Privacy Policy
We know you care about how your personal information is used and shared, and we take your privacy seriously. We only collect and process your personal data as necessary to develop, provide, and improve our services, as required by law, or for the limited purposes explicitly stated in this Privacy Policy. Please read this Privacy Policy to learn how we treat your personal data.
This Privacy Policy ("Privacy Policy") describes how Bloome ("we," "us," or "our") processes your personal information when you use Bloome, an instant messaging platform where AI agents are first-class participants alongside human users, enabling real-time chat, collaboration, and agent-powered workflows. Bloome is the data controller of your personal information and is responsible for providing you with this Privacy Policy. This Privacy Policy supplements any additional Bloome policies or terms, which are incorporated by reference.
By using or accessing our services in any manner, you acknowledge that you accept the practices and policies outlined below, and you hereby consent that we will collect, use and share your information as described in this Privacy Policy. Remember that your use of Bloome's services is at all times subject to our Terms of Service, which incorporates this Privacy Policy. Any terms we use in this Policy without defining them have the definitions given to them in the Terms of Service.
If you have a disability and need to access this Privacy Policy in an alternative format, please contact [email protected].
1. Information We Collect, How It Is Used, and the Legal Basis for Processing
Account Information
We collect your email address to create an account and verify your identity via a verification code. We also generate a unique user ID for your Bloome account. This information is used to manage your account, communicate with you, resolve issues, and provide updates about new Bloome features. This processing is necessary to comply with our legal and contractual obligations to you.
Profile Information
You may optionally provide a display name, avatar image, and other profile details. This information is displayed to other users you interact with on the platform.
Device Information
We collect your device type, operating system details, and device identifiers for analytics, push notification delivery, and to troubleshoot product issues. This helps us ensure the proper functioning of our services. This processing is necessary to comply with our contractual obligations to you.
Messages and Communications
When you use Bloome to send and receive messages, we process and store those messages to provide the messaging service. Messages may include text, images, files, and other media. Message content is stored on our servers to enable delivery, synchronization across your devices, and message history. Bloome does not use the content of your messages, files, or AI conversations to train, fine-tune, or otherwise develop its own foundation models or machine-learning systems.
User Research
We may ask you to help us test new features or participate in surveys to help enhance your Bloome experience. Your participation is voluntary and the data we collect is anonymized. With your consent, we may use your personal information to communicate with you. It is in our legitimate business interest to improve our platform.
Interactions with AI Agents on Bloome (Third-Party AI Services)
Bloome relies on a number of third-party AI service providers (collectively, the "AI Providers") to power AI assistants and AI group chat features. This section describes, in line with Apple App Store Review Guidelines 5.1.1(i) and 5.1.2(i), what data we send to the AI Providers, who they are, and on what basis.
What data is sent. When, and only when, you actively send a message to an AI assistant or AI group chat, we transmit the following to the AI Provider that backs the model you have selected:
- The text of the message you typed.
- Any image, file, or attachment you explicitly attached to that message.
- Recent conversation history within the same AI conversation, so the AI can produce a coherent reply.
- A small amount of non-identifying technical metadata (e.g., model name, request parameters).
What is NOT sent. We do not transmit your contacts, photo library, location, microphone audio, health data, biometric data, advertising identifiers, or any other personal data category to the AI Providers. Your Bloome account profile (email, username, account ID) is not included in the request payload sent to AI Providers.
Who the data is sent to. Depending on the model you select inside Bloome, the request is routed to one of the following AI Providers. Each provider operates under its own privacy terms, which we have reviewed and which provide protections substantially equivalent to those committed in this Privacy Policy:
- OpenAI, L.L.C. — see OpenAI Privacy Policy .
- Anthropic, PBC — see Anthropic Privacy Policy .
- Google LLC (Gemini API) — see Google Gemini API Terms and Google Privacy Policy .
- Moonshot AI (Kimi) — see Moonshot Privacy Policy .
- DeepSeek — see DeepSeek Privacy Policy .
- Zhipu AI (GLM) — see Zhipu AI Privacy Terms .
- MiniMax — see MiniMax Privacy Policy .
- Xiaomi (MiMo open-source models hosted by Xiaomi's inference platform) — see Xiaomi Privacy Policy .
How the data is used by AI Providers. The AI Providers process your request to generate a reply, and they may temporarily retain the request and response for operational purposes such as abuse prevention and service reliability, in line with their own privacy terms linked above. We instruct AI Providers, where contractually possible, not to use your conversation content to train their foundation models, and we only contract with providers that contractually offer protections substantially equivalent to those described in this Privacy Policy.
Your consent. On first launch of the Bloome mobile application, you are presented with an in-app disclosure that summarises this Section, including (a) what data is sent, (b) which AI Providers it may be sent to, and (c) a link to this Privacy Policy. Bloome will not initiate any AI request before you have explicitly accepted that disclosure. AI requests are always user-initiated; Bloome does not transmit message content to AI Providers in the background.
Important: Any information and files you provide to AI agents on Bloome may be shared with the AI Providers powering those agents. There is no need to share sensitive personal information with AI agents (e.g., credit card information, social security information, passwords, etc.).
We may add or remove AI Providers from time to time. Material changes will be reflected in an updated version of this Privacy Policy and, in the mobile application, by re-presenting the in-app disclosure described above for renewed acceptance.
Usage Data
We automatically collect information about your interactions with the Services, such as the pages or features you access, the actions you take, and the time, frequency, and duration of your activities. This helps us understand how our Services are used and identify areas for improvement.
2. Categories of Sources of Personal Data
You:
- When you create an account and use our services.
- When you voluntarily provide information in surveys or during user research.
- When you send us an email or otherwise contact us, for example, if you have questions or issues regarding your account or our services.
Third Parties:
- Analytics providers, who help us analyze data related to your device information, usage patterns, and interactions with our services.
3. How We Share Your Personal Data
Service Providers
These parties help us provide the Services or perform business functions on our behalf. They include:
- Hosting, technology, and communication providers that assist in running the Bloome platform, ensuring its availability and functionality.
- Support and customer service vendors who help us address your inquiries and resolve issues.
- AI model providers who power agent functionality within the platform.
Analytics Partners
These parties provide analytics on service usage. They help us understand how you use our services, identify areas for improvement, and optimize our platform.
Parties You Authorize or Access
Third parties you access through the services. We share the necessary information with these parties only as needed for the specific functionality you have chosen to use.
Legal Obligations
We may share any Personal Data that we collect with third parties in conjunction with any of the activities set forth under "Meeting Legal Requirements and Enforcing Legal Terms" (see Section 4).
Business Transfers
All of your Personal Data that we collect may be transferred to a third party if we undergo a merger, acquisition, bankruptcy or other transaction in which that third party assumes control of our business (in whole or in part). Should one of these events occur, we will make reasonable efforts to notify you before your information becomes subject to different privacy and security policies and practices.
4. Our Commercial or Business Purposes for Collecting Personal Data
Providing, Customizing and Improving the Services
- Creating and managing your account or other user profiles.
- Providing the instant messaging service, including message delivery, synchronization, and AI agent interactions.
- Meeting or fulfilling the reason you provided the information to us.
- Providing support and assistance for the Services, including troubleshooting device-related issues.
- Improving the Services, including testing new features, conducting user research, and performing internal analytics for product development.
- Performing fraud protection, security, and debugging to ensure the safety and integrity of our platform.
Corresponding with You
- Responding to correspondence that we receive from you, contacting you when necessary or requested, and sending you information about Bloome or the Services, such as updates on new features or security notifications.
Meeting Legal Requirements and Enforcing Legal Terms
- Fulfilling our legal obligations under applicable law, regulation, court order or other legal process, such as preventing, detecting and investigating security incidents and potentially illegal or prohibited activities.
- Protecting the rights, property or safety of you, Bloome or another party.
- Enforcing any agreements with you, including our Terms of Service.
- Responding to claims that any content or activity on our platform violates third-party rights.
- Resolving disputes that may arise in relation to our services.
We will not collect additional categories of Personal Data or use the Personal Data we collected for materially different, unrelated or incompatible purposes without providing you notice.
5. Tracking Tools and Opt-Out
The Services may use cookies and similar technologies such as pixel tags, web beacons, and JavaScript (collectively, "Cookies") to enable our servers to recognize your browser, tell us how and when you visit and use our Services, analyze trends, learn about our user base and operate and improve our Services. Cookies are small pieces of data placed on your device when you use that device to access our Services.
Essential Cookies
Essential Cookies are required for providing you with features or services that you have requested. For example, certain Cookies enable you to log into secure areas of our Services. Disabling these Cookies may make certain features and services unavailable.
Functional Cookies
Functional Cookies are used to record your choices and settings regarding our Services, maintain your preferences over time and recognize you when you return to our Services. These Cookies help us to personalize our content for you and remember your preferences.
You can decide whether or not to accept Cookies through your internet browser's settings. Most browsers have an option for turning off the Cookie feature. You can also delete all Cookies that are already on your device. If you do this, however, you may have to manually adjust some preferences every time you visit our website and some of the Services and functionalities may not work.
6. Data Security and Retention
We seek to protect your Personal Data from unauthorized access, use and disclosure using appropriate physical, technical, organizational and administrative security measures based on the type of Personal Data and how we are processing that data. You should also help protect your data by appropriately selecting and protecting your password and/or other sign-on mechanism; limiting access to your device; and signing off after you have finished accessing your account. Although we work to protect the security of your account and other data that we hold in our records, please be aware that no method of transmitting data over the internet or storing data is completely secure. Specifically, we:
- (a) encrypt your User Submissions in transit using TLS 1.2 or higher;
- (b) encrypt your User Submissions at rest using AES-256 or equivalent industry-standard encryption;
- (c) maintain role-based access controls and audit logs for personnel access to production systems;
- (d) host data with reputable cloud infrastructure providers, primarily in the United States (AWS Oregon region), with media files stored on Cloudflare's globally distributed object storage network; and
- (e) maintain an incident response process designed to notify you without undue delay of any confirmed security incident materially affecting your User Submissions, consistent with applicable law.
We retain Personal Data about you for as long as you have an open account with us or as otherwise necessary to provide you with our Services. In some cases we retain such data for longer, if doing so is necessary to comply with our legal obligations, resolve disputes, or is otherwise permitted or required by applicable law, rule or regulation. We may further retain information in an anonymous or aggregated form where that information would not identify you personally.
7. Personal Data of Children
The Children's Online Privacy Protection Act ("COPPA") requires that online service providers obtain parental consent before they knowingly collect personally identifiable information online from children who are under 13 years of age. Our Services are not directed to children under 13. Also, we do not knowingly collect or solicit personally identifiable information from a child under 16. If we learn we have collected personal information from a child under 16, we will delete that information as quickly as possible. If you believe that a child under 16 years of age has provided us with Personal Data, please contact our Data Protection Officer at [email protected].
8. California Resident Rights
If you are a California resident, you have the rights set forth in this section. Please see the "Exercising Your Rights" section below for instructions regarding how to exercise these rights. If there are any conflicts between this section and any other provision of this Privacy Policy and you are a California resident, the portion that is more protective of Personal Data shall control to the extent of such conflict.
Access
You have the right to request certain information about our collection and use of your Personal Data over the past 12 months. In response, we will provide you with the following information:
- The categories of Personal Data that we have collected about you.
- The categories of sources from which that Personal Data was collected.
- The business or commercial purpose for collecting your Personal Data (we do not sell your Personal Data).
- The categories of third parties with whom we have shared your Personal Data.
- The specific pieces of Personal Data that we have collected about you.
Deletion
You have the right to request that we delete the Personal Data that we have collected about you. Under the California Consumer Privacy Act (CCPA), this right is subject to certain exceptions: for example, we may need to retain your Personal Data to provide you with the Services or complete a transaction you have requested. When you submit a deletion request, we will delete your personal information as soon as possible.
Exercising Your Rights
To exercise the rights described above, you or your Authorized Agent must send us a request that (1) provides sufficient information to allow us to verify that you are the person about whom we have collected Personal Data, and (2) describes your request in sufficient detail to allow us to understand, evaluate and respond to it. We will work to respond to your Valid Request within 45 days of receipt. You may submit a Valid Request to [email protected].
Personal Data Sales Opt-Out
We will not sell your Personal Data, and have not done so. To our knowledge, we do not sell the Personal Data of minors under 16 years of age.
9. Regional Privacy Disclosures and Rights
9.1 Residents of the European Economic Area (EEA) and United Kingdom
We are considered the "data controller" of the "personal data" (as defined under the General Data Protection Regulation, GDPR) we handle under this Policy. The laws of the EEA and the United Kingdom require data controllers to inform you of the legal basis for using, sharing, or disclosing your personal data. Our legal bases are as follows:
- Contractual Commitments: We may use, share, or disclose personal data to fulfill our contractual obligations to you.
- With Your Consent: Where required by law or in some cases, we use, share, or disclose personal data based on your consent.
- Legitimate Interests: In many cases, we use, share, or disclose personal data when it furthers our legitimate business interests and does not override the interests or fundamental rights and freedoms of affected individuals.
- Legal Compliance: We need to use and disclose personal data in certain ways to comply with our legal obligations.
In addition to the rights described in this Policy, you have the right to lodge a complaint with the relevant supervisory authority. However, we encourage you to contact us first, and we will do our best to resolve your concerns.
9.2 Residents of California
Under the California Consumer Privacy Act (CCPA), we must provide you with the "categories" of personal information and sensitive personal information we collect and disclose for business or commercial purposes. The categories of personal information include identifiers (such as account ID, email address), internet or other electronic network activity information, general geolocation data, and inferences drawn from the collected information.
Do-Not-Track disclosure: We do not respond to browser-initiated Do Not Track signals as the Internet industry is still working on standards, implementations, and solutions.
9.3 Nevada Resident Rights
If you are a resident of Nevada, you have the right to opt-out of the sale of certain Personal Data to third parties who intend to license or sell that Personal Data. We do not sell your Personal Data. If you have any questions, please contact our Data Protection Officer at [email protected] with the subject line "Nevada Do Not Sell Request."
10. Changes to This Privacy Policy
We're constantly trying to improve our Services, so we may need to change this Privacy Policy from time to time. In the event of material changes that affect your privacy, we will alert you by placing a notice within the Bloome application, by sending you an email, and/or by some other means.
11. Contact Information
If you have any questions or comments about this Privacy Policy, Bloome's handling of personal information, the ways in which we collect and use your Personal Data, or your choices and rights regarding such collection and use, please do not hesitate to contact our Data Protection Officer at:
Email: [email protected]