Bunting Labs, Inc. Privacy Policy

Last Updated: March 20, 2026

This Privacy Policy (this "Policy") describes how Bunting Labs, Inc. ("Bunting Labs," "Atonomo," "we," "our," or "us") collects, uses, discloses, and otherwise processes personal information in connection with our website located at https://www.atonomo.com (the "Site"), the Atonomo product, and any related services, features, content, and communications that link to or reference this Policy (collectively, the "Services").

Atonomo is an AI agent that reviews data such as product analytics, session replays, and codebase information to identify possible improvements. Where we process personal information on behalf of a customer in providing Atonomo, we do so as a processor or service provider subject to our agreement with that customer, including any applicable data processing agreement.

By accessing or using the Services, you acknowledge the practices described in this Policy.

1. Scope of This Policy

This Policy applies to personal information we collect:

  • directly from you;
  • automatically when you use the Services;
  • from our customers in connection with our provision of Atonomo; and
  • from third parties and service providers that help us operate the Services.

This Policy does not apply to third-party websites, services, or applications that are not operated or controlled by us, even if they are linked from our Services.

2. Personal Information We Collect

We collect the following categories of personal information, depending on how you interact with us.

A. Information you provide directly

We may collect personal information you provide to us, such as:

  • identifiers and contact information, including your name, work email address, phone number, mailing address, company name, and account credentials;
  • account and profile information, such as organization name, role, preferences, and billing-related information;
  • communications and inquiry information, including the contents of messages you send to us, support requests, demo requests, survey responses, and other correspondence;
  • customer-submitted content and related data, including data that you or your organization uploads, connects, transmits, or makes available through Atonomo, such as product analytics data, session replay data, codebase materials, prompts, inputs, outputs, configuration data, and other business data; and
  • any other information you choose to provide.

B. Information we collect automatically

When you use the Services, we and our service providers may automatically collect information such as:

  • device and network information, including IP address, browser type, operating system, device identifiers, language settings, and general location information derived from IP address;
  • usage and activity data, including pages viewed, features used, clicks, session activity, referring and exit URLs, date and time stamps, and other log data;
  • performance and diagnostic information, including crash logs, error reports, and telemetry; and
  • cookie and similar technology data, as described below.

C. Information we receive from customers and other third parties

We may receive personal information from:

  • our customers and their authorized users;
  • analytics, infrastructure, authentication, and security providers;
  • referral partners, marketing sources, or publicly available sources; and
  • other third parties you direct to share information with us.

If you use Atonomo through or on behalf of an organization, that organization may provide us with personal information about you or authorize us to access information it controls.

D. Categories of personal information we may process on behalf of customers

In providing Atonomo, we may process categories of personal information that customers choose to submit to the Services. Depending on the customer's implementation, this may include:

  • names and contact information;
  • account or transactional information;
  • user activity and analytics information, such as device information, IP addresses, usage events, or session replay data;
  • location information; and
  • other personal information contained in customer-submitted materials.

Atonomo is not intended for the routine processing of special category data under Article 9 of the GDPR or comparable highly sensitive personal information unless expressly agreed in writing.

3. Cookies and Similar Technologies

We use cookies, pixels, local storage, web beacons, and similar technologies to operate the Services, remember user preferences, authenticate users, understand how the Services are used, and improve performance.

These technologies may collect information about your browsing and usage activity over time and across different sessions, such as pages visited, links clicked, approximate location, browser information, and device identifiers.

You can control cookies through your browser settings and, where applicable, through cookie consent tools we may make available. If you disable certain cookies or similar technologies, some parts of the Services may not function properly.

4. How We Use Personal Information

We use personal information for the following purposes:

  • to provide, operate, maintain, secure, and improve the Services;
  • to create and manage accounts and authenticate users;
  • to provide Atonomo's analysis, recommendations, and related outputs;
  • to process transactions, administer subscriptions, and provide customer support;
  • to respond to inquiries, requests, and communications;
  • to monitor usage, analyze trends, troubleshoot issues, and improve user experience;
  • to develop new features, products, and services;
  • to protect the Services, our rights, and the rights of others, including to detect, investigate, and prevent fraud, abuse, or security incidents;
  • to comply with legal, regulatory, contractual, and enforcement obligations;
  • to send administrative, service-related, and, where permitted by law, marketing communications; and
  • to create aggregated, statistical, or de-identified information that does not reasonably identify an individual and to use that information for lawful business purposes.

We may combine information collected from different sources and use the combined information in accordance with this Policy.

5. Our Legal Bases for Processing

Where the GDPR, UK GDPR, or similar laws apply, we generally rely on one or more of the following legal bases:

  • performance of a contract, including providing the Services and fulfilling our obligations to customers and users;
  • legitimate interests, such as operating and improving our business and Services, securing our systems, communicating with customers, and preventing fraud;
  • consent, where required by law; and
  • compliance with legal obligations.

More than one legal basis may apply to the same processing activity.

6. How We Disclose Personal Information

We may disclose personal information to the following categories of recipients:

A. Service providers and subprocessors

We disclose personal information to vendors, contractors, and subprocessors that provide services on our behalf, such as hosting, infrastructure, content delivery, analytics, authentication, observability, communications, AI model processing, workflow orchestration, browser automation, software development, and support services.

Our current or anticipated subprocessors and service providers may include Trigger.dev, Cloudflare, Anthropic, Amazon Web Services, Google, Microsoft, PostHog, OpenAI, Vercel, Hyperbrowser (The Prompting Company, Inc.), Clerk, Slack, GitHub, Modal, Langfuse, OpenRouter, and DigitalOcean, as applicable to the Services we provide.

B. Customers and authorized users

If you use the Services through an organization, we may disclose personal information to that organization and its authorized administrators or users.

C. Corporate transactions

We may disclose personal information in connection with an actual or proposed financing, merger, acquisition, reorganization, sale of assets, bankruptcy, or similar corporate transaction.

D. Legal and safety disclosures

We may disclose personal information where we believe doing so is necessary or appropriate to:

  • comply with applicable law, regulation, legal process, or governmental request;
  • enforce our agreements, policies, or terms;
  • detect, investigate, prevent, or address fraud, security, or technical issues; or
  • protect the rights, property, safety, and security of Bunting Labs, our customers, users, or others.

E. With your direction or consent

We may disclose personal information to other parties at your direction or with your consent.

F. De-identified and aggregated information

We may disclose aggregated or de-identified information that does not reasonably identify you.

7. AI and Automated Processing

Atonomo uses automated systems, including AI models and related tools, to analyze submitted materials and generate recommendations, insights, and other outputs.

We do not use personal information to make solely automated decisions about individuals that produce legal or similarly significant effects in the context of this Policy.

Customers are responsible for reviewing outputs and determining how to use them in their own operations.

8. Data Retention

We retain personal information for as long as reasonably necessary for the purposes described in this Policy, including to provide the Services, comply with legal obligations, resolve disputes, enforce our agreements, and maintain appropriate business records.

Retention periods may vary depending on the nature of the information, how it is used, the sensitivity of the information, the risk of harm from unauthorized use or disclosure, and applicable legal requirements.

Where we process personal information on behalf of a customer, we retain that information in accordance with our contractual obligations, the customer's instructions, and applicable law.

9. Data Security

We maintain reasonable administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, loss, misuse, alteration, or disclosure.

No method of transmission over the internet or method of electronic storage is completely secure, and we cannot guarantee absolute security.

10. International Transfers

We are based in the United States and may process personal information in the United States and other countries where we or our service providers operate.

Those countries may have data protection laws that differ from the laws of your jurisdiction. Where required by applicable law, we implement appropriate safeguards for international data transfers, including contractual protections.

11. Your Privacy Rights

Depending on where you live, you may have rights under applicable privacy laws, including the right to:

  • know whether we process your personal information;
  • access and obtain a copy of your personal information;
  • correct inaccurate personal information;
  • delete personal information;
  • receive a portable copy of certain personal information;
  • object to or restrict certain processing;
  • withdraw consent where processing is based on consent;
  • opt out of certain uses of personal information where such rights apply; and
  • appeal a denial of your request, where applicable.

To exercise a privacy right, please contact us at support@buntinglabs.com.

We may need to verify your identity before processing your request. You may also designate an authorized agent to submit requests on your behalf where permitted by law, subject to verification and applicable documentation requirements.

If we deny your request, you may appeal that decision by emailing support@buntinglabs.com with the subject line "Privacy Rights Appeal."

Important note for end users of our customers

If we process your personal information on behalf of one of our customers, we may need to direct your request to that customer, because that customer controls how your personal information is processed in connection with its use of Atonomo.

12. Marketing Communications

We may send you service-related and administrative communications. We may also send marketing or promotional communications where permitted by law.

You can opt out of marketing emails by using the unsubscribe link in the message or by contacting us at support@buntinglabs.com. Even if you opt out of marketing communications, we may still send you transactional or service-related messages.

13. Third-Party Links and Services

The Services may contain links to third-party websites, services, plug-ins, or integrations. We do not control and are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies.

14. Children's Privacy

The Services are intended for business use and are not directed to children under 13. We do not knowingly collect personal information directly from children under 13. If you believe a child has provided personal information to us, please contact us at support@buntinglabs.com and we will take appropriate steps.

15. Changes to This Policy

We may update this Policy from time to time to reflect changes in our Services, legal obligations, or privacy practices. When we do, we will post the updated Policy and revise the "Last Updated" date above. If required by law, we will provide additional notice.

16. Contact Us

If you have questions or concerns about this Policy or our privacy practices, please contact us at:

Bunting Labs, Inc.
Email: support@buntinglabs.com

Supplemental Notice for U.S. State Privacy Laws

This section supplements the rest of the Policy and applies to residents of states with applicable privacy laws, such as California, Colorado, Connecticut, Virginia, Utah, and other jurisdictions that provide similar rights.

Categories of personal information collected

In the preceding 12 months, we may have collected the following categories of personal information:

  • identifiers and contact information;
  • commercial or transaction information;
  • internet or other electronic network activity information;
  • geolocation information derived from IP address or usage;
  • professional or employment-related information;
  • audio, electronic, visual, or similar information included in customer-submitted materials such as session replay content;
  • inferences drawn from personal information to create recommendations or analytics; and
  • other information that identifies or could reasonably be linked to an individual.

Purposes of collection, use, and disclosure

We collect, use, and disclose these categories for the business and commercial purposes described above, including providing the Services, operating our business, analyzing and improving performance, securing the Services, communicating with users and customers, complying with law, and supporting corporate transactions.

Categories of recipients

We may disclose these categories of personal information to:

  • service providers and contractors;
  • subprocessors;
  • customers and their authorized users;
  • advisors and professional service providers;
  • government entities, regulators, law enforcement, or others where legally required; and
  • parties involved in corporate transactions.

Sensitive personal information

We do not use or disclose sensitive personal information for purposes that would require a right to limit under applicable law.

Shine the Light

California residents may request information about certain disclosures of personal information to third parties for their own direct marketing purposes by contacting us at support@buntinglabs.com. We do not currently disclose personal information to third parties for their own direct marketing purposes.