BONUSBANDIT

POLICY · WHAT WE COLLECT AND WHY

Privacy policy

The short version: this site sets no cookies, shows no ads, and sells no data. We collect anonymous traffic counts, plus whatever you choose to hand us directly, which today means an email address if you subscribe to the newsletter and the contents of a report if you submit one. That is the whole list. Effective July 1, 2026.

Analytics: anonymous and cookieless

We measure traffic with Plausible, a cookieless analytics tool. It counts pageviews, referrers, and a small set of anonymous events (for example that an affiliate link was clicked, or that a newsletter form was submitted) so we can tell which pages are useful. The event data carries page paths and operator slugs, never anything that identifies you. There is no cross-site tracking and no advertising profile, which is why you see no cookie banner. Plausible's own practices are in its data policy.

We can also enable Cloudflare Web Analytics, which works the same way: cookieless, aggregate, no personal profiles.

Monetized links route through /go/, and that redirect checks which US state you are connecting from (using Cloudflare's network-level geolocation) so we can send you to the legality guide instead of an operator your state has restricted. Each redirect decision is logged for 90 days: the operator slug, your country and state code, the decision made, and a one-way fingerprint built by hashing your browser's user agent and IP address together. The raw IP address and user agent are never stored. We use that log to audit the state gate and to spot click fraud, nothing else.

If you subscribe to the newsletter

Signing up stores one piece of personal data: your email address. It lands in our own database alongside which form you used (footer, sticky bar, or exit prompt), an optional operator slug if you signed up from an operator page, and the signup time. No name, no payment details, no third-party list service.

To stop abuse, the signup endpoint keeps a salted one-way hash of the submitting IP address and allows one signup per minute per address. The raw IP is never stored. The list is write-only from the browser: the form can add an address but nothing on the public site can read the list back, so it cannot be scraped through us.

We never sell or share the list, and every email we send includes an unsubscribe link. You can also ask us to delete your address outright at the contact address below.

If you report an experience

The report form (and the smaller form on each operator page) stores exactly what you type: the operator, what happened, the amount and date if you give them, and your email address if you choose to leave one. Your email is used only to follow up on your report and is never published. A screenshot, if you attach one, goes into a private storage bucket that has no public access; a human reviews it through a short-lived signed link, and it is never posted without your consent.

Report submissions use the same anti-abuse pattern as the newsletter: a salted one-way hash of your IP for rate limiting, with the raw address never stored. Every report is read by a person before anything derived from it appears on the site, and no report changes a Trust Score, which comes from the published methodology only.

Where the data lives

The site is served by Cloudflare, which processes standard request data (IP address, user agent) to deliver pages and block attacks, the way any host or CDN does. Our database, including the newsletter list and submitted reports, runs on Supabase. Those two providers plus Plausible are the complete list of services that touch visitor data on our behalf.

What stays on your device

A few convenience flags are kept in your browser's local storage, for example that you dismissed the newsletter bar or a promo notice so we do not show it again. These flags never leave your device and we cannot read them from our side.

Our Reddit app

Bonus Bandit Dailies, our app on Reddit, posts a daily bonus roundup to r/BonusBandit. It reads a public feed from this site and posts; it does not collect, store, or process any personal data from Reddit users. Your use of Reddit itself is governed by Reddit's privacy policy.

What we never do

No cookies set by us. No ad networks. No selling, renting, or trading personal data. No data brokers. No tracking you across other sites. This site is for adults (21+) and is not directed at children; we do not knowingly collect data from anyone under 21.

Your choices and contact

Unsubscribe from any email with the link in its footer, or email us to have your address or a submitted report deleted. Questions about anything on this page go to noah.rafkin@bonusbandit.win. I read and answer these myself.

If a data practice changes, this page changes with it and the effective date above is updated. Material changes get a note in the public changelog.