Privacy & Cookie Policy
Effective Date: June 11, 2026
At BloomDash (referred to herein as "BloomDash", the "Platform", "we", "us", or "our"), your privacy is a foundational priority. We operate a SaaS-based client portal and an accompanying marketing website located at bloomdash.app (collectively, the "Services"). This Privacy & Cookie Policy (this "Policy") provides a comprehensive explanation of how we collect, process, use, store, transfer, and protect your personal information and metadata, as well as the choices and rights you possess under applicable data privacy frameworks, including the European Union's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
Please read this Policy carefully. If you do not agree with our data handling methodologies, cookie controls, or system boundaries, you must immediately terminate your access to the client portal and discontinue your use of all associated resources.
1. Detailed Categorization of Collected Information
We collect various types of information to deliver, monitor, and optimize the Services. This information is categorized as follows:
A. Personal Data Provided Directly by You
We collect personal information that you voluntarily submit to the Platform when creating an account, configuring your agency profile, inviting team members or clients, submitting billing details, or requesting support. This includes:
- Account and Registration Details: First and last name, professional email address, hashed credentials, and optional profile pictures.
- Agency and Studio Profiles: Studio name, branding identifiers, custom portal subdomains or slugs, brand assets (including hex color codes, logos, typography settings, CSS tokens, and marketing messages), and custom domain configurations (including DNS CNAME mapping values).
- Client and Workspace Collaboration Data: Invitee names, invitee emails, project descriptors, task updates, milestone dates, communication logs, comments, feedback notes, and invoices.
- Billing Verification Data: Subscription tier selections, company name, billing email, country, state, zip code, and VAT or tax registration identifiers.
- Sensitive Billing and Credit Card Data Disclaimer: All credit card numbers, card expiration dates, card verification values (CVVs), bank routing numbers, and direct payment authorizations are collected and processed **exclusively and directly** by our secure third-party Merchant of Record, Dodo Payments, under PCI-DSS compliance frameworks. BloomDash does not host, store, or process full primary account numbers (PANs) or CVVs on our application databases.
- Support Tickets and Bug Reports: Ticket titles, descriptive steps, runtime error code screenshots, and screen recordings containing system information, which you choose to attach when raising a ticket.
B. Automatically Collected Technical Metadata (Usage Data)
When you visit our marketing website or log into the client portal dashboard, our servers and subprocessing monitoring tools automatically capture specific device, network, and navigation metadata. This includes:
- Network and Connection Properties: Internet Protocol (IP) address, approximate geographic coordinates (resolved at the country and city level on our secure server-side endpoint `/api/geo` and not kept in persistent logs), internet service provider (ISP), and connection latency times.
- Device and Software Configurations: User-agent strings, web browser types and versions, operating systems, screen resolutions, system language, and device identifiers.
- Application Telemetry: Navigation paths, page views, click coordinates, time spent on specific features, interaction timestamps, search queries, and session state sequences.
- System Reliability Logs: Javascript runtime errors, serverless edge function execution parameters, database query exceptions, memory leak metrics, and overall crash logs.
2. Cookie Architecture, Local Storage, and Privacy Toggles
BloomDash uses cookie variables, localStorage keys, and web beacons to maintain active user sessions, secure portal endpoints, store styling configurations, and analyze platform performance. We maintain a strict boundary between essential operational files and non-essential analytical scripts.
A. Marketing Website Tracking (bloomdash.app)
On our public marketing pages, non-essential third-party analytics trackers (such as PostHog) are blocked by default. These tools will only activate if you explicitly opt-in via our cookie consent banner. Upon selection, your preference is saved in your browser as a functional cookie named `bloomdash_cookie_consent` to ensure we respect your choices on subsequent visits.
B. Client Portal Authentication and Core Operation (bloomdash.app)
When accessing the client portal, we utilize cookies that are strictly necessary for security and core platform operations. These cookies are exempt from standard opt-in consent requirements because the portal cannot function without them. Specifically, we set:
- `sb-access-token`: A secure Json Web Token (JWT) that authenticates your request to our backend database.
- `sb-refresh-token`: A secure credential used to automatically refresh your database authentication session without requiring you to re-enter your credentials.
C. In-App Privacy Controls and localStorage Settings
Within your account portal settings page, you can customize your tracking preferences. These preferences are stored locally in your browser's localStorage using the following keys:
- `bloomdash_cookie_consent`: Records your explicit analytics choice (`accepted` or `rejected`). Analytics via PostHog are OFF by default and only activate when this is set to `accepted` — via the cookie banner or the portal privacy toggle. Any other state calls `posthog.opt_out_capturing()` to cease all telemetry recording.
- `nb_functional_cookies`: A flag controlling whether the portal stores UI preferences, dark/light mode configurations, and sidebar collapses.
- `nb_crash_reports`: A boolean flag managing whether runtime Javascript exceptions and stack traces are transmitted to Sentry. If set to `false`, the Sentry SDK is programmatically initialized to bypass crash logging.
3. Legal Bases and Specific Purposes of Data Processing
We process your personal information under the following legal bases in compliance with Article 6 of the GDPR:
- Performance of a Contract: We process your account registration, studio configuration, and workspace communication records to establish, maintain, and secure your client portal. This includes syncing subscription upgrades and renewal events via Dodo Payments.
- Legitimate Interests: We analyze usage telemetry and exception logs via Sentry to resolve code bugs, prevent database lockups, monitor infrastructure scaling, and protect the platform from fraudulent or abusive activities.
- Consent: When you opt-in to non-essential analytics tracking or marketing communications. You have the right to withdraw this consent at any time through your portal privacy settings.
- Legal Obligations: We retain transactional tax coordinates, billing histories, and verification logs to comply with financial regulations and audit requests.
4. Data Isolation and Row-Level Security (RLS)
BloomDash is designed around a secure multi-tenant architecture. All client portal databases (hosted via Supabase) enforce PostgreSQL Row-Level Security (RLS) policies. Every read, write, update, and delete operation is constrained by the authenticated user's organization identifier. This security boundary ensures that:
- No client guest account can view, modify, or list tasks, message feeds, or comments belonging to another company's workspace.
- File attachments and deliverables uploaded to storage buckets are assigned to unique paths protected by RLS rules, and are accessed using secure, time-limited signed URLs that exceed sixty (60) minutes.
- Database administrative bypass credentials are not accessible by browser clients, and serverless edge functions operate under strict privilege boundaries.
5. Data Retention, Archiving, and Purging Protocols
We retain your personal data only for as long as your account remains active, or as required to fulfill the business operations outlined in this Policy:
- Active Account Data: Data in your active workspaces is stored indefinitely while your account is active. If you cancel your subscription, your data is retained in a dormant state for a standard period of ninety (90) days to allow you to re-activate your account or download your assets. After ninety (90) days, the database entries and associated storage bucket files are flagged for deletion.
- Onboarding & Draft Sessions: Temporary onboarding inputs and uncompleted file uploads are automatically purged from our temporary buckets within seven (7) days of session inactivity.
- Billing History: Core invoicing metadata, transaction IDs, and tax records are archived for a minimum period of seven (7) years to comply with tax laws.
- Backups: Full database backups are encrypted and stored in secondary regions for disaster recovery. Backups are rotated and overwritten every thirty (30) days, meaning deleted data may remain in backup archives for up to thirty days post-deletion.
6. Third-Party Subprocessors and Data Transfers
We do not sell, trade, rent, or monetize your personal data. We disclose specific categories of information to our verified subprocessors solely to deliver, secure, and monitor the Services. All subprocessors are contractually bound by Data Processing Addendums (DPAs) incorporating standard contractual clauses (SCCs) to ensure equivalent data protection levels.
| Subprocessor | Purpose of Processing | Data Location | Compliance Standard |
|---|---|---|---|
| Supabase, Inc. | Database hosting, authentication services, workspace records, and secure storage buckets. | Ireland (EU) | GDPR Compliant, SCCs, SOC2 |
| Vercel Inc. | Application routing, web hosting, serverless API execution, and custom domain SSL configurations. | United States | GDPR Compliant, SCCs, ISO 27001 |
| PostHog, Inc. | Product usage analytics, navigation mapping, and interaction telemetry. | United States | GDPR Compliant, SCCs, CCPA Compliant |
| Sentry | Real-time Javascript error tracking, crash monitoring, and API diagnostic reports. | United States | SCCs, SOC2, CCPA Compliant |
| Resend, Inc. | Transactional emails, OTP codes, portal invites, and custom notifications. | United States | SCCs, GDPR Compliant |
| Dodo Payments, Inc. | Merchant of Record, subscription billing processing, invoice distribution, and tax compliance. | United States | PCI-DSS Level 1, SCCs, GDPR Compliant |
| Linear Orbit, Inc. | Internal support ticket synchronization and bug management. | United States | SCCs, SOC2 |
| Google LLC | Optional single sign-on — only if you choose to authenticate with your Google account. | United States | GDPR Compliant, SCCs |
| Microsoft Corporation | Optional single sign-on — only if you choose to authenticate with your Microsoft account. | United States | GDPR Compliant, SCCs |
| Firma.dev | Electronic-signature processing for the Signatures feature — only when you send an agreement for signing. Receives the signer's name and email and the document being signed. | United States | SCCs, GDPR Compliant, eIDAS/ESIGN |
| Groq, Inc. | AI inference for the Agent assistant — processes the prompts you type into the assistant to generate responses. Conversations are not stored. Do not enter personal data you do not wish to share. | United States | SCCs |
| Nango | Third-party integration authorization (OAuth) — only when you connect an external app (e.g. Notion, Calendly). Manages the connection tokens for the tools you choose to embed. | United States | SCCs, GDPR Compliant |
All subprocessors operating outside of the European Economic Area (EEA) are contractually bound to standard contractual clauses (SCCs) or other legally recognized adequacy transfer frameworks to ensure compliance with global privacy regulations (such as GDPR).
7. Your Rights Under GDPR & CCPA
Depending on your country or state of residence (including the EEA, UK, and California), you may possess legal rights regarding your personal data. These rights include:
- Right of Access: The right to request copies of the personal data we hold about you.
- Right to Rectification: The right to require us to correct any inaccurate or incomplete personal data.
- Right to Erasure (Right to be Forgotten): The right to request the deletion of your personal data under certain conditions.
- Right to Data Portability: The right to obtain your data in a structured, commonly used, machine-readable format.
- Right to Restrict or Object: The right to limit how we process your personal data, or object to specific processing operations.
- Right to Opt-Out: Under CCPA, you have the right to opt-out of the "sale" or "sharing" of your personal information (BloomDash does not sell or share your data for commercial gain).
- Right to Non-Discrimination: We will not discriminate against you in pricing, service quality, or availability for exercising your privacy rights.
To exercise any of these rights, please submit a written request to us at hi@bloomdash.app. We will verify your identity and respond within thirty (30) days in accordance with applicable laws.
8. Children's Privacy
The Services are intended for individuals who are at least 18 years of age. We do not knowingly collect, store, or process personal data from children under the age of 18. If you become aware that a minor has provided us with personal information, please contact us immediately at hi@bloomdash.app so we can delete it.
9. Changes to This Policy
We may update this Privacy & Cookie Policy from time to time. When we make updates, we will adjust the "Last updated" date at the top of this page. We recommend checking this page periodically to stay informed about how we protect your information. Your continued use of the Services following updates constitutes your acceptance of the revised policy.
10. Contact Us
If you have any questions, concerns, or complaints regarding our privacy practices, cookie configurations, or data handling, please reach out to us at hi@bloomdash.app.