Legal

Privacy Policy

How we collect, use, and protect your information when you use Bloom.

Effective date: 16 May 2026 · Bloom SEO · United Kingdom · Questions? hello@bloomseo.app

1. Who we are

Bloom is operated by Bloom SEO, a company registered in England and Wales. References to "Bloom", "we", "us", or "our" in this policy refer to Bloom SEO.

We are the data controller for personal data processed through bloomseo.app and app.bloomseo.app. Where we use third-party processors (Stripe, Google, AWS), they process data only on our instructions.

If you have any questions about this policy, contact us at hello@bloomseo.app.

2. What data we collect

Account data

When you create a Bloom account, we collect your name, email address, and a securely hashed password. We never store your password in plaintext.

Project and website data

You provide website URLs, keywords, and competitor domains when setting up projects. Bloom analyses these sites via the Google Search Console and Google Analytics 4 APIs, using only the data you explicitly authorise us to access.

Google integration data

If you connect Google Search Console or Google Analytics 4, we store OAuth tokens scoped to those services. We request read-only access. We do not access your Google account for any other purpose, and you can revoke access at any time from your Google Account settings.

Payment data

Payments are processed by Stripe (a PCI DSS Level 1 compliant processor). We do not store card numbers, CVV codes, or full payment details on our servers. We store a Stripe customer ID and a record of transactions for billing and legal purposes.

Usage and analytics data

We use Google Analytics 4 (GA4) to understand how people use our marketing site and application. GA4 collects anonymised data about pages visited, session duration, and events (such as signing up or initiating a checkout). We have configured GA4 with Consent Mode v2.

Communications

When you contact us by email or when we send you transactional emails (e.g. task completion notices, payment receipts), we store those communications.

Technical data

Our servers log standard access information: IP addresses, browser type, referring pages, and timestamps. Logs are retained for 30 days for security and debugging purposes.

3. How we use your data

  • To provide the service - running SEO audits, generating ranked task lists, storing your project data, and delivering Hand-to-Bloom fulfilment.
  • To process payments - billing for additional sites and Hand-to-Bloom tasks via Stripe.
  • To send transactional emails - payment receipts, task completion notices, and account security alerts.
  • To improve the product - aggregated, anonymised analytics help us understand which features are useful.
  • To comply with legal obligations - financial records, fraud prevention, and responding to lawful requests.

4. Legal basis for processing (UK GDPR)

  • Contract performance (Article 6(1)(b)) - processing your account and project data to deliver the service you signed up for.
  • Legitimate interests (Article 6(1)(f)) - analytics, fraud prevention, improving the product, and security monitoring.
  • Consent (Article 6(1)(a)) - analytics cookies on our marketing site (you can withdraw consent at any time).
  • Legal obligation (Article 6(1)(c)) - financial and tax records required by law.

5. Who we share your data with

We do not sell your personal data. We share it only with the following processors, bound by data processing agreements:

  • Amazon Web Services (AWS) - hosts our application servers, database (RDS), and file storage (S3) in the eu-west-2 region (London).
  • Stripe - processes payments. Stripe's privacy policy applies to card data.
  • Google - GA4 analytics (marketing site and app) and Google Search Console/GA4 API access for project analysis.
  • Postmark / email provider - sends transactional emails on our behalf.

We may also disclose data where required by law, court order, or to protect the rights and safety of Bloom, our users, or the public.

6. International transfers

Your data is primarily processed within the UK and EU (AWS eu-west-2). Some of our processors (Stripe, Google) may transfer data internationally. Where they do, they rely on Standard Contractual Clauses or equivalent UK adequacy mechanisms.

7. How long we keep your data

  • Account data - for the lifetime of your account, plus 90 days after deletion (to allow data export and resolve disputes).
  • Project data - retained while your account is active; deleted within 90 days of account closure.
  • Payment records - 7 years, as required by UK financial regulations.
  • Server logs - 30 days.
  • Google OAuth tokens - until you revoke access or close your account.

8. Your rights

Under UK GDPR, you have the right to:

  • Access - request a copy of the personal data we hold about you.
  • Rectification - ask us to correct inaccurate data.
  • Erasure - request deletion of your data (subject to legal retention requirements).
  • Portability - receive your data in a machine-readable format.
  • Restriction - ask us to restrict processing in certain circumstances.
  • Objection - object to processing based on legitimate interests.
  • Withdraw consent - at any time, where processing is based on consent.

To exercise any of these rights, email hello@bloomseo.app. We will respond within 30 days. If you are unhappy with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

9. Cookies

Our marketing site uses cookies set by Google Analytics 4. We use Consent Mode v2, which means GA4 operates in cookieless mode unless you consent. The application (app.bloomseo.app) uses a session cookie for authentication - this is strictly necessary and does not require consent.

10. Changes to this policy

We may update this policy as our product evolves or legislation changes. Material changes will be notified by email or an in-app banner. The effective date at the top of this page reflects the most recent version.