Privacy Policy

Last updated: 12 May 2026

Boonful ("we", "us") is a publishing platform that lets creators publish products — books, courses, videos, podcasts, newsletters, apps — and lets readers subscribe to and pay for those products. This policy explains what we collect, why, how we use it, and your rights.

1. Information we collect

We only collect what is needed to operate the service:

• Account information. Your email address, display name, and password hash when you sign up. Optional profile photo if you upload one.
• Content you publish. If you publish products on Boonful, the text, images, audio, video, and metadata you upload.
• Subscription and follow records. When you subscribe to a creator or follow them, we record that relationship.
• Payment information. Card data is never seen or stored by Boonful — payments are processed by Stripe, who hold all card details. We retain only the Stripe customer ID, the transaction ID, and the amount.
• Operational logs. Standard request logs (IP address, user-agent, timestamp) for debugging, abuse prevention, and security. Logs are retained for up to 90 days.
• Cookies. A single first-party session cookie to keep you logged in. No third-party advertising cookies, no tracking pixels, no cross-site identifiers.

2. Why we collect it

• To create and authenticate your account.
• To deliver the products and features you sign up for.
• To send transactional email (account verification, password reset, login alerts, receipts, and per-user notifications you triggered).
• To process payments for paid products via Stripe.
• To prevent fraud and abuse.
• To comply with legal obligations.

3. Email we send

We send transactional email only — account verification, password resets, security alerts, receipts, and notifications you triggered through your own activity on the platform. We do not send newsletters, marketing campaigns, drip sequences, or cold outreach from your address.

Non-critical messages include a one-click unsubscribe header (RFC 8058) and a visible unsubscribe link. Security and account-critical messages follow the standard transactional exception.

4. Sharing with third parties

We do not sell your personal information. We share it only with the processors required to operate the service:

• Stripe — payment processing (stripe.com/privacy).
• Amazon Web Services (SES) — outbound transactional email (aws.amazon.com/privacy).
• Cloudflare — hosting, CDN, DNS, and email routing (cloudflare.com/privacypolicy).

Each processor is bound by their own data-protection commitments and processes data only under our instructions.

5. Your rights

You can, at any time:

• Access a copy of the personal data we hold about you.
• Correct anything that is inaccurate.
• Delete your account and the personal data associated with it.
• Export your data in a portable format.
• Object to or restrict certain processing.
• Lodge a complaint with your local data-protection authority (in the UK, the ICO).

Email privacy@boonful.io to exercise any of these rights. We respond within 30 days.

6. Data retention

Account data is retained for as long as your account is active. Request logs are retained for up to 90 days. When you delete your account, we delete the personal data associated with it within 30 days, except where we are legally required to retain certain records (for example, payment receipts under tax law).

7. Children

Boonful is not directed at children under 13 (or 16 in the EU/UK). We do not knowingly collect personal information from children under that age. If you believe a child has provided us with personal information, please email privacy@boonful.io and we will delete it.

8. International transfers

Our servers and processors are located in the United Kingdom, the European Union, and the United States. Where personal data is transferred outside the UK or EU, we rely on appropriate safeguards (Standard Contractual Clauses or equivalent).

9. Security

All traffic to Boonful is encrypted in transit (HTTPS). Passwords are stored hashed (never in clear text). Database backups and stored files are encrypted at rest. Access to production systems is limited to authorised personnel and protected by multi-factor authentication.

10. Changes to this policy

If we make material changes to this policy, we'll update the "Last updated" date above and, where appropriate, notify you by email. Continued use of Boonful after a change means you accept the updated policy.

11. Contact