Privacy Policy

1. Introduction

Bloom Platform ("Bloom," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, share, and protect information when you use our AI-powered business management platform, website, and related services (collectively, the "Service").

By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

• Name and email address
• Organization name and details
• Profile picture (if provided)
• Account preferences and settings
• Authentication credentials (securely hashed)

2.2 Business Data

In the course of using the Service, you may provide:

• Customer and contact information (CRM data)
• Financial records, invoices, and payment information
• Project and task data
• Documents, files, and media uploads
• Communications and notes
• AI agent configurations and conversation logs

2.3 Usage Data

We automatically collect certain information when you use the Service:

• IP address and approximate location
• Browser type, device information, and operating system
• Pages visited, features used, and time spent
• Referring URLs and search terms
• Error logs and performance data

2.4 Payment Data

When you subscribe to a paid plan, our payment processor (Stripe) collects payment card details. We do not store full credit card numbers on our servers. We receive and store limited payment information from Stripe, including the last four digits of your card, card type, and billing address.

3. How We Use Information

We use the information we collect to:

• Provide, operate, and maintain the Service
• Process transactions and send billing-related communications
• Power AI features, including AI agents and document processing
• Send you technical notices, updates, security alerts, and support messages
• Respond to your requests, comments, and questions
• Monitor and analyze trends, usage, and activities to improve the Service
• Detect, prevent, and address fraud, abuse, and technical issues
• Personalize your experience and provide recommendations
• Comply with legal obligations

We do not sell your personal information. We do not use your business data for advertising purposes.

4. Information Sharing

We share information with third parties only in the following circumstances:

4.1 Service Providers

We work with trusted third-party services that help us operate the Service:

• Supabase — Database hosting, authentication, and file storage
• Stripe — Payment processing and subscription management
• Resend — Transactional email delivery
• Vercel — Application hosting and analytics
• OpenAI / AI providers — AI model inference for agent features

These providers are contractually obligated to use your information only to provide their services to us and are bound by confidentiality obligations.

4.2 Legal Requirements

We may disclose information if required to do so by law, regulation, legal process, or governmental request.

4.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your information.

4.4 With Your Consent

We may share information with third parties when you explicitly authorize us to do so, such as when connecting third-party integrations (e.g., QuickBooks, Google Calendar).

5. Data Retention

We retain your information for as long as your account is active or as needed to provide the Service. When you delete your account, we will delete or anonymize your personal information within 30 days, except where we are required to retain it for legal, regulatory, or legitimate business purposes (such as resolving disputes or enforcing our agreements).

Backups containing your data may persist for up to 90 days before being fully purged.

6. Security Measures

We implement industry-standard security measures to protect your information, including:

• Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
• Row-level security (RLS) to ensure data isolation between organizations
• Regular security audits and vulnerability assessments
• Secure authentication with support for OAuth and magic links
• Access controls and role-based permissions
• Regular backups with disaster recovery procedures

While we strive to protect your information, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security.

7. Your Rights

Depending on your location, you may have the following rights regarding your personal information:

• Access — Request a copy of the personal information we hold about you
• Correction — Request that we correct inaccurate or incomplete information
• Deletion — Request that we delete your personal information
• Export — Request a portable copy of your data in a machine-readable format
• Restriction — Request that we restrict the processing of your information
• Objection — Object to our processing of your information in certain circumstances
• Withdrawal of consent — Withdraw your consent at any time where we rely on consent as the legal basis for processing

To exercise any of these rights, please contact us at privacy@bloomplatform.com. We will respond to your request within 30 days.

8. Cookies and Tracking

We use cookies and similar tracking technologies to operate and improve the Service:

• Essential cookies — Required for authentication, security, and core functionality. Cannot be disabled.
• Analytics cookies — Help us understand how visitors use the Service (via Vercel Analytics). These collect anonymized usage data.
• Preference cookies — Remember your settings and preferences (e.g., theme, sidebar state).

We do not use advertising or third-party tracking cookies. You can manage cookie preferences through your browser settings. Disabling essential cookies may prevent the Service from functioning properly.

9. Children's Privacy

The Service is not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13. If you are between 13 and 18, you must have the consent of a parent or legal guardian to use the Service. If we learn that we have collected personal information from a child under 13, we will take steps to delete that information promptly. If you believe a child under 13 has provided us with personal information, please contact us at privacy@bloomplatform.com.

10. International Data Transfers

The Service is operated from the United States. If you are accessing the Service from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States or other countries where our service providers maintain facilities. By using the Service, you consent to the transfer of your information to these locations.

Where required by applicable law, we implement appropriate safeguards for international data transfers, such as standard contractual clauses or other legally recognized transfer mechanisms.

11. California Privacy Rights

If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect and how it is used, the right to request deletion, and the right to opt out of the sale of personal information. We do not sell personal information.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or by posting a prominent notice on the Service at least 30 days before the changes take effect. We encourage you to review this policy periodically. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated policy.

13. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at: