Privacy Policy
Last Updated: June 12, 2026
1. Introduction
Murdock Solutions LLC d/b/a BonusBell ("BonusBell," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use www.bonusbell.com and related services (collectively, the "Platform").
BonusBell provides gambling-related informational tools, educational resources, staged live-odds tools, calculators, and bonus-tracking features. We are not a gambling operator — we do not accept wagers, process gambling transactions, or operate any games of chance involving real money.
By using the Platform, you consent to the practices described in this Privacy Policy. If you do not agree, please do not use the Platform. This Privacy Policy is incorporated into and subject to our Terms of Service.
2. Definitions
- "Personal Information" means information that identifies, relates to, or could reasonably be linked to you or your household, as defined under applicable state privacy laws.
- "Processing" means any operation performed on Personal Information, including collection, use, storage, disclosure, and deletion.
- "Service Provider" means a third party that processes Personal Information on our behalf pursuant to a written contract.
- "Practice Games" means our educational simulation games that use virtual currency with no real-money value.
3. Information We Collect
In plain English: We collect what you give us (account info, preferences, saved workflows), what your device tells us automatically (IP, browser, cookies), and limited authentication metadata when you sign in with email, Google, or Apple. BonusBell does not currently sell public paid memberships. If paid access opens later, Stripe will handle payment details and we will not see your full card number.
Information You Provide Directly
- Account Information: Email address, password, display name, profile photo
- Profile Data: State/location, gambling preferences, saved platforms, manual platform notes, social links
- Saved Workflow Data: Betting notes, saved slips, tracked bonuses, preferences, and platform selections you choose to store in your account.
- Responsible Gaming Data: Self-exclusion selections, PGSI (Problem Gambling Severity Index) self-assessment responses, activity limit preferences, and session duration settings
- User Content: Posts, picks, comments, ratings, and other content you submit
- Communications: Support tickets, feedback, contact form submissions, and email correspondence
- Age Verification: Confirmation that you are 18 years of age or older
- Payment Information: BonusBell does not currently sell public paid memberships or require a credit card for free accounts. If you later opt in to a paid plan or have a legacy billing record, billing is handled by Stripe, Inc. We never receive, process, or store your full credit card number, CVV, or banking details. We receive only billing status and limited transaction metadata needed to administer that opt-in or legacy record.
Information Collected Automatically
- Device Data: IP address, browser type and version, operating system, device type, screen resolution, and language preferences
- Usage Data: Pages viewed, features used, click patterns, session duration, referring URLs, and navigation paths
- Location Data: General geographic location (jurisdiction and country level) derived from your IP address via ip-api.com — used to display platforms relevant to your selected region. We do not collect precise GPS location.
- Push Notification Subscriptions: If you opt in to push notifications, we store browser push subscription details with your Supabase device preferences to deliver notifications to your device
- Client-Side Storage: We use localStorage (calculator settings, theme preference, UI state) and sessionStorage (temporary form data) in your browser. This data remains on your device and is not transmitted to our servers unless you explicitly submit it.
- Practice Game Data: Game selections, simulated bet amounts, and strategy choices within our Practice Games are processed entirely client-side using your browser's Web Crypto API. This data is not transmitted to or stored on our servers.
- Cookies and Similar Technologies: See Section 6 for detailed cookie information
- Log Data: Server logs including access times, error reports, and request metadata, retained for 30 days
Information from Third Parties
- OAuth Providers: If you use Google or Apple sign-in, we may receive your email address, name, profile photo, provider account identifier, and authentication metadata from the OAuth provider when supplied. We do not receive your Google or Apple password.
- Analytics Services: Aggregated and anonymized usage data from Google Analytics 4 and Vercel Analytics
- Referral Data: Information about how you were referred to our Platform (e.g., UTM parameters, referring domains)
4. How We Collect Information
We collect information through the following methods:
- Direct Collection: When you create an account, update your profile, submit content, contact support, request launch-status updates, or later opt in to a paid plan if one becomes available
- Automated Collection: Through cookies, server logs, analytics tools, and similar technologies as you interact with the Platform
- Third-Party Sources: From analytics services, referral tracking, and OAuth authentication providers when you choose Google or Apple sign-in.
- Derived Data: We derive your jurisdiction-level location from your IP address to display region-appropriate platform availability. This is an automated process — see Section 11 for your rights regarding automated decisions.
5. How We Use Your Information
We use your information for the following purposes:
Service Provision
- Create, maintain, and secure your account
- Provide personalized platform recommendations based on your selected jurisdiction and preferences
- Deliver push notifications (if you opt in)
- Administer legacy billing records or future opt-in paid plans through Stripe if paid access becomes available
- Manage responsible gaming features (self-exclusion, activity limits, PGSI assessments)
Communication
- Send transactional emails (account verification, password resets, subscription confirmations)
- Respond to support inquiries and feedback
- Send marketing communications (with your consent; you may opt out at any time)
Improvement and Analytics
- Analyze usage patterns to improve the Platform
- Monitor performance, uptime, and error rates
- Conduct A/B testing and feature development
Legal and Safety
- Enforce our Terms of Service and prevent fraud or abuse
- Comply with legal obligations, including tax and regulatory requirements
- Protect the rights, safety, and property of BonusBell, our users, and the public
8. Third-Party Services
The following third-party services process data in connection with the Platform:
| Service | Data Shared | Purpose |
|---|---|---|
| Supabase | Account data, profile data, saved content, session metadata | Authentication, database, account storage |
| Browser Push API | Push subscription details stored with Supabase device preferences | Optional browser notification delivery |
| Stripe, Inc. | Billing status and limited transaction metadata only for legacy records or future opt-in paid plans | Legacy/future paid-plan billing if enabled (PCI DSS Level 1) |
| Google Analytics 4 | Anonymized usage data | Analytics |
| Vercel | Performance data, IP (anonymized) | Hosting, edge delivery, analytics |
| SendGrid (Twilio) | Email address, name | Transactional and marketing emails |
| SportsGameOdds | None (inbound data only) | Sports odds data provider |
| ip-api.com | IP address | Geolocation (jurisdiction-level region detection) |
| Google / Apple OAuth | OAuth identifiers, email, name, profile image, and session metadata when provided | Optional social sign-in authentication |
Each third-party service processes data under its own privacy policy. We encourage you to review their policies. BonusBell is not responsible for the privacy practices of third-party services.
9. Data Retention
In plain English: We keep your data only as long as needed. Account info goes away within 30 days of deletion. Self-exclusion records are permanent (that's by design — to protect you). Payment records stay for 7 years because tax law requires it.
| Data Type | Retention Period | Legal Basis |
|---|---|---|
| Account information | Until deletion request + 30 days | Service provision |
| product analytics events | Until you clear them or delete your account | User control |
| Self-exclusion records | Permanent (irreversible by design) | Responsible gaming obligation |
| PGSI assessment data | Until account deletion | Responsible gaming |
| Subscription / payment records | 7 years after last transaction | Tax and legal compliance |
| Server logs | 30 days | Security and debugging |
| Analytics data (GA4) | 26 months | Analytics retention setting |
| Push notification tokens | Until you unsubscribe or delete your account | Service provision |
| Cookie consent preferences | 1 year | Legal compliance |
| Practice game data | Client-side only (never transmitted) | N/A — stays on your device |
After account deletion, some anonymized or aggregated data may be retained for analytics purposes. Anonymized data cannot be linked back to you.
10. Data Security
We implement reasonable administrative, technical, and physical security measures to protect your information, including:
- Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.3
- Encryption at rest: Account and product data stored in Supabase/Postgres is encrypted at rest under Supabase's managed infrastructure
- PCI DSS Level 1 compliance: If paid access is enabled later or a legacy billing record exists, payment processing is handled by Stripe, which maintains PCI DSS Level 1 certification. BonusBell never receives or stores raw credit card data.
- Authentication security: Passwords are hashed using industry-standard algorithms through Supabase Auth. Google and Apple OAuth sign-in is handled through Supabase Auth and the selected OAuth provider; BonusBell never receives your Google or Apple password.
- Access controls: Role-based access controls limit employee and administrator access to Personal Information on a need-to-know basis
- Infrastructure: Our Platform is hosted on Vercel with Supabase-managed database and authentication infrastructure
However, no method of transmission or storage is 100% secure. We cannot guarantee absolute security of your information.
Data Breach Notification
In the event of a data breach that compromises your Personal Information, we will:
- Notify affected users via email and/or prominent Platform notice
- Comply with applicable breach notification laws, including Virginia (Va. Code § 18.2-186.6 — notification without unreasonable delay, not to exceed 60 days from discovery)
- Provide a description of the breach, the types of information involved, steps we are taking, and contact information for questions
- Notify applicable regulators or attorneys general as required by law
11. Your Privacy Rights
In plain English: No matter which supported BonusBell market you live in, you can access, correct, or delete your data. Many regions give you additional rights like data portability and the right to opt out. We never discriminate against you for exercising your privacy rights.
Universal Rights (All Users)
Regardless of your place of residence, you have the right to:
- Access: Request a copy of the Personal Information we hold about you
- Correction: Request correction of inaccurate Personal Information via your settings or by contacting us
- Deletion: Request deletion of your account and associated data by contacting privacy@bonusbell.com or through your account settings. We will process your request within 30 days.
- Opt-Out of Marketing: Unsubscribe from marketing emails at any time by clicking "unsubscribe" in any email or updating your notification preferences
- Push Notification Control: Disable push notifications through your device settings or notification preferences
Automated Decision-Making
We use automated processing to determine your jurisdiction-level region from your IP address, which affects which gambling platforms are displayed as available to you. This is an informational display — it does not prevent you from accessing any feature of BonusBell itself. You may manually select a different supported region in your profile settings.
Exercising Your Rights
To exercise any privacy right, contact us at privacy@bonusbell.com. We will verify your identity before processing your request. We will not discriminate against you for exercising your privacy rights.
12. California Privacy Rights (CCPA/CPRA)
In plain English: California residents get extra rights under the CCPA: you can see exactly what data we have, tell us to delete it, and opt out of any "sale" (though we don't sell your data). We respond within 45 days.
If you are a California resident, you have rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA, Cal. Civ. Code § 1798.100 et seq.):
Categories of Information Collected
- Identifiers: Email address, IP address, display name, account ID
- Commercial Information: Legacy billing status, future opt-in subscription history, and transaction records where applicable (via Stripe)
- Internet/Electronic Activity: Browsing history on the Platform, interaction data, search history
- Geolocation Data: Jurisdiction-level region derived from IP address
- Inferences: Platform preferences, regional availability filtering
Your CCPA/CPRA Rights
- Right to Know / Access: Request the categories and specific pieces of Personal Information we have collected about you
- Right to Delete: Request deletion of your Personal Information
- Right to Correct: Request correction of inaccurate Personal Information
- Right to Opt-Out of Sale/Sharing: We do not sell your Personal Information. We do not share your Personal Information for cross-context behavioral advertising.
- Right to Limit Use of Sensitive Information: We do not use sensitive personal information for purposes beyond what is necessary to provide the services
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights
How to Exercise: Contact us at privacy@bonusbell.comwith the subject line "CCPA Request." We will verify your identity and respond within 45 days (with one 45-day extension if necessary).
Authorized Agents: You may designate an authorized agent to submit requests on your behalf. The agent must provide proof of authorization (such as a signed letter or power of attorney).
13. Virginia Privacy Rights (VCDPA)
If you are a Virginia resident, you have rights under the Virginia Consumer Data Protection Act (Va. Code § 59.1-575 et seq.):
- Right to Access: Confirm whether we are processing your Personal Information and access that data
- Right to Correct: Correct inaccuracies in your Personal Information
- Right to Delete: Request deletion of your Personal Information
- Right to Data Portability: Obtain a copy of your Personal Information in a portable, readily usable format
- Right to Opt Out: Opt out of the processing of your Personal Information for targeted advertising, the sale of your data, or profiling that produces legal or similarly significant effects
How to Exercise: Contact us at privacy@bonusbell.comwith the subject line "VCDPA Request." We will respond within 45 days (with one 45-day extension if reasonably necessary).
Right to Appeal: If we decline your request, you have the right to appeal. Submit your appeal to privacy@bonusbell.com with the subject line "VCDPA Appeal." We will respond within 60 days. If your appeal is denied, you may file a complaint with the Virginia Attorney General at oag.state.va.us.
14. Additional State Privacy Rights
The following states have enacted comprehensive consumer privacy laws. If you are a resident of any of these states, you may have additional rights similar to those described in Sections 12 and 13:
| State | Law | Key Rights |
|---|---|---|
| Colorado | Colorado Privacy Act (CPA) | Access, correct, delete, portability, opt-out of targeted ads/sale/profiling |
| Connecticut | CT Data Privacy Act (CTDPA) | Access, correct, delete, portability, opt-out, appeal |
| Texas | TX Data Privacy & Security Act (TDPSA) | Access, correct, delete, portability, opt-out, appeal |
| Oregon | Oregon Consumer Privacy Act (OCPA) | Access, correct, delete, portability, opt-out of profiling |
| Montana | MT Consumer Data Privacy Act (MCDPA) | Access, correct, delete, portability, opt-out |
| Tennessee | TN Information Protection Act (TIPA) | Access, correct, delete, portability, opt-out |
| Indiana | IN Consumer Data Protection Act (ICDPA) | Access, correct, delete, portability, opt-out |
| Kentucky | KY Consumer Data Protection Act (KCDPA) | Access, correct, delete, portability, opt-out |
| Rhode Island | RI Data Transparency & Privacy Protection Act (RIDPA) | Access, correct, delete, portability, opt-out |
To exercise your rights under any of these laws, contact us at privacy@bonusbell.comwith the subject line indicating your state (e.g., "Colorado Privacy Request"). We will verify your identity and respond within the timeframe required by your state's law.
Right to Appeal: If we decline your request, most state laws provide a right to appeal. Submit appeals to privacy@bonusbell.comwith "Privacy Appeal" in the subject line.
15. Children's Privacy
The Platform is intended for users who are at least 18 years of age. We do notknowingly collect, use, or disclose Personal Information from children under 18, in compliance with the Children's Online Privacy Protection Act (COPPA).
We do not knowingly collect Personal Information from anyone under 18. If we become aware that we have inadvertently collected information from a person under 18, we will promptly delete that information.
If you are a parent or guardian and believe your child has provided us with Personal Information, please contact us immediately at privacy@bonusbell.com and we will take steps to delete that information.
16. International Users
The Platform is operated from and primarily intended for users in the United States, Puerto Rico, Canada, Mexico, and other supported BonusBell markets. If you access the Platform from outside those supported markets, your information may be transferred to, stored, and processed in the United States, Canada, Mexico, or other countries where our service providers operate, where data protection laws may differ from those in your country.
By using the Platform, you consent to the transfer of your information to those locations. We do not specifically target users in the European Economic Area (EEA), United Kingdom, or other jurisdictions with GDPR-equivalent regulations. If you are located in such a jurisdiction, please be aware that we may not comply with all local data protection requirements.
17. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. For material changes (such as new categories of data collected, new third-party sharing, or changes to your rights), we will provide at least thirty (30) days' advance notice via email to the address associated with your account and/or a prominent notice on the Platform before the changes take effect.
For non-material changes (such as formatting updates, clarifications, or corrections of typographical errors), we may update the Privacy Policy without advance notice.
Your continued use of the Platform after any changes constitutes acceptance of the updated Privacy Policy. If you disagree with any changes, your remedy is to stop using the Platform and request deletion of your account.
18. Contact Us
If you have questions about this Privacy Policy, want to exercise your privacy rights, or have concerns about our data practices, please contact us:
Murdock Solutions LLC d/b/a BonusBell
Privacy inquiries: privacy@bonusbell.com
General support: support@bonusbell.com
Legal inquiries: legal@bonusbell.com
We aim to respond to all privacy-related inquiries within 30 days. For state-specific requests (CCPA, VCDPA, etc.), we will respond within the timeframe required by applicable law.
Version History
- June 12, 2026: Updated authentication and storage disclosures to reflect Supabase Auth/Postgres as the primary account system, described Google/Apple OAuth as optional Supabase Auth providers, and described optional browser push notifications through Supabase device preferences.
- February 26, 2026: Complete rewrite — expanded from 12 to 18 sections. Added Stripe payment processing, multi-state privacy rights (CCPA/CPRA, VCDPA, CPA, CTDPA, TDPSA, OCPA, MCDPA, TIPA, ICDPA, KCDPA, RIDPA), detailed data retention schedule, third-party services table, cookie categories, GPC/DNT policy, breach notification procedures, and responsible gaming data disclosure.
- January 3, 2026: Initial publication.

