Privacy Policy

Last updated: 2026-05-28 — Version 3

bona is a tool for newsletter operators to share live media kits and send post-send sponsor reports. This page explains what data we collect, why, and what we do with it.

What we collect

From operators (you)

  • Email address (when you sign up).
  • API keys (encrypted at rest, never logged, decrypted only at use).
  • Newsletter metadata pulled from your platform (publication name, post titles, post performance metrics).
  • Usage data (what pages you visit in the dashboard, what features you use, errors you hit). Tracked in PostHog.
  • Billing information, processed by Stripe. We never see or store full credit card numbers.
  • Any information you put in support emails.

From kit page viewers (sponsors who view your shared URLs) and any other public page

bona uses PostHog (a product-analytics service) on every page of bona.works, loaded first-party through k.bona.works. On kit pages and elsewhere on the public site, PostHog records:

  • Page-view events (which page, when, the referrer).
  • A session replay — a recording of the page’s DOM events, scrolls, hovers, and clicks. Input values are masked at the recording layer; any element marked data-private is also masked. Mouse movements and click positions are recorded. Canvas content is not.
  • Web vitals (LCP, CLS, INP, FID, TTFB) for performance monitoring.
  • Browser type, language, and viewport size.
  • An opaque PostHog distinct-id, device-id, and session-id stored in browser cookies/localStorage (see the Cookie Policy for the exact storage keys and how to opt out).
  • On /kit/… pages: bona’s server also sets bona_sid_anon, an HMAC-signed anonymous identifier (no IP, no user-agent, no PII). The in-page PostHog script bootstraps with the same identifier so a returning sponsor is not counted twice across the server-side capture and the client-side script.

We do NOT collect, store, or transmit sponsor email addresses, IP addresses (server-side capture is processed by PostHog with the standard first-party defaults; the address is not stored in our database), or names from kit-page views.

Sponsors can opt out by enabling Do Not Track in their browser (we honor the DNT signal — no PostHog cookies are set and no events are sent), by blocking ph_* and bona_sid_anon cookies, or by using a tracker-blocking browser extension. The kit page renders and functions identically when analytics is blocked.

From sponsors (when you schedule a slot for them)

  • Sponsor name and email (entered by you).
  • Their email is used only to send the post-send report.

What we don’t collect

  • Subscriber email addresses from your newsletter platform. We pull aggregate stats only.
  • Subscriber names, demographics, or any per-person data.
  • Phone numbers.
  • Physical addresses (unless you opt to share for invoicing).
  • Any data we don’t need to provide the service.

What we do with it

  • Provide the service: show you your dashboard, render your kit pages, send post-send reports.
  • Improve the product: look at usage patterns to find friction.
  • Communicate: send transactional emails (login links, billing receipts, error alerts), and (if you opt in) occasional product updates.
  • Bill you: through Stripe.

What we don’t do with it

  • We never sell your data.
  • We never use your data to train AI models.
  • We never share your data with third parties except service providers (PostHog, Stripe, Resend, Fly.io) who process it on our behalf.
  • We never use subscriber email addresses for any purpose. We don’t have access to them.

Where it lives

  • Hosted on Fly.io (US regions primarily, multi-region as we scale).
  • Postgres database (Fly.io managed).
  • File storage (Cloudflare R2).
  • Analytics (PostHog Cloud, US region).
  • Payments (Stripe).
  • Email delivery (Resend).

All providers are vetted for their privacy practices and (when applicable) sign Data Processing Agreements with us.

Your rights

You can:

  • See your data: every piece we have on you is exportable as CSV/JSON from your account.
  • Delete your data: account deletion removes all your data within 30 days, except where we’re legally required to retain (e.g., billing records for 7 years).
  • Stop us using your data: opt out of analytics tracking via account settings; we’ll respect Do Not Track headers.
  • Ask us anything: email privacy@bona.works and you’ll get a real human reply.

Children

This service is not directed at users under 16. We do not knowingly collect data from children.

How long we keep data

  • Active operator data: as long as your account is active.
  • Cancelled accounts: 30 days for restoration, then deleted.
  • Billing records: 7 years (US tax requirement).
  • Aggregated analytics: indefinitely (cannot be linked back to individuals).

Changes to this policy

We’ll email all current operators 30 days before any material change. Minor wording fixes don’t get an email.

Contact

Privacy questions: privacy@bona.works. General support: support@bona.works.

← Back to bona