Privacy at Bonusly
At Bonusly, security and data privacy aren’t just checkboxes - they’re a core part of how we operate. We know that when you entrust us with your team’s data, you expect us to protect it. This article outlines our general privacy and security practices, answers common questions, and points you to additional resources to help your team feel confident using Bonusly.
For our full security documentation and access to compliance reports, visit bonusly.com/security, and review our Privacy policy.
What data does Bonusly collect?
Bonusly only collects the minimum amount of information necessary to operate your recognition program effectively. Required fields include:
First name
Last name
Work email address
Additional optional fields used to enable specific features include:
Department
Office location
Hire date (for work anniversary celebrations)
Birth month and day (for birthday celebrations)
You are always in control of the user data shared with Bonusly. Information can be uploaded manually, imported via SFTP integration, or synced through HRIS connections.
How is personal data protected?
All data, including any personally identifiable information (PII), is securely stored and processed in AWS US-East region data centers. Bonusly maintains:
SOC 2 Type II compliance
GDPR and CCPA compliance
Compliance under EU-U.S., Swiss-U.S., and UK extension Data Privacy Frameworks
Role-based access controls with strict internal permissions
Secure SFTP, HTTPS encryption, and audit logging
Access to sensitive data is limited to authorized personnel only. Policies and procedures are reviewed internally at least every 6 months to ensure we meet evolving privacy standards.
How does Bonusly handle 1:1 meeting data?
Bonusly's 1:1 feature lets any two people at your organization have private conversations—complete with talking points, check-ins, notes, and optional meeting transcripts. Here's how we protect this content:
Only you and your 1:1 partner can see your meeting data. Shared notes, check-ins, transcripts, and summaries are visible only to the two of you. Private notes stay completely personal—the other person won't see them.
Admins can't access your conversations. Company admins can't browse or search individual 1:1 notes or transcripts, even with access to other analytics tools. They see only aggregate engagement and adoption metrics (like how many 1:1s are happening across the company), never the underlying conversation content.
Data exports are rare and controlled. For organizations on the Organization plan, global admins can submit a request through Bonusly Support if they need a scoped export of 1:1 content between two specific people—for example, to fulfill a data subject access request or meet legal obligations. These requests are:
Reviewed and processed by Bonusly's support and security teams
Logged and handled according to our privacy and security policies
Limited in scope to the specific people and timeframe required
What about Bizy? When you use Bizy to prepare for a 1:1, it can access shared notes, past meeting summaries, and transcripts -- but only for meetings where you are a participant. Bizy follows the same access rules as the 1:1 feature itself: it can't see meetings you're not part of, and it can't see your partner's private notes.
How do we notify customers of policy changes?
We notify Global Admins via email at least 30 days in advance of any data privacy policy changes taking effect, giving your organization time to review and adjust as needed.
How do we use AI and what does it mean for data privacy?
AI in Bonusly is designed with user privacy in mind. Here's how we handle data across our AI-powered features.
Bizy: direct AI chat
Bizy is an AI assistant you can chat with directly inside Bonusly. It helps with recognition, 1:1 prep, team insights, and answering questions about Bonusly. Because Bizy is a conversational AI experience, it's worth understanding how your data is handled:
What Bizy can access:
Your recognition history (given and received)
1:1 meeting notes, summaries, and transcripts -- only for meetings where you are a participant
Check-in trends, milestones, and goals
Org structure and team relationships
Advice -- only advice you've given, received, or that's been shared with you
What Bizy cannot access:
Meetings you're not a participant in
Your 1:1 partner's private notes
Advice not shared with you
Sensitive account fields like passwords, tokens, or IP addresses
How conversations are handled:
Your Bizy conversations are stored so you can return to them later
Only you can see your conversations -- company admins cannot browse or search them
You can delete any conversation at any time from the chat panel
Your name and email are included in the prompt so Bizy can personalize responses
What data is sent to AI providers:
Your messages, Bizy's responses, and any data retrieved by Bizy's tools are processed by our AI providers (currently OpenAI and Anthropic)
Our AI providers do not train their models on Bonusly data
We send only the data needed to answer your question -- Bizy retrieves information on demand, not in bulk
Behind-the-scenes AI features
For features like recognition suggestions, meeting summaries, and advice improvement, we send only the minimum text needed to generate a result -- for example, the text of a recognition post or meeting transcript. These features don't involve free-form chat and process only the specific content they're working with.
Business verification (KYB)
When a company signs up, we may use AI to run compliance checks using public business information and customer-provided details (company name, domain, billing address). This is business-level screening only -- we don't use individual employee data, recognition content, or 1:1 transcripts for risk scoring.
Customer support
Our support team uses an AI-powered assistant to help answer questions faster. It can reference limited account context using secure, short-lived session access that expires automatically, and is only used to retrieve the minimum information needed to answer your question. With proper admin authorization, it can complete tightly scoped actions (like refunding a failed reward redemption), and those actions are logged. If the assistant can't resolve your issue, it routes you to a human.
What we don't do with AI
We don't use AI to make employment or performance decisions about individuals
Our AI providers don't train their models on your data
We don't replace human judgment in compliance or support decisions -- humans always have final say
We don't send private 1:1 notes, HR performance data, or full recognition feeds to AI models for risk scoring
Learn more about our AI vendors' data handling:
Who manages security at Bonusly?
Our cross-functional security team includes:
CTO (also serves as Data Protection Officer)
SVP of Engineering
Senior CloudOps Engineer
Head of People Operations
Senior Talent Partner
This team oversees our compliance programs, vendor vetting, and incident response protocols, ensuring we always meet the highest standards for your data.
Can users request access or deletion of their data?
Yes. In line with GDPR and CCPA regulations, individuals can access, update, or delete their personal information from Bonusly upon request. Admins can also manage user data directly via the Admin Panel.
Where can I learn more?
For detailed information, compliance documentation, and downloadable certification reports, visit our official trust page: https://bonusly.com/security
If you have additional questions or would like to speak with our security and compliance team, reach out to your Customer Success Manager or contact Bonusly Support.
