Privacy & Cookie Policy

Effective Date: June 11, 2026

At BloomDash (referred to herein as "BloomDash", the "Platform", "we", "us", or "our"), your privacy is a foundational priority. We operate a SaaS-based client portal and an accompanying marketing website located at bloomdash.app (collectively, the "Services"). This Privacy & Cookie Policy (this "Policy") provides a comprehensive explanation of how we collect, process, use, store, transfer, and protect your personal information and metadata, as well as the choices and rights you possess under applicable data privacy frameworks, including the European Union's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

Please read this Policy carefully. If you do not agree with our data handling methodologies, cookie controls, or system boundaries, you must immediately terminate your access to the client portal and discontinue your use of all associated resources.

1. Detailed Categorization of Collected Information

We collect various types of information to deliver, monitor, and optimize the Services. This information is categorized as follows:

A. Personal Data Provided Directly by You

We collect personal information that you voluntarily submit to the Platform when creating an account, configuring your agency profile, inviting team members or clients, submitting billing details, or requesting support. This includes:

  • Account and Registration Details: First and last name, professional email address, hashed credentials, and optional profile pictures.
  • Agency and Studio Profiles: Studio name, branding identifiers, custom portal subdomains or slugs, brand assets (including hex color codes, logos, typography settings, CSS tokens, and marketing messages), and custom domain configurations (including DNS CNAME mapping values).
  • Client and Workspace Collaboration Data: Invitee names, invitee emails, project descriptors, task updates, milestone dates, communication logs, comments, feedback notes, and invoices.
  • Billing Verification Data: Subscription tier selections, company name, billing email, country, state, zip code, and VAT or tax registration identifiers.
  • Sensitive Billing and Credit Card Data Disclaimer: All credit card numbers, card expiration dates, card verification values (CVVs), bank routing numbers, and direct payment authorizations are collected and processed **exclusively and directly** by our secure third-party Merchant of Record, Dodo Payments, under PCI-DSS compliance frameworks. BloomDash does not host, store, or process full primary account numbers (PANs) or CVVs on our application databases.
  • Support Tickets and Bug Reports: Ticket titles, descriptive steps, runtime error code screenshots, and screen recordings containing system information, which you choose to attach when raising a ticket.

B. Automatically Collected Technical Metadata (Usage Data)

When you visit our marketing website or log into the client portal dashboard, our servers and subprocessing monitoring tools automatically capture specific device, network, and navigation metadata. This includes:

  • Network and Connection Properties: Internet Protocol (IP) address, approximate geographic coordinates (resolved at the country and city level on our secure server-side endpoint `/api/geo` and not kept in persistent logs), internet service provider (ISP), and connection latency times.
  • Device and Software Configurations: User-agent strings, web browser types and versions, operating systems, screen resolutions, system language, and device identifiers.
  • Application Telemetry: Navigation paths, page views, click coordinates, time spent on specific features, interaction timestamps, search queries, and session state sequences.
  • System Reliability Logs: Javascript runtime errors, serverless edge function execution parameters, database query exceptions, memory leak metrics, and overall crash logs.

2. Cookie Architecture, Local Storage, and Privacy Toggles

BloomDash uses cookie variables, localStorage keys, and web beacons to maintain active user sessions, secure portal endpoints, store styling configurations, and analyze platform performance. We maintain a strict boundary between essential operational files and non-essential analytical scripts.

A. Marketing Website Tracking (bloomdash.app)

On our public marketing pages, non-essential third-party analytics trackers (such as PostHog) are blocked by default. These tools will only activate if you explicitly opt-in via our cookie consent banner. Upon selection, your preference is saved in your browser as a functional cookie named `bloomdash_cookie_consent` to ensure we respect your choices on subsequent visits.

B. Client Portal Authentication and Core Operation (bloomdash.app)

When accessing the client portal, we utilize cookies that are strictly necessary for security and core platform operations. These cookies are exempt from standard opt-in consent requirements because the portal cannot function without them. Specifically, we set:

  • `sb-access-token`: A secure Json Web Token (JWT) that authenticates your request to our backend database.
  • `sb-refresh-token`: A secure credential used to automatically refresh your database authentication session without requiring you to re-enter your credentials.

C. In-App Privacy Controls and localStorage Settings

Within your account portal settings page, you can customize your tracking preferences. These preferences are stored locally in your browser's localStorage using the following keys:

  • `bloomdash_cookie_consent`: Records your explicit analytics choice (`accepted` or `rejected`). Analytics via PostHog are OFF by default and only activate when this is set to `accepted` — via the cookie banner or the portal privacy toggle. Any other state calls `posthog.opt_out_capturing()` to cease all telemetry recording.
  • `nb_functional_cookies`: A flag controlling whether the portal stores UI preferences, dark/light mode configurations, and sidebar collapses.
  • `nb_crash_reports`: A boolean flag managing whether runtime Javascript exceptions and stack traces are transmitted to Sentry. If set to `false`, the Sentry SDK is programmatically initialized to bypass crash logging.

3. Legal Bases and Specific Purposes of Data Processing

We process your personal information under the following legal bases in compliance with Article 6 of the GDPR:

  • Performance of a Contract: We process your account registration, studio configuration, and workspace communication records to establish, maintain, and secure your client portal. This includes syncing subscription upgrades and renewal events via Dodo Payments.
  • Legitimate Interests: We analyze usage telemetry and exception logs via Sentry to resolve code bugs, prevent database lockups, monitor infrastructure scaling, and protect the platform from fraudulent or abusive activities.
  • Consent: When you opt-in to non-essential analytics tracking or marketing communications. You have the right to withdraw this consent at any time through your portal privacy settings.
  • Legal Obligations: We retain transactional tax coordinates, billing histories, and verification logs to comply with financial regulations and audit requests.

4. Data Isolation and Row-Level Security (RLS)

BloomDash is designed around a secure multi-tenant architecture. All client portal databases (hosted via Supabase) enforce PostgreSQL Row-Level Security (RLS) policies. Every read, write, update, and delete operation is constrained by the authenticated user's organization identifier. This security boundary ensures that:

  • No client guest account can view, modify, or list tasks, message feeds, or comments belonging to another company's workspace.
  • File attachments and deliverables uploaded to storage buckets are assigned to unique paths protected by RLS rules, and are accessed using secure, time-limited signed URLs that exceed sixty (60) minutes.
  • Database administrative bypass credentials are not accessible by browser clients, and serverless edge functions operate under strict privilege boundaries.

5. Data Retention, Archiving, and Purging Protocols

We retain your personal data only for as long as your account remains active, or as required to fulfill the business operations outlined in this Policy:

  • Active Account Data: Data in your active workspaces is stored indefinitely while your account is active. If you cancel your subscription, your data is retained in a dormant state for a standard period of ninety (90) days to allow you to re-activate your account or download your assets. After ninety (90) days, the database entries and associated storage bucket files are flagged for deletion.
  • Onboarding & Draft Sessions: Temporary onboarding inputs and uncompleted file uploads are automatically purged from our temporary buckets within seven (7) days of session inactivity.
  • Billing History: Core invoicing metadata, transaction IDs, and tax records are archived for a minimum period of seven (7) years to comply with tax laws.
  • Backups: Full database backups are encrypted and stored in secondary regions for disaster recovery. Backups are rotated and overwritten every thirty (30) days, meaning deleted data may remain in backup archives for up to thirty days post-deletion.

6. Third-Party Subprocessors and Data Transfers

We do not sell, trade, rent, or monetize your personal data. We disclose specific categories of information to our verified subprocessors solely to deliver, secure, and monitor the Services. All subprocessors are contractually bound by Data Processing Addendums (DPAs) incorporating standard contractual clauses (SCCs) to ensure equivalent data protection levels.

Swipe to view all columns
SubprocessorPurpose of ProcessingData LocationCompliance Standard
Supabase, Inc.Database hosting, authentication services, workspace records, and secure storage buckets.Ireland (EU)GDPR Compliant, SCCs, SOC2
Vercel Inc.Application routing, web hosting, serverless API execution, and custom domain SSL configurations.United StatesGDPR Compliant, SCCs, ISO 27001
PostHog, Inc.Product usage analytics, navigation mapping, and interaction telemetry.United StatesGDPR Compliant, SCCs, CCPA Compliant
SentryReal-time Javascript error tracking, crash monitoring, and API diagnostic reports.United StatesSCCs, SOC2, CCPA Compliant
Resend, Inc.Transactional emails, OTP codes, portal invites, and custom notifications.United StatesSCCs, GDPR Compliant
Dodo Payments, Inc.Merchant of Record, subscription billing processing, invoice distribution, and tax compliance.United StatesPCI-DSS Level 1, SCCs, GDPR Compliant
Linear Orbit, Inc.Internal support ticket synchronization and bug management.United StatesSCCs, SOC2
Google LLCOptional single sign-on — only if you choose to authenticate with your Google account.United StatesGDPR Compliant, SCCs
Microsoft CorporationOptional single sign-on — only if you choose to authenticate with your Microsoft account.United StatesGDPR Compliant, SCCs
Firma.devElectronic-signature processing for the Signatures feature — only when you send an agreement for signing. Receives the signer's name and email and the document being signed.United StatesSCCs, GDPR Compliant, eIDAS/ESIGN
Groq, Inc.AI inference for the Agent assistant — processes the prompts you type into the assistant to generate responses. Conversations are not stored. Do not enter personal data you do not wish to share.United StatesSCCs
NangoThird-party integration authorization (OAuth) — only when you connect an external app (e.g. Notion, Calendly). Manages the connection tokens for the tools you choose to embed.United StatesSCCs, GDPR Compliant

All subprocessors operating outside of the European Economic Area (EEA) are contractually bound to standard contractual clauses (SCCs) or other legally recognized adequacy transfer frameworks to ensure compliance with global privacy regulations (such as GDPR).

7. Your Rights Under GDPR & CCPA

Depending on your country or state of residence (including the EEA, UK, and California), you may possess legal rights regarding your personal data. These rights include:

  • Right of Access: The right to request copies of the personal data we hold about you.
  • Right to Rectification: The right to require us to correct any inaccurate or incomplete personal data.
  • Right to Erasure (Right to be Forgotten): The right to request the deletion of your personal data under certain conditions.
  • Right to Data Portability: The right to obtain your data in a structured, commonly used, machine-readable format.
  • Right to Restrict or Object: The right to limit how we process your personal data, or object to specific processing operations.
  • Right to Opt-Out: Under CCPA, you have the right to opt-out of the "sale" or "sharing" of your personal information (BloomDash does not sell or share your data for commercial gain).
  • Right to Non-Discrimination: We will not discriminate against you in pricing, service quality, or availability for exercising your privacy rights.

To exercise any of these rights, please submit a written request to us at hi@bloomdash.app. We will verify your identity and respond within thirty (30) days in accordance with applicable laws.

8. Children's Privacy

The Services are intended for individuals who are at least 18 years of age. We do not knowingly collect, store, or process personal data from children under the age of 18. If you become aware that a minor has provided us with personal information, please contact us immediately at hi@bloomdash.app so we can delete it.

9. Changes to This Policy

We may update this Privacy & Cookie Policy from time to time. When we make updates, we will adjust the "Last updated" date at the top of this page. We recommend checking this page periodically to stay informed about how we protect your information. Your continued use of the Services following updates constitutes your acceptance of the revised policy.

10. Contact Us

If you have any questions, concerns, or complaints regarding our privacy practices, cookie configurations, or data handling, please reach out to us at hi@bloomdash.app.

We use only strictly-necessary cookies by default. With your consent, we’d also use privacy-friendly analytics to understand how the site is used. You can change this anytime. Privacy Policy