonmoniq reduces this risk through data minimisation, encryption in transit and at rest, EU-based routing of voice and SMS for EU numbers, contractual safeguards (Standard Contractual Clauses and, where applicable, the EU-US Data Privacy Framework), and by keeping AI processing on its own infrastructure.
Retention
Account data is retained for the contractual relationship and a limited post-termination period where necessary for evidence, security, and legal obligations. Billing data and invoices are retained for the legally required accounting period. Connection logs are retained for security and legal purposes. Free-tier data after cancellation may be deleted after 6 months in accordance with the Fair Use Policy and GDPR obligations.
Rights of data subjects
Under Articles 15 to 22 GDPR, data subjects may exercise rights of access, rectification, erasure, restriction, portability, objection, and consent withdrawal by contacting privacy@bonmoniq.com.
In particular, data subjects have the right to object at any time, on grounds relating to their particular situation, to processing based on legitimate interest (Article 21 GDPR), and to withdraw consent at any time without affecting processing carried out before withdrawal (Article 7(3) GDPR).
Bonmoniq does not take decisions producing legal or similarly significant effects based solely on automated processing, including by the AI voice agent (Article 22 GDPR).
Data subjects may lodge a complaint with the CNIL (www.cnil.fr) and also with the supervisory authority of their own EU or EEA country of residence or workplace.
Security
Bonmoniq applies TLS for communications, access control for production systems, strong authentication for administrative accounts, logging of security events, and contractual controls with relevant processors.
Cookies
Cookies and trackers are described in the Cookie Policy. Non-essential cookies are placed only after consent where required.
Governing law and jurisdiction
This Privacy Policy is governed by French law and EU data protection law. For disputes between professionals, the Paris Commercial Court has exclusive jurisdiction, subject to mandatory contrary provisions.
Last updated: 21 June 2026 For any question regarding this document, contact us at privacy@bonmoniq.com.