Skip to content
Skip to content

Privacy Policy

Last updated: June 12, 2026

1. Data controller

PACIFIK'AI (French Polynesia) operates Bonfire and is the data controller for your account and platform data. You can reach us about privacy at [email protected]. Each community ("tenant") you join is a separate controller for the content its members post inside it.

2. Data we collect

Account data (email, name, profile, avatar), community content you create (posts, messages, comments), membership and role data, billing metadata (plan, subscription status — card data is handled by our payment providers, not us), and technical/usage data (IP, device, log and — only with your consent — analytics and session data).

3. Purposes and legal bases

We process data to: provide the service and your account (Art. 6(1)(b) contract); keep the platform secure, prevent abuse and debug errors (Art. 6(1)(f) legitimate interest); bill paid plans (Art. 6(1)(b)/(c)); and — only where you have accepted non-essential cookies (Art. 6(1)(a) consent) — measure product usage and record diagnostic session replays. You can withdraw consent at any time via the cookie banner.

4. Sub-processors

We rely on these processors, each under a data-processing agreement:

  • Supabase — database, authentication and storage (encryption at rest and in transit).
  • Brevo — transactional email (sign-up, recovery, invitations, digests).
  • Freemius — Merchant of Record for platform subscriptions (billing & card data).
  • Stripe — payment processing where a community enables its own member billing.
  • PostHog — product analytics (EU region), loaded only with your consent.
  • Sentry — error monitoring; session replay loads only with your consent and masks text.

5. Retention

Account and content data are kept while your account is active and deleted within 30 days of account deletion (backups roll off within 90 days). Billing records are kept as required by law. Consent-gated analytics data is retained per the processor's default (PostHog/Sentry) and dropped when you withdraw consent.

6. International transfers

Where data is processed outside your region, transfers rely on the processor's Standard Contractual Clauses / adequacy mechanisms.

7. Your rights

You have the right to access, rectify, erase, restrict, port and object to processing of your personal data, and to withdraw consent. Email [email protected] to exercise them. You may lodge a complaint with your local data-protection supervisory authority.

8. Contact

For any privacy-related question, contact us at [email protected].

Founders Together