PRIVACY POLICY

1. PERSONAL DATA CONTROLLER

EYELLION LTD, a company registered under number HE 438880 in Limassol, Cyprus, having its registered address at Fragklinou Rousvelt, 140, 3011, will be the controller of your personal data.

2. CATEGORIES OF PERSONAL DATA WE COLLECT

We collect data you give us voluntarily (for example, when you enter your name, email). We also collect data automatically (for example, your IP address) and may receive data about you from third parties.

2.1. Data you give us

You provide us information about yourself during account creation and service use. This includes name, email address, quiz answers, and learning preferences.

2.2. Data provided by third parties

When you use 'Sign in with Apple', we receive personal data from your Apple ID account. This data may include your name and verified email address. You may choose to share your real email address or an anonymous one using the private email relay service. For detailed information about signing in with Apple, visit their privacy documentation.

When using Facebook login, we receive data from your Facebook account, including profile image, name, and Facebook ID. Unless you opt out on the Facebook Login screen, we will also collect other data, such as email address. For more information, refer to the Facebook Permissions Reference and Facebook Data Policy. You can manage your connected apps on Facebook's Apps and Websites page.

For Google sign-in, we receive your name, email address, and profile picture from your Google Account. You can control these permissions through Google's Apps Permissions page. For more details about Google's data processing, review their Privacy Policy.

2.3. Data we collect automatically

2.3.1. Source tracking

We collect data about your referring app or URL (the source where you found our service).

2.3.2. Device and Location data

We collect technical data including language settings, IP address, time zone, device type and model, operating system, internet service provider, mobile carrier, hardware ID, and your interactions with advertisements within our Service.

2.3.3. Usage data

We record your interactions with our Service, including feature usage, content engagement, session duration, and purchase activities.

2.3.4. Advertising and Tracking Identifiers

We may collect advertising identifiers through cookies, pixels, and similar technologies used by our advertising partners (such as Meta/Facebook Pixel). These identifiers help us measure advertising effectiveness and deliver relevant content. You can manage these through your browser settings or our cookie consent manager.

2.3.5. Transaction data

For payments through our Service, financial account data is processed by our third-party providers. While we don't store complete credit card numbers, we receive transaction-related data including date, time, amount, and payment method type.

2.3.6. Cookies

We use cookies and similar tracking technologies to enhance your experience. These include session cookies (temporary) and persistent cookies (remain until expiration or deletion). These assist in remembering your preferences and analyzing usage patterns.

3. FOR WHAT PURPOSES WE PROCESS YOUR PERSONAL DATA

3.1. To provide our Service

We process your personal data to deliver and maintain our Service efficiently. For hosting and backend operations, we utilize Amazon Web Services (AWS), which adheres to rigorous security standards. For details, consult the AWS Data Processing Addendum.

We employ Cloudflare to optimize content delivery, enhance application performance, and provide additional security features such as DDoS protection and Web Application Firewall. Review Cloudflare's practices in their Privacy Policy.

Supabase manages our database infrastructure, ensuring secure data storage and management. For more information, refer to their Data Processing Addendum.

3.2. To customize your experience

We process your learning preferences, quiz responses, and interaction patterns to deliver personalized educational content and recommendations tailored to your learning journey.

3.3. To manage your account

We process your data to secure account access and send essential notifications about security, payments, technical updates, and policy changes.

3.4. To provide customer support

Through Zendesk, we optimize conversations between users and support agents. This includes processing emails, purchase details, and feedback to provide efficient assistance.

3.5. To research and analyze Service usage

We employ Google Analytics and Google Tag Manager for service analysis. Review Google's practices in their Data Processing Terms.

Amplitude helps us understand user behavior and optimize features. Learn more in their Privacy Notice and Data Processing Addendum.

3.6. To send marketing communications

We utilize Reteno for marketing campaigns, enabling you to receive information about new features and special offers. You may unsubscribe through the footer of marketing emails.

3.7. To personalize our ads

We partner with platforms like Facebook Business Manager to deliver targeted advertisements. You may see our ads on Facebook or Instagram based on your interactions with our Service.

How to manage personalized advertising:

iOS: Settings → Privacy → Apple Advertising → Personalized Ads

Android: Settings → Privacy → Ads → Opt out of Ads personalization

macOS: System Preferences → Security & Privacy → Privacy → Apple Advertising → Personalized Ads

Windows: Start → Settings → Privacy → Let apps use advertising ID

Additional opt-out resources:

- Network Advertising Initiative

- Digital Advertising Alliance

- Digital Advertising Alliance (Canada)

- Digital Advertising Alliance (EU)

- DAA AppChoices page

Browser Settings:

- Internet Explorer

- Firefox

- Chrome

- Safari web and iOS

3.8. To process payments

We use Paddle and Stripe for payment processing, adhering to strict financial security standards. Review Paddle's Data Sharing Addendum and Stripe's Data Processing Agreement.

3.9. To enforce our Terms of Use and prevent fraud

We process data to maintain platform security, prevent unauthorized access, and ensure compliance with our terms of service.

3.10. To comply with legal obligations

We process data as required by applicable laws and regulations, including responding to legal requests from authorized authorities.

4. UNDER WHAT LEGAL BASES WE PROCESS YOUR PERSONAL DATA

This section applies specifically to users in the European Economic Area (EEA). For each purpose described in Section 3, we process your personal data under the following legal bases:

4.1. Your consent

Under this legal basis, we process data for marketing communications and push notifications. You maintain the right to withdraw consent at any time through the unsubscribe link in our emails or device notification settings.

4.2. Performance of our contract with you

Under this legal basis, we:

- Provide our Service according to our Terms and Conditions

- Customize your learning experience

- Provide customer support

- Process your payments

- Communicate regarding service usage

4.3. Legitimate interests

We rely on legitimate interests for:

- Service analysis and improvement, with our legitimate interest being the enhancement of user experience and feature optimization

- Advertisement personalization, with our legitimate interest being the promotion of our Service in a targeted manner

- Terms enforcement and fraud prevention, with our legitimate interest being the protection of our rights and service integrity

4.4. Legal obligations

We process data to comply with applicable laws and regulatory requirements.

5. WITH WHOM WE SHARE YOUR PERSONAL DATA

5.1. Service Providers

We share data with trusted third parties that assist in service operation, including:

- Hosting and backend providers (Amazon Web Services, Supabase, Vercel)

- Security and performance services (Cloudflare)

- Error monitoring and diagnostics (Sentry)

- Communication providers (Zendesk, Reteno)

- Analytics services (Google Analytics, Amplitude)

- Advertising and measurement networks (Meta platforms, including Facebook Pixel)

- Cookie consent management (CookieYes)

- Payment processors (Paddle, Stripe)

- Development and maintenance service providers

5.2. Law Enforcement and Legal Requirements

We may share personal data to comply with legal obligations, protect our rights, respond to law enforcement requests, or address security concerns. This includes sharing information with courts, law enforcement agencies, regulatory authorities, and other public bodies when legally required.

5.3. Business Transfers

In the event of a merger, acquisition, or sale of assets, user data may be transferred as part of the business transaction. We will notify you of any change in applicable policies.

6. HOW YOU CAN EXERCISE YOUR PRIVACY RIGHTS

To maintain control over your personal data, you have the following rights:

Accessing, reviewing, and correcting your data

You may review and modify personal data previously provided through the Service.

Deletion requests

You may request erasure of your personal data as permitted by law. In cases where we must retain certain data for legal compliance, we will inform you of such obligations.

Restricting processing

You may request limitations on the processing of your personal data or object to certain types of processing.

Additional rights for EEA users:

If you are based in the EEA, you have additional rights including:

- The right to lodge complaints with supervisory authorities

- Data portability rights to receive your data in a machine-readable format

To exercise any of these rights, please contact us at support@bloomd.app.

7. AGE LIMITATION

Our Service is designed for users aged 16 and above. We do not knowingly process personal data from individuals under 16 years of age. If we become aware that we have inadvertently collected personal information from someone under 16, we will take appropriate steps to delete such information from our records promptly. If you believe we might have collected data from or about someone under 16, please contact us immediately.

8. INTERNATIONAL DATA TRANSFERS

In providing our Service, we may transfer personal data to countries other than the country in which the data was originally collected. When transferring data from the European Economic Area (EEA) to countries not deemed to provide adequate data protection, we implement appropriate safeguards to protect your personal information.

For international transfers, we rely on legally approved mechanisms, including:

Standard Contractual Clauses (SCCs): When transferring personal data outside the EEA, we implement the Standard Contractual Clauses approved by the European Commission. You can review these clauses at the European Commission's official website.

We maintain strict data protection standards regardless of where your data is processed and ensure that all service providers adhere to these standards through appropriate contractual commitments.

9. CHANGES TO THIS PRIVACY POLICY

We reserve the right to modify this Privacy Policy as our Service evolves and to maintain compliance with emerging legal requirements. When we make material changes to this policy, we will notify you through email or prominent notifications within our Service before the changes take effect. This provides you with an opportunity to review the revised policy and decide whether to continue using our Service under the updated terms.

Your continued use of Bloomd after the effective date of any changes constitutes your acceptance of the revised Privacy Policy. We encourage you to review this policy periodically to stay informed about how we protect your personal information.

10. FOR CALIFORNIA RESIDENTS

This section supplements the rest of this Privacy Policy and applies solely to residents of California, as required by the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA").

10.1. Categories of Personal Information We Collect

In the preceding 12 months, we have collected the following categories of personal information as defined by the CCPA/CPRA:

- Identifiers: name, email address, IP address, cookie identifiers, advertising pixel identifiers, account credentials

- Internet or electronic network activity: browsing history within the Service, interactions with content, session duration, feature usage, referring URLs

- Commercial information: purchase history, subscription details, payment method type, transaction amounts

- Geolocation data: approximate location derived from IP address, time zone

- Inferences: learning preferences, content recommendations, and personalized learning plans derived from quiz responses and usage patterns

- Sensory data: profile photos provided via third-party sign-in (Google, Facebook, Apple)

10.2. How We Use Personal Information

We use the categories of personal information listed above for the business and commercial purposes described in Section 3 of this Privacy Policy.

10.3. Sale and Sharing of Personal Information

We do not "sell" personal information as defined by the CCPA/CPRA in exchange for monetary consideration. However, our use of advertising technologies (such as Meta/Facebook Pixel) may constitute "sharing" of personal information for cross-context behavioral advertising under the CPRA. The categories of personal information that may be shared for this purpose include identifiers and internet activity data. You may opt out of this sharing as described in Section 10.5 below.

10.4. Your California Privacy Rights

As a California resident, you have the following rights under the CCPA/CPRA:

- Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share your information.

- Right to Delete: You may request deletion of your personal information, subject to certain legal exceptions.

- Right to Correct: You may request correction of inaccurate personal information we maintain about you.

- Right to Opt-Out of Sharing: You may opt out of the sharing of your personal information for cross-context behavioral advertising purposes.

- Right to Limit Use of Sensitive Personal Information: If we collect sensitive personal information beyond what is necessary to provide the Service, you may request that we limit its use.

- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights. We will not deny you the Service, charge you different prices, or provide a different level of quality because you exercised your privacy rights.

10.5. How to Exercise Your Rights

To submit a request to know, delete, or correct, please email us at support@bloomd.app with "California Privacy Rights Request" in the subject line. Include your full name and the email address associated with your account. We will verify your identity before processing your request and respond within 45 days.

To opt out of the sharing of your personal information for cross-context behavioral advertising, you may adjust your cookie preferences through our cookie consent manager (powered by CookieYes) or contact us at the email above.

10.6. California "Shine the Light"

Under California Civil Code Section 1798.83, you may also request information about how we share certain categories of personal data with third parties for their direct marketing purposes. To submit such a request, email us at support@bloomd.app.

11. DATA RETENTION

We retain your personal data for as long as necessary to fulfill the purposes outlined in this Privacy Policy, including providing our Service, complying with legal obligations, resolving disputes, and enforcing our agreements. In determining appropriate retention periods, we consider multiple factors including:

The nature and sensitivity of the personal data, potential risks from unauthorized use or disclosure, the purposes for which we process the data and whether these purposes can be achieved through alternative means, applicable legal and regulatory requirements, and prevailing industry standards for data retention.

When personal data is no longer necessary for these purposes, we securely delete or anonymize it in accordance with our data retention policies and applicable law.

12. HOW "DO NOT TRACK" REQUESTS ARE HANDLED

Our Service does not currently support "Do Not Track" (DNT) browser signals. While we continuously evaluate new technologies for protecting user privacy, we cannot make any guarantees regarding our future implementation of DNT or similar privacy control mechanisms. To understand how third-party services used by our platform handle DNT signals, please consult their respective privacy policies.

You can learn more about DNT at All About DNT.

13. CONTACT US

For any questions, concerns, or requests related to this Privacy Policy or the processing of your personal data, please contact us at: