Privacy Policy

Last updated: 1/15/2026

1. Our Core Privacy Principle: We Don't See Your Data

Because of our peer-to-peer and end-to-end encrypted architecture, we cannot access, view, or decrypt your photos, videos, comments, or messages. This is not a choice we make—it's technically impossible by design:

• Client-Side Encryption: Your content is encrypted on your device before transmission using strong encryption algorithms
• Direct Device-to-Device Transfer: Content travels directly from your device to recipient devices without passing through our servers
• Private Key Control: Only you and your intended recipients possess the keys to decrypt the content
• Zero-Knowledge Architecture: Even if compelled, we cannot provide access to your content because we don't have it and cannot decrypt it

This data is encrypted on your device and decrypted only on the recipient's device. It is never stored on our servers in any form.

2. Information We Do NOT Collect

Unlike traditional photo sharing platforms, Bloom is designed to collect as little information as possible. Here's what we explicitly do not collect:

3. Information We May Collect

To provide and maintain the Service, we collect only the minimal information necessary for the app to function:

3.1 Account Information

To create and maintain your account, we may collect:

• Phone Number or Email Address: Used solely for authentication, account recovery, and to allow friends to find you on Bloom
• Username and Display Name: Your chosen identity visible to your contacts
• Profile Picture: If you choose to set one, stored on your device and shared with your contacts through the same P2P encryption
• Account Creation Date: For service maintenance and account management purposes

3.2 Technical and Diagnostic Information

To ensure app stability and improve performance, we may collect limited technical data (only if you opt-in):

• Crash Reports: Anonymous error logs when the app crashes, containing no personal information or content
• Performance Metrics: Aggregated, anonymized data about app performance (e.g., load times, memory usage)
• Device Information: Basic device type, operating system version, and app version to ensure compatibility
• Network Information: Connection type (WiFi, cellular) to optimize data transfer, but not your IP address or specific network details

Note: All diagnostic information is aggregated, anonymized, and cannot be tied back to your personal identity or account.

3.3 Connection Metadata

To facilitate peer-to-peer connections, we temporarily process:

• Connection Requests: Minimal signaling data to establish secure P2P connections between devices
• Online Status: Whether you're currently online to enable real-time sharing (not stored long-term)

This metadata is processed in real-time and not permanently stored. It contains no information about the content being shared.

4. How We Use Information

The limited information we do collect is used exclusively for:

• Service Provision: Authenticating your account and enabling you to connect with contacts
• Security: Protecting against unauthorized access, fraud, and abuse
• App Improvement: Fixing bugs, improving stability, and enhancing user experience based on anonymized usage patterns
• Communication: Sending you important service updates, security alerts, or account-related notifications
• Legal Compliance: Meeting our legal obligations when required by law

5. On-Device AI and Machine Learning

Bloom's Smart AI Feed is a unique feature that demonstrates our privacy commitment:

• 100% Local Processing: All AI analysis, photo organization, facial recognition, and smart feed generation happen exclusively on your device using on-device machine learning models
• Zero Data Transmission: No photos, metadata, embeddings, or AI processing results are ever transmitted to our servers or any third-party AI services
• No Cloud AI: Unlike other photo apps, we don't use cloud-based AI services from Google, Amazon, or any other provider
• User Control: You can enable or disable AI features at any time in your device settings without affecting core functionality
• Model Updates: When we improve AI models, they're downloaded to your device and run locally

6. Data Sharing and Third Parties

6.1 We Don't Share Your Personal Information

Bloom does not sell, rent, trade, or share your personal information with third parties for their marketing purposes. The limited data we collect stays with us.

6.2 Service Providers

We may work with trusted service providers who help us operate the Service. These providers:

• Have access only to the minimal information necessary to perform their specific functions
• Are contractually obligated to maintain confidentiality and security
• Cannot use your information for any purpose other than providing services to Bloom
• Are regularly audited for compliance with our privacy standards

Examples may include authentication services, infrastructure providers, or anonymous analytics platforms.

6.3 Legal Requirements

We may disclose information if required by law, such as:

• In response to valid legal process (subpoena, court order)
• To protect the rights, property, or safety of Bloom, our users, or the public
• To prevent fraud or security threats

However, due to our end-to-end encryption, we cannot provide access to your photos, videos, or messages even if legally compelled, as we don't have the ability to decrypt them.

7. Your Control and Privacy Rights

You have complete control over your data and privacy:

7.1 Content Control Features

• Disable Forwarding: Prevent recipients from resharing your photos and videos
• Delete for Everyone: When you delete content, deletion requests are sent to all recipient devices, fulfilling your "right to be forgotten" within the Bloom ecosystem
• Group Management: Full control over who can see your shared content in private groups
• Blocking: Block users to prevent all future communication and sharing

7.2 Data Rights

Depending on your location, you may have the following rights:

• Right to Access: Request a copy of the limited personal information we hold about you
• Right to Correction: Update or correct your account information at any time
• Right to Deletion: Delete your account and associated data from our systems
• Right to Portability: Export your account information in a machine-readable format
• Right to Opt-Out: Disable optional features like crash reporting or analytics
• Right to Object: Object to certain data processing activities

To exercise these rights, contact us at hello@hellobloom.xyz or through the in-app settings.

7.3 Account Deletion

You can delete your account at any time through the app settings. Upon deletion:

• Your account information will be permanently removed from our systems within 30 days
• Content stored on your device will remain until you manually delete it
• Content you've shared that exists on recipient devices will remain under those recipients' control (due to the P2P nature of sharing)
• You can create a new account with the same credentials if you change your mind

8. Data Security

Security is integral to everything we do:

• End-to-End Encryption: Industry-standard encryption protocols for all content transmission
• Secure Authentication: Multi-factor authentication options and secure credential storage
• Regular Security Audits: Third-party security assessments and penetration testing
• Minimal Data Retention: We keep data only as long as necessary for service operation
• Secure Infrastructure: Encrypted data in transit and at rest (for the minimal data we do store)
• Access Controls: Strict internal access policies limiting who can access what systems

While we implement strong security measures, no system is completely immune to security risks. We encourage users to maintain strong passwords and enable security features.

9. International Data Transfers

Because Bloom operates on a peer-to-peer architecture, your content is transmitted directly between devices and may cross international borders based on where you and your recipients are located. The minimal account data we collect may be stored on servers in [Your Jurisdiction] and is protected by appropriate safeguards when transferred internationally.

10. Children's Privacy

Protecting children's privacy is critically important to us:

• Our Service is not intended for children under the age of 13
• We do not knowingly collect personally identifiable information from children under 13
• If we become aware that we have inadvertently collected information from a child under 13, we will take immediate steps to delete such information
• Parents or guardians who believe their child has provided information to us should contact us at hello@hellobloom.xyz
• Users between 13 and 18 should have parental or guardian consent before using the Service

11. Region-Specific Privacy Information

11.1 For European Union Users (GDPR)

If you're in the EU/EEA, you have additional rights under GDPR:

• The right to lodge a complaint with your local data protection authority
• The right to withdraw consent at any time
• The right to restrict processing of your personal data
• Our legal basis for processing: consent, contract performance, and legitimate interests

11.2 For California Users (CCPA/CPRA)

California residents have specific rights under the CCPA:

• We do not sell personal information and have not sold it in the past 12 months
• You have the right to opt-out of the sale of personal information (though we don't sell it)
• You have the right to know what personal information we collect and how we use it
• You will not be discriminated against for exercising your privacy rights

12. Cookies and Tracking Technologies

The Bloom mobile application does not use cookies. We do not use third-party tracking technologies, advertising pixels, or analytics scripts that track your behavior across websites and apps. The website (hellobloom.xyz) may use essential cookies for basic functionality, but we do not use advertising or tracking cookies.

13. Changes to This Privacy Policy

We may update our Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes:

• We will update the "Last Updated" date at the top of this policy
• For material changes, we will provide prominent notice through the app or via email at least 30 days before the changes take effect
• We will never reduce your privacy rights without your explicit consent
• You are advised to review this Privacy Policy periodically

Continued use of the Service after changes indicates your acceptance of the updated Privacy Policy.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us: