Privacy Policy

Bloom.AI ("the Service") is operated by an individual developer ("I", "me", "my"). This Privacy Policy explains how I collect, use, store, and protect your personal information when you use the Service.

By creating an account or using the Service, you agree to the collection and use of information in accordance with this policy.

2.1 Account Information

• Name (as provided during sign-up)
• Email address
• Hashed password (if using email/password authentication)

2.2 OAuth Data

If you sign in using Google or GitHub, I receive your public profile information (name, email, avatar URL) as authorized by those providers. I do not receive or store your Google or GitHub password.

2.3 User Preferences & Interest Profile

• Topics, regions, and categories you select during onboarding or in your preferences
• Chat history with the AI assistant (stored to provide contextual responses)
• Notification preferences and display settings

2.4 Session & Technical Data

• Authentication session cookies (required for the Service to function)
• Basic request metadata (IP address, browser user-agent) as logged automatically by the hosting provider

2.5 Analytics

The Service uses Vercel Analytics, which collects anonymized usage data (page views, web vitals). No personally identifiable information is collected through analytics.

Your personal data is used exclusively to:

• Authenticate you and maintain your session
• Provide access to the dashboard and its features
• Personalize your news feed, event recommendations, and AI-powered insights
• Send account-related communications (e.g., magic link emails, password resets)
• Manage your account and role-based permissions

I do not sell, rent, or share your personal data with third parties for marketing purposes. I do not use your data for profiling or automated decision-making beyond the personalization features you explicitly configure.

The Service relies on the following third-party services that may process your data:

• Supabase (database hosting) — stores your account data. See Supabase Privacy Policy.
• Vercel (application hosting & analytics) — serves the application and collects anonymized analytics. See Vercel Privacy Policy.
• Google OAuth (optional sign-in) — used only if you choose to sign in with Google. See Google Privacy Policy.
• GitHub OAuth (optional sign-in) — used only if you choose to sign in with GitHub. See GitHub Privacy Statement.
• Anthropic (AI assistant) — powers the chat assistant feature. Conversations may be processed by Anthropic's API. See Anthropic Privacy Policy.

• Your data is stored in a PostgreSQL database hosted by Supabase with encryption at rest.
• Passwords are hashed using industry-standard algorithms and are never stored in plain text.
• All connections to the Service are encrypted via HTTPS/TLS.
• Session tokens are stored in secure, HTTP-only cookies.

While I take reasonable measures to protect your data, no system is 100% secure. I cannot guarantee absolute security.

• Account data is retained for as long as your account is active.
• Session data expires automatically after 7 days of inactivity.
• If you delete your account, all associated personal data will be permanently removed within 30 days.

Depending on your jurisdiction (including under GDPR, CCPA, and similar laws), you have the right to:

• Access — Request a copy of the personal data I hold about you.
• Correction — Request correction of inaccurate or incomplete data.
• Deletion — Request deletion of your personal data and account.
• Portability — Request your data in a structured, machine-readable format.
• Withdraw consent — Withdraw consent at any time by deleting your account.

To exercise any of these rights, contact me at the email address below. I will respond within 30 days.

The Service uses only strictly necessary cookies for authentication and session management. These cookies:

• Are required for the Service to function
• Cannot be used to track you across other websites
• Do not require separate consent under most cookie laws (they are exempt as essential cookies)

No advertising, tracking, or third-party marketing cookies are used.

The Service is not intended for use by anyone under the age of 16. I do not knowingly collect data from children. If you believe a child has provided data to the Service, please contact me so I can delete it.

Your data may be processed in countries other than your own (including the United States, where Supabase and Vercel operate). By using the Service, you consent to this transfer. These providers maintain appropriate safeguards for data protection.

I may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. Continued use of the Service after changes constitutes acceptance of the revised policy.

For any privacy-related questions or to exercise your data rights, contact me at:

Email: privacy@bloom-ai.com