Legal

Security

Security is built into how Bloom works, not added on top. Here's what that means in practice.

Last updated: 16 May 2026 Found a vulnerability? hello@bloomseo.app

Your data is encrypted

All traffic between your browser and Bloom is encrypted in transit. Data stored on our servers - including your project data and any credentials you share for task fulfilment - is encrypted at rest. Passwords are never stored in plaintext; we use industry-standard hashing that makes brute-force attacks impractical.

Payments are handled by Stripe

All payments are processed by Stripe, a PCI DSS Level 1 certified payment processor. Your card details are entered directly on Stripe's secure pages and never pass through or touch our servers. We store only a transaction reference for your billing history.

Your workspace is yours alone

Every Bloom workspace is strictly isolated. You can only access the projects and data within your own account - there is no mechanism for one customer's data to be visible to another. Sessions expire after inactivity and are protected by cryptographically signed tokens.

Google connections are read-only

When you connect Google Search Console or Google Analytics 4, we request read-only access scoped to those services only. We cannot make changes to your Google account, and you can disconnect at any time from your Google Account security settings.

Data stays in Europe

Your data is stored and processed within the European Union. We do not transfer personal data outside of the UK/EU except where required to deliver the service (for example, payment processing by Stripe).

Responsible disclosure

If you believe you've found a security vulnerability in Bloom, please tell us before disclosing it publicly. Email hello@bloomseo.app with a description of the issue. We will acknowledge your report within 3 business days and work with you to resolve it promptly.

Please don't access, modify, or delete data belonging to other users while investigating. We appreciate responsible researchers and will credit those who report valid issues (with their permission).

What we will never do

  • Sell your data to third parties.
  • Use your website data to train AI models for purposes outside of delivering Bloom's service to you.
  • Store your payment card details.
  • Use your Google OAuth access for anything beyond the specific APIs you authorised.