We wrote this the way we'd want to read it: in plain English, without a law degree required. This covers two different experiences: our marketing site (the public pages at bndndbnd.com that anyone can browse) and the gift claim flow (the pages where someone redeems a gift we sent on a client's behalf). The claim flow is held to a much stricter standard — no marketing trackers, no ads, no profiling. We'll be clear throughout about which rules apply where.
If you're browsing our public website to learn about what we do, we collect standard analytics data so we can understand how visitors find and use the site:
| Information | How we get it |
|---|---|
| IP address, device, browser, operating system | Standard data sent by your browser to our analytics providers |
| Pages viewed, scroll depth, clicks, time on page | Logged by Google Analytics and Microsoft Clarity |
| Session recordings (anonymized cursor movement, clicks, scrolls) | Recorded by Microsoft Clarity. Form fields and sensitive text are masked. |
| Referral source (where you came from) | Read from the standard "referrer" HTTP header |
| Business demographics (industry, company size, role) — aggregated only | LinkedIn Insight Tag, only when you visit while logged into LinkedIn |
| Anything you type into a contact form | You enter it; we receive it by email |
We use this to improve the site and understand which channels (LinkedIn, search, referrals) bring us the right kind of visitors. We do not tie this to individual identities and we don't try to figure out who specifically visited.
The claim flow is a separate experience with stricter rules. We only collect what we actually need to get your gift to you. Here's the full picture:
| Information | How we get it |
|---|---|
| Name, email, company, job title | Provided to us by the company sending you the gift |
| Business delivery address (pre-filled, editable) | We look up your business address from publicly available sources — company websites, public business directories, professional listings — and pre-fill it on the claim form. You always see what we found and can confirm, edit, or replace it before anything ships. |
| Phone number (optional) | You enter this if needed for delivery coordination |
| Thank-you note (optional) | You write this if you choose to send one |
| Claim page activity | We log when the claim page was opened and when a gift was claimed |
That's the whole list for the claim flow. On claim pages we don't run third-party analytics, we don't fingerprint your browser, and we don't collect anything beyond what's in the table above.
Every piece of data we collect has a specific, single purpose:
Your name, email, company, and title come from the sender so we can personalize your gift experience and send you relevant emails (teaser, reveal, and delivery confirmation).
Your business address is looked up from publicly available sources (company websites, public business directories, professional listings) and pre-filled on the claim form. The goal is simple: instead of typing your address from scratch, you can confirm or correct what we found in one step. The final address is used exclusively to ship your gift. It's passed to the shipping carrier and to the bond&beyond operations team coordinating delivery. It goes nowhere else.
Your phone number, if you provide one, is used only for delivery coordination if the carrier needs to reach you.
Your thank-you note, if you write one, is shared with the person or company who sent you the gift. That's its only purpose. It's a nice thing to do.
Page activity is tracked so the company that sent you the gift can see their campaign performance (for example, "12 of 25 recipients claimed their gift"). No individual browsing data, no ad tracking.
About the address lookup: We only look up business addresses, never home addresses. The sources we use are public information that anyone with an internet connection can find. We do not buy data from data brokers, we do not use social media scraping, and we do not use any source that requires credentials or violates a site's terms of service. If you'd rather we not pre-fill an address, leave it blank on the claim form and enter your own — or skip the gift entirely. If you want to know exactly what we found about you, email bond@bndndbnd.com and we'll show you.
Three analytics providers process aggregated data about marketing site visits:
| Who | What they can see |
|---|---|
| Google (Google Analytics) | Page views, session data, traffic sources, and aggregated demographics. Google Privacy Policy. |
| Microsoft (Clarity) | Anonymized session recordings and heatmaps. Form fields and sensitive content are masked by default. Microsoft Privacy Statement. |
| LinkedIn (Insight Tag) | Aggregated visitor data tied to LinkedIn members who visit our site while signed in. Used for visitor demographics and ad measurement. LinkedIn Privacy Policy. |
Three groups, and here's exactly what each one sees:
| Who | What they can see |
|---|---|
| bond&beyond operations team | Everything needed to coordinate and deliver your gift: name, address, phone, email, and gift status |
| Shipping carrier | Your delivery address and name only, which is the minimum needed to deliver a package |
| The company that sent you the gift | Your name, whether you claimed your gift, and your thank-you note (if you wrote one). They do not see your home address. |
Important: The company that sent you the gift cannot see your delivery address. They see claim status and campaign metrics, not where you live. The three marketing-site analytics providers above do not receive any data from the claim flow.
A note on the marketing site: standard analytics tools (Google, Microsoft, LinkedIn) do use cookies and may enable LinkedIn to show you bond&beyond ads later if you visited our site. You can opt out via your browser settings, your LinkedIn ad preferences, or by declining cookies in the banner when one appears.
We don't hold onto your data longer than we need to.
Marketing site analytics data is retained by our analytics providers according to their own retention windows: Google Analytics is set to 14 months, Microsoft Clarity is approximately 13 months, and LinkedIn Insight Tag data is approximately 6 months.
Delivery addresses and phone numbers are automatically deleted 90 days after delivery confirmation. After that point, we no longer need them and we don't keep them.
Your name, email, and claim status are retained for campaign reporting purposes so the sender can see that their campaign was successful. If you'd like these deleted as well, just ask.
Thank-you notes are retained so the sender has a record of your message.
You can request full deletion of all your data at any time by emailing bond@bndndbnd.com. We'll confirm within 7 business days and complete the deletion promptly.
Regardless of where you're located, you can always:
Request a copy of your data. Email us and we'll send you everything we have on file for you within 7 business days.
Request correction. If anything we have on file is inaccurate, we'll fix it.
Request deletion. Ask us to delete everything and we'll do it. There's no catch, no fee, no hoops.
All requests go to bond@bndndbnd.com. We aim to respond within 7 business days.
If you're in the European Union, EEA, or UK, a few additional things are worth knowing:
Legal basis for processing: We process your data on the basis of legitimate interest, specifically fulfilling a gift delivery that was initiated on your behalf by the sending company.
Data location: Your claim flow data is stored and processed in the United States via Supabase (database) and Vercel (infrastructure). Marketing site analytics are processed by Google (Google Analytics), Microsoft (Clarity), and LinkedIn (Insight Tag) — all of which operate under their own GDPR compliance frameworks and Standard Contractual Clauses. All providers have appropriate data processing agreements in place.
Right to erasure: You can request deletion of all your data at any time. We'll comply promptly.
Right to object: If you have concerns about how we're processing your data, email us. We take these seriously.
Data from public sources: As required by GDPR Article 14, we want to be explicit: your business address may be obtained from publicly available sources (company websites, public business directories, professional listings) rather than directly from you. You have the right to know what we found, to correct it, or to ask us to delete it. Email bond@bndndbnd.com for any of these.
For GDPR-related inquiries, contact bond@bndndbnd.com.
Our service is intended for business use. We do not knowingly collect personal information from anyone under the age of 16. If you believe we've inadvertently collected information from a minor, please contact us immediately at bond@bndndbnd.com and we will delete it.
We keep this simple for a reason. If you have any questions about how we handle your data, or if you want to exercise any of your rights, reach out directly. A real person will respond.
Questions, data requests, or anything else privacy-related.
We respond within 7 business days.
This policy may be updated from time to time. We'll update the effective date at the top when it changes. Material updates will be communicated to affected recipients by email.