Privacy Policy
Bloom Space (“Bloom”, “we”) is built around the idea that the internet should feel safer. This Privacy Policy explains what data we collect, why we collect it, how we use it, who we share it with, and the rights you have over it. It applies to the Bloom mobile app, our website, and related services.
1. Who is the Data Controller
Bloom Space is the data controller for personal data processed through the Service. You can contact our privacy team at privacy@bloomspace.app. For users in the EU/UK, we will appoint a Data Protection Officer / EU Representative as required.
2. What we collect
2.1 Information you give us
- Account data — email address, sign-in identifier (Google ID, Apple ID), date of birth (required at sign-up to enforce a 13+ minimum age and to apply minor-account safeguards), display name, persona names.
- Profile data — avatar, bio, pronouns, sanctuary memberships, persona settings.
- Content you create — posts, stories, clips, voice room recordings (only when you choose to record), direct messages, reactions, comments. Direct messages are stored on Bloom servers in a form our staff can access under our internal access-control policy; see §9 Encryption.
- Support data — messages you send to our help team and any attachments.
2.2 Information collected automatically
- Device data — device model, OS version, app version, language, time zone, crash logs.
- Usage data — sanctuaries you visit, features you use, session duration, in-app events. Used in aggregate to improve the product.
- IP address — recorded with each request and stored on the device record (lastIpAddress) so we can flag unusual sign-ins. Retained for the lifetime of that device record (cleared when you remove the device or delete your account).
- Coarse location (city / country) derived from IP — automatically derived from your IP address for fraud prevention and aggregate analytics (e.g. country-level usage statistics). This is not optional and is collected for every authenticated request. We never store the raw IP alongside aggregate analytics counters; only the country / region code is retained beyond 90 days, and only in aggregate form.
- Cookies & similar — only essential cookies on the website; no advertising or third-party tracking cookies.
2.3 Location data — exact use cases
Bloom never collects precise location in the background and never uses it for advertising. Precise location (GPS, latitude/longitude) is only read when you tap a feature that needs it. The table below lists every place location data appears in Bloom, the specific use case, the legal basis (GDPR Art. 6), the retention period, and who can see it.
| Signal | Exact use case | Legal basis | Precision stored | Retention | Who can see it |
|---|---|---|---|---|---|
| Chat location share | You tap “Share location” in a direct message or sanctuary channel; your current coordinates are attached to that one message. | Contract (delivering the chat feature you initiated). | Rounded to ~110 m on the server before storage; raw GPS is discarded. | Until the message is deleted by either party (max 12 months for abuse-flagged messages). | Recipients of that conversation. |
| Post / moment / clip location tag | You explicitly tag a post, story, moment or clip with the place where it was captured. | Contract. | Place name, city, state, country, plus rounded coordinates. | Deleted with the post; backups purged within 90 days. | Anyone the post is visible to (according to that post’s visibility scope). |
| Profile location | You enter a city / state / country on your profile editor. | Contract. | City / state / country strings (text). Default is empty. | While set; cleared when you remove it or delete the account. | Other users, subject to your profile privacy settings. |
| Nearby place search (POI lookup) | You tap “Add location” while creating a post or message; your coordinates are sent to a geocoding provider to fetch nearby place names. | Contract. | Coordinates are forwarded to the active provider for the request only and are not persisted on Bloom servers. | Cached place metadata (no user link) is kept indefinitely as reference data. | The active geocoding provider (see Section 4); never shared with other users. |
| Coarse IP-derived location | Fraud / abuse detection and country-level product analytics. | Legitimate interest (security, service improvement). | Two-letter country / region code only. | Aggregate counters; per-event country code retained up to 90 days. | Internal Trust & Safety and analytics teams only. |
| Device IP address | Recorded on each sign-in to detect unusual access on your device record. | Legitimate interest (account security). | Full IP, on the device record only. | Lifetime of the device record; cleared on device removal or account deletion. | You (in security log) and our security team. |
Background location: Bloom does not request, declare, or use any background-location permission on iOS or Android. Location is only read while the app is in the foreground and only after you tap one of the actions listed above.
2.4 Permissions we may ask for (mobile)
- Camera — to take photos, record clips, and (when you join one) participate in video calls or video voice-rooms. Only used while the camera surface is open and you have started the action. Disclosed in our App Store and Google Play data-safety listings.
- Microphone — for voice rooms, voice and video calls, voice notes, and clip audio. Only active for the duration of the recording or call. Disclosed in our App Store and Google Play data-safety listings.
- Photos / Media — to let you pick existing media to upload.
- Notifications — to send you push notifications you have opted in to.
- Contacts — strictly optional. Bloom never requires contacts access in order to use the app or any feature. We only request it when you tap “Find friends”, we match locally on the device, and we do not upload your contact list to our servers.
- Location (when in use) — only requested when you tap one of the four flows in Section 2.3 (chat share, post tag, nearby-place search, profile location). We do not request “always” / background location.
2.5 Sensitive data
We do not require you to share sensitive data (race, religion, health, sexuality, political opinion). If you choose to share such data in your content, you are doing so voluntarily and consent to it being processed for the purpose of operating the Service.
3. How we use your data
We use your personal data to:
- Provide, operate and maintain the Service (legal basis: contract);
- Authenticate accounts and prevent fraud, abuse and unauthorized access (legitimate interest / legal obligation);
- Show you the right content within sanctuaries you belong to (contract);
- Moderate content and enforce our Terms (legitimate interest / legal obligation);
- Send transactional and safety notifications (contract);
- Send optional product updates if you opt in (consent);
- Improve the Service via aggregated analytics and crash reporting (legitimate interest);
- Comply with legal obligations and respond to lawful requests (legal obligation).
4. Who we share data with
We do not sell your personal data. We share limited data with:
- Cloud infrastructure providers (e.g. AWS, Google Cloud, Cloudflare) for hosting, storage and content delivery, under strict data processing agreements.
- Authentication providers (Google Sign-In, Apple Sign-In) for sign-in.
- Communications providers for sending email and push notifications.
- Real-time voice infrastructure (e.g. LiveKit) for voice rooms; recordings happen only when you start them.
- Geocoding / map providers — when you tap “Add location” we forward your coordinates to the geocoding provider currently active for your region (one of: OpenStreetMap Nominatim, Google Places, or Mapbox) so it can return nearby place names. The active provider is configurable; coordinates are not retained by Bloom for this lookup.
- Trust & Safety partners for image safety scanning (e.g. CSAM detection) and abuse classification. When a user reports a direct message, the reported message and a small amount of surrounding context may be shared with these partners and with our internal reviewers.
- Law enforcement when legally required, with a valid order. We publish a transparency report.
- Successors in the event of a merger, acquisition or asset sale, subject to the same protections.
5. International transfers
Your data may be processed in countries other than where you live, including the United States and the European Union. Where we transfer EU/UK personal data outside the EEA/UK, we rely on Standard Contractual Clauses, the UK Addendum, or other lawful mechanisms.
6. How long we keep data
- Account data — for as long as your account is active.
- Content — until you delete it; deletions propagate within 30 days, with up to 90 days for encrypted backups.
- Direct messages — kept until either party deletes them; we may keep abuse-flagged messages longer for safety review (max 12 months).
- Voice room recordings — only kept if you explicitly save them.
- Location data — see the per-purpose retention column in Section 2.3. Briefly: chat / post location follows the underlying message or post; profile location is kept until you change it; IP-derived country code is kept up to 90 days per event; device IP is kept for the lifetime of the device record.
- Support tickets — up to 24 months.
- Logs — typically 30–90 days.
7. Your rights
Depending on where you live (EU, UK, California, India, Brazil, etc.) you have some or all of the following rights:
- Access — request a copy of your data.
- Correction — fix data that is wrong or out of date.
- Deletion — request that we erase your data.
- Portability — receive your data in a machine-readable format.
- Objection / restriction — object to certain processing.
- Withdraw consent — at any time, where processing is based on consent.
- Lodge a complaint with your local data protection authority.
- California / CPRA — right to know, delete, correct, limit use of sensitive personal information, and not be discriminated against for exercising these rights.
You can exercise most rights from Settings → Privacy → Your data or by emailing privacy@bloomspace.app.
8. Children & minor safety
Bloom's minimum age is 16 globally, lowered to 13 in the United States and other jurisdictions where 13 is lawful with COPPA-equivalent safeguards. We do not knowingly collect personal information from children under 13. If we learn that a user is under 13 (or under 16 in regions where 16 applies), we delete the account and the associated data.
8.1 Age verification
Every account must enter a real date of birth at sign-up. This is not a single “tap to confirm I'm 13+” checkbox — we collect day, month and year, store the resulting age band, and use it to drive the safeguards below. Repeatedly entering inconsistent dates of birth, or being reported as under-age, results in account lock and a request for proof of age before reinstatement. The date of birth itself is only used for age-gating and applicable legal compliance; it is not shown to other users and is not used for advertising.
8.2 Safeguards for users aged 13–17
Accounts identified as belonging to a minor (13–17) are subject to the following non-overridable safeguards, applied automatically on the server:
- Direct messages from strangers are blocked by default. Inbound DMs and message-requests from users who do not share an active sanctuary with the minor are rejected at the server. The minor's messagePrivacy preference is locked to “mutual sanctuary” and cannot be relaxed.
- No in-app purchases or subscriptions are offered to minor accounts. Any paid feature requires an adult account.
- No targeted advertising. Bloom does not run third-party advertising on any account; minor accounts additionally cannot receive any sponsored placement.
- Strict default content filters on feeds, search and clip recommendations that cannot be turned off.
- Reduced notification frequency and a daily-time-spent reminder.
- Discoverability is limited — minor profiles are not surfaced to adults outside of shared sanctuaries.
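The two mechanisms above that are easiest to get wrong in practice are the date-of-birth check (§8.1) and the locked messagePrivacy preference for minors (§8.2). The following is an added example, not Bloom's own code, showing how a server can derive an age band from a full date of birth and then route every inbound DM through that band so that a minor's stored preference can never relax the mutual-sanctuary rule. The User record, the Decision values and the sanctuary names are assumptions constructed for the illustration.

```go
package main

import (
	"fmt"
	"time"
)

// AgeBand is what the server keeps from the date-of-birth check; gating
// decisions read the band, never the raw birthday.
type AgeBand int

const (
	BandUnderMinimum AgeBand = iota // under 13: refused or deleted, never served
	BandMinor                       // 13-17: non-overridable safeguards apply
	BandAdult                       // 18 and over
)

// MessagePrivacy mirrors the per-user preference the policy calls messagePrivacy.
type MessagePrivacy string

const (
	PrivacyMutualSanctuary MessagePrivacy = "mutual_sanctuary" // only users sharing a sanctuary
	PrivacyRequests        MessagePrivacy = "requests"         // strangers land in a Requests tray
)

// Decision is the server's routing outcome for a new inbound message.
type Decision string

const (
	Reject      Decision = "reject"
	Deliver     Decision = "deliver"
	RequestTray Decision = "request_tray"
)

// User is a hypothetical server-side record constructed for this example.
type User struct {
	ID             string
	Band           AgeBand
	MessagePrivacy MessagePrivacy // what the user set; not necessarily what is enforced
	Sanctuaries    map[string]bool
}

// ageOn returns whole years from dob to now, counting a birthday only once it
// has actually occurred in the current year.
func ageOn(dob, now time.Time) int {
	years := now.Year() - dob.Year()
	if now.Month() < dob.Month() || (now.Month() == dob.Month() && now.Day() < dob.Day()) {
		years--
	}
	return years
}

// BandFor maps a full date of birth (day, month, year) to the stored age band.
func BandFor(dob, now time.Time) AgeBand {
	age := ageOn(dob, now)
	switch {
	case age < 13:
		return BandUnderMinimum
	case age < 18:
		return BandMinor
	default:
		return BandAdult
	}
}

// EffectivePrivacy is the preference the server enforces. A minor's stored
// value is ignored: the band pins it to mutual-sanctuary, so no client-side
// setting can relax it.
func EffectivePrivacy(u User) MessagePrivacy {
	if u.Band == BandMinor {
		return PrivacyMutualSanctuary
	}
	return u.MessagePrivacy
}

func sharesActiveSanctuary(a, b User) bool {
	for s := range a.Sanctuaries {
		if b.Sanctuaries[s] {
			return true
		}
	}
	return false
}

// RouteInboundDM is the check run at the server for every new conversation,
// before anything is written to the recipient's inbox.
func RouteInboundDM(sender, recipient User) Decision {
	if sender.Band == BandUnderMinimum || recipient.Band == BandUnderMinimum {
		return Reject // under-age accounts are not served at all
	}
	if sharesActiveSanctuary(sender, recipient) {
		return Deliver
	}
	if EffectivePrivacy(recipient) == PrivacyRequests {
		return RequestTray // adult opted in; still needs an explicit accept
	}
	return Reject
}

func main() {
	now := time.Date(2025, time.January, 15, 0, 0, 0, 0, time.UTC)
	garden := map[string]bool{"garden": true}
	minor := User{ID: "minor", Band: BandFor(time.Date(2010, time.June, 1, 0, 0, 0, 0, time.UTC), now),
		MessagePrivacy: PrivacyRequests, Sanctuaries: garden}
	stranger := User{ID: "stranger", Band: BandAdult, Sanctuaries: map[string]bool{"forge": true}}
	friend := User{ID: "friend", Band: BandAdult, Sanctuaries: garden}
	fmt.Println(RouteInboundDM(stranger, minor)) // reject: the Requests opt-in is ignored for a minor
	fmt.Println(RouteInboundDM(friend, minor))   // deliver: shared sanctuary
}
```

The point of keeping the band rather than the birthday in the gating path is that the routing code never needs the sensitive field, and the point of EffectivePrivacy is that the rule lives in one server-side function: a client that tampers with its own messagePrivacy setting changes nothing.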
8.3 Parental contact
Parents or guardians who believe a child under 13 is using the Service can contact safety@bloomspace.app to request immediate account deletion and erasure of associated personal data. We respond to verified parental requests within 7 days.
9. Encryption — what is and isn't protected
We want to be precise here, because “encrypted” is often used loosely. The following is an accurate description of how Bloom protects your content today, and what we are working on next. If anything in this section is ever overstated in marketing copy, this section governs.
9.1 In transit
All traffic between your device and Bloom — REST API calls, WebSocket events, media uploads and downloads, voice and video signalling — is encrypted using TLS 1.2 or higher with modern cipher suites. Certificates are issued by recognised public CAs.
9.2 At rest
Account data, posts, comments, direct messages and other server-side records are stored on managed databases and object storage with disk-level AES-256 encryption. Backups are encrypted with separate keys held by our cloud provider under our control.
9.3 Direct messages and channel messages
Direct messages (1-on-1 and group DMs) and sanctuary channel messages are stored on Bloom servers in a form that our authorised staff can access. They are not end-to-end encrypted. This is the same model used by Discord, Slack, Reddit and most mainstream community platforms, and we have made this trade-off deliberately so that:
- You can report abuse in a DM and our Trust & Safety team can act on it.
- We can comply with lawful orders in the limited circumstances where we are required to.
- Sanctuary moderators and our staff can moderate channel content for safety.
- You can read your own history after reinstalling the app or signing in on a new device.
Internal access to message content is governed by least-privilege controls, audit logging, and our access policy described in §10 Security. We do not proactively read your DMs, we do not use them to train advertising or recommendation models, and we do not sell their content.
Encryption is never used to obscure rule-breaking content. When end-to-end encryption ships for voice and video (§9.5), it will not exempt anyone from our App Policy. Reported content remains actionable, metadata-based abuse signals continue to operate, and accounts that misuse encrypted surfaces to evade moderation will be removed.
9.3.1 Stranger DMs and public group chats
- No anonymous messaging to strangers by surprise. Personas are visible to recipients, every message includes the sender's persona handle and a Report action, and the receiving user always knows who is messaging them. We do not offer a “send anonymous DM” feature.
- Adult accounts can opt to receive message-requests from users outside their sanctuaries; these arrive in a separate “Requests” tray that must be accepted before a real conversation begins. Minor accounts (13–17) cannot receive these requests at all (see §8.2).
- Public sanctuary channels and group chats are moderated. Every public sanctuary has at least one human moderator with kick / ban / mute / message-delete tools, server-side rate limits, automated CSAM and abuse classifiers, and a one-tap report flow. Sanctuaries that lose active moderation are restricted from public discovery until moderation is restored. Bloom does not launch public chats as un-moderated free-for-alls.
- Sanctuary roles and permissions (owner, moderator, member, restricted) are enforced server-side and let community owners structure who can post, who can speak in voice, and who can DM members of the community.
9.4 Direct-message media (images, voice notes, files)
Media you attach to a direct message is encrypted on your device with a device-local key before it is uploaded to our servers. We store the encrypted blob; we do not store the key. This is sometimes called “client-side encryption at rest”. It is not end-to-end encryption — the recipient's device cannot derive the key from our servers, so cross-device sharing of encrypted media relies on additional infrastructure that is still being built. Practical consequences today:
- If you delete and reinstall the app, previously encrypted media may not be recoverable on the new install.
- Some encrypted media may not appear on a second device signed into the same account.
- The plaintext content of the message itself (text, mentions, reactions) is still stored as described in §9.3.
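To make the model in §9.4 concrete, here is an added example (not Bloom's client or server code) of client-side encryption at rest with AES-256-GCM: the device generates and keeps its own key, uploads only the sealed blob, and a second install on the same account, holding a freshly generated key, cannot open the server copy. The in-memory ServerStore, the message id and the voice-note bytes are constructed for the illustration; a real client would keep the key in the platform keychain or keystore.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewDeviceKey generates the 256-bit key a device keeps in its own secure
// storage (keychain / keystore). Nothing here ever sends it anywhere.
func NewDeviceKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealMedia encrypts an attachment with AES-256-GCM. The returned blob is
// nonce || ciphertext || tag, and that blob is all the server ever stores.
func SealMedia(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenMedia reverses SealMedia. Any key other than the one used to seal makes
// the GCM tag check fail, so the caller gets an error rather than garbage.
func OpenMedia(key, blob []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob shorter than nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// ServerStore is a constructed stand-in for object storage: blobs by message
// id, and no key material of any kind.
type ServerStore map[string][]byte

// CrossDeviceOutcome records what happens when the same account signs in on
// a second device that has generated its own key.
type CrossDeviceOutcome struct {
	OriginalDeviceReads bool // the device that uploaded can still decrypt
	SecondDeviceReads   bool // a fresh install on the same account can decrypt
	PlaintextOnServer   bool // the stored blob contains the attachment bytes
}

// DemoCrossDevice walks the scenario: device A seals and uploads a constructed
// voice note; device B, holding only the server copy and its own key, tries to open it.
func DemoCrossDevice() (CrossDeviceOutcome, error) {
	var out CrossDeviceOutcome
	voiceNote := []byte("constructed voice-note bytes, not a real recording")
	store := ServerStore{}

	keyA, err := NewDeviceKey()
	if err != nil {
		return out, err
	}
	blob, err := SealMedia(keyA, voiceNote)
	if err != nil {
		return out, err
	}
	store["msg-1"] = blob // upload: ciphertext only, no key

	got, err := OpenMedia(keyA, store["msg-1"])
	out.OriginalDeviceReads = err == nil && bytes.Equal(got, voiceNote)

	keyB, err := NewDeviceKey() // reinstall or second device: a new key
	if err != nil {
		return out, err
	}
	_, err = OpenMedia(keyB, store["msg-1"])
	out.SecondDeviceReads = err == nil

	out.PlaintextOnServer = bytes.Contains(store["msg-1"], voiceNote)
	return out, nil
}

func main() {
	out, err := DemoCrossDevice()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out) // {OriginalDeviceReads:true SecondDeviceReads:false PlaintextOnServer:false}
}
```

The failed decrypt on device B is exactly the “may not be recoverable on the new install” consequence listed above, and it is also why this is not end-to-end encryption in the usual sense: the missing piece is a way to move or wrap the key for the other device, not anything on the server side.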
9.5 Voice and video calls (today and roadmap)
Voice rooms and video calls today are relayed through a Selective Forwarding Unit (SFU) operated using LiveKit. Streams are encrypted in transit (DTLS-SRTP) but the SFU can, in principle, see the media. Recordings are only created when a host explicitly enables them.
We are working on end-to-end encryption for voice and video calls using an MLS-based scheme similar in spirit to Discord's DAVE protocol. When this ships, the SFU will only see opaque encrypted frames and only call participants will hold the keys needed to decrypt. We will update this section, in-app, and our changelog when this is live; until you see that update, please assume voice and video are not end-to-end encrypted.
9.6 Internal access controls
Bloom employees and contractors do not have access to your data by default. Access to production systems and message content is granted on a need-to-know basis, requires multi-factor authentication, is logged, and is reviewed periodically. Trust & Safety staff can review reported messages; engineers may access narrow slices of data to debug or restore service. We will challenge or push back on government requests we believe are unlawful or overbroad.
10. Security
In addition to the encryption described in §9, we apply strict access controls, least privilege, secret rotation, regular dependency scanning, regular penetration testing, and a documented incident-response process. No system is perfectly secure; please use a strong, unique password and enable available account-protection features.
11. Apple App Store & Google Play disclosures
This section summarises information also reflected on our store listings:
- Data linked to you — account identifiers, contact info (email), user content, identifiers, usage data, diagnostics.
- Data not linked to you — aggregated, de-identified analytics and diagnostics.
- Data used to track you — none. Bloom does not track users across other companies' apps and websites, does not share identifiers with data brokers or ad networks, and our iOS Privacy Manifest declares NSPrivacyTracking = false. Because we do not perform tracking as defined by Apple's App Tracking Transparency framework, we do not show the ATT prompt; if we ever introduce a feature that would require tracking, we will request your permission via the standard ATT system prompt before doing so.
- Google Play Data Safety — our Data Safety form on the Play Console declares the same categories as this policy: account info, user content, app activity, device IDs and crash diagnostics, plus user-initiated precise location and IP-derived coarse location. None of these are sold or shared with third parties for advertising.
- Permissions disclosed in store listings — Camera and Microphone are declared in both Privacy Nutrition Labels (App Store) and Data Safety (Play) because Bloom uses them for voice rooms, voice and video calls, voice notes, clip recording and photo/video capture as described in §2.4.
- Family / Kids — Bloom is not designed for children and is not part of any Family or Kids program.
12. Changes to this policy
We will notify you of material changes in-app or by email at least 14 days in advance. Continued use after the effective date means you accept the updated policy.
13. Contact
Privacy questions: privacy@bloomspace.app. EU/UK residents may also contact our DPO at dpo@bloomspace.app.