Privacy Policy

Last updated: May 28, 2026

We take the protection of your data seriously. In this privacy policy we explain transparently what data we process, what we use it for, and what rights you have. If you have any questions, reach out to us at any time.

1. Data controller

The data controller responsible for the processing of personal data within the meaning of Art. 4(7) GDPR is:

bloomnow (in the process of incorporation as bloomnow FlexCo)
represented by Anna Christine Enzinger
Unter Bregarten 22/1
2482 Münchendorf, Austria
Email: ace@bloomnow.ai

As soon as bloomnow FlexCo is registered in the Austrian commercial register, responsibility will transfer to the FlexCo. We will update this policy accordingly.

2. Data protection contact

Roxane Hunot, co-founder of bloomnow, is the internal point of contact for all data protection matters.

Email: rh@bloomnow.ai

You can address any question about the processing of your data directly to her.

3. General principles

We only process personal data to the extent necessary to provide our website and services and to fulfil legal obligations. Processing is carried out only on one of the following legal bases under Art. 6(1) GDPR:

  • (a) consent
  • (b) performance of a contract or pre-contractual measures
  • (c) compliance with a legal obligation
  • (f) legitimate interests

For special categories of personal data within the meaning of Art. 9 GDPR (e.g. health data) we process data exclusively on the basis of your explicit consent pursuant to Art. 9(2)(a) GDPR.

4. Processing activities in detail

4.1 Visiting the website (server logs)

When you visit our website, our hosting provider automatically records technical data that your browser transmits:

  • IP address (shortened or anonymized where technically possible)
  • date and time of the request
  • page or file requested
  • browser and operating system used
  • referrer URL

This data is processed to provide the website technically, to ensure its stability and security and to defend against attacks. The legal basis is Art. 6(1)(f) GDPR (legitimate interest). Server logs are deleted after a maximum of 30 days.

4.2 Cookies and consent management

We use cookies on our website — small text files stored in your browser. We distinguish between:

  • Strictly necessary cookies required for the website to function. Legal basis: Art. 6(1)(f) GDPR.
  • Optional cookies (e.g. for web analytics or embedded content) that are only set with your consent. Legal basis: Art. 6(1)(a) GDPR.

Optional cookies (in particular for web analytics and audience measurement, and for measuring advertising performance) are only set after you have consented via our cookie banner. We do not use a third-party tool for this, but a lightweight in-house consent solution combined with Google Consent Mode v2. Until you consent, analytics- and advertising-related storage access (in particular cookies) remains disabled; in this state Google services run without cookies and without recognising you.

We store your choice locally in your browser (localStorage) so the banner does not reappear on every visit. You can withdraw or adjust any consent given at any time, with effect for the future, via the "Cookie settings" link in the footer of every page. Withdrawing is as easy as giving consent.

4.3 Web analytics and marketing (Google services)

On the basis of your consent (Art. 6(1)(a) GDPR) we use the following services provided by Google Ireland Ltd. (Gordon House, Barrow Street, Dublin 4, Ireland; parent company Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). You can withdraw your consent at any time via "Cookie settings" in the footer.

Google Tag Manager. We use Google Tag Manager to deliver the tags (scripts) below in a managed way. Tag Manager itself does not set cookies and does not collect personal data for analytics purposes; it only controls the consent-based loading of the other services.

Google Analytics 4. We use Google Analytics 4 to understand how our website is used (e.g. pages visited, time on page, approximate location, device and browser information). A pseudonymous identifier (client ID) and your truncated IP address are processed; we do not directly attribute this to you. We operate Google Analytics with IP truncation enabled and without combining it with other data sources.

Google Ads (conversion tracking and remarketing). We measure the performance of our ads (e.g. whether a sign-up follows an ad click) and may serve advertising on that basis. Google may set cookies for this purpose if you have consented.

The data collected by these services may be transferred to the USA. For this we rely on the EU-US Data Privacy Framework (Google LLC is certified) and additionally on standard contractual clauses pursuant to Art. 46 GDPR. For more information, see Google's privacy policy at policies.google.com/privacy.

4.4 Waitlist sign-up (early access)

When you sign up for early access, we process the following data in order to inform you about the launch of bloomnow and to send you a confirmation:

  • name (optional)
  • email address
  • language preference (German or English)
  • time of sign-up

After sign-up you receive a confirmation email. The legal basis is your consent under Art. 6(1)(a) GDPR. You can unsubscribe at any time by sending a message to rh@bloomnow.ai. After you unsubscribe, we delete your data within 30 days, unless a statutory retention obligation applies.

To manage the waitlist and send confirmation emails we use an in-house solution built on Google Apps Script and Gmail (Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland; parent company Google LLC, USA). The data is stored in a Google Sheet in the EU region. As soon as we switch to a dedicated newsletter tool, we will list the provider here.

4.5 Embedded videos and social embeds

Our website contains embedded YouTube videos (e.g. introduction videos and voices from our advisory board). When you click the video thumbnail we load the YouTube player and your browser establishes a connection to YouTube's servers, transmitting at least your IP address.

Providers and possible transfers to third countries:

  • YouTube: Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland; parent company Google LLC, USA

The legal basis is your consent under Art. 6(1)(a) GDPR, which you give by clicking the thumbnail. For transfers to the United States we rely on the EU-US Data Privacy Framework, provided the respective provider is certified under it, and additionally on standard contractual clauses pursuant to Art. 46 GDPR.

4.6 Email communication

If you write to us by email, for instance to beta@bloomnow.ai, ace@bloomnow.ai or rh@bloomnow.ai, we process the personal data contained in your message in order to handle your request.

The legal basis is Art. 6(1)(b) GDPR (pre-contractual measures or performance of a contract) or Art. 6(1)(f) GDPR (legitimate interest in responding).

Emails are deleted once the reason for the communication no longer applies and no statutory retention obligations stand in the way.

5. Hosting and sub-processors

5.1 Hosting

Our website is delivered through Vercel Inc. (340 S Lemon Ave #4133, Walnut, CA 91789, USA) via its European edge locations. We have entered into a data processing agreement with Vercel pursuant to Art. 28 GDPR. As Vercel is a US-based company, we additionally rely on the EU-US Data Privacy Framework as well as standard contractual clauses pursuant to Art. 46 GDPR for any data transfer.

The backend infrastructure of our app (database, authentication, storage) runs on Supabase (Supabase Inc., 970 Toa Payoh North, Singapore), with servers located in Frankfurt in the AWS eu-central-1 region. Personal data of our app users is stored exclusively within the EU. We have entered into a data processing agreement with Supabase pursuant to Art. 28 GDPR. As Supabase has a US parent company, we additionally rely on the EU-US Data Privacy Framework and on standard contractual clauses pursuant to Art. 46 GDPR.

5.2 Overview of sub-processors

We use the following processors:

  • Vercel Inc. (USA) — website hosting and delivery via European edge locations
  • Supabase Inc. (Singapore; servers in EU/Frankfurt) — database, authentication and storage for the app
  • Google Ireland Ltd. (Ireland) — Google Apps Script and Gmail to manage the waitlist and send confirmation emails
  • Google Ireland Ltd. (Ireland) — Google Tag Manager, Google Analytics 4 and Google Ads for web analytics and advertising performance measurement (only after consent)
  • Mistral AI (France) — AI model for the in-app chat (activated once the corresponding part of the app launches)
  • Resend Inc. (USA) — transactional emails from the app
  • Firebase / Google LLC (USA) — push notifications for the app
  • Google LLC (USA) — Google OAuth for optional sign-in to the app

We have entered into data processing agreements pursuant to Art. 28 GDPR with all processors.

6. Transfers to third countries

Your data is only transferred to third countries (outside the EU or EEA) where this is necessary to provide the requested service, for example for embedded content from US providers, and where you have consented or another legal basis applies.

In such cases we rely on:

  • the EU-US Data Privacy Framework (for US providers that are certified under it), or
  • standard contractual clauses pursuant to Art. 46 GDPR together with supplementary technical and organizational measures.

7. Retention periods

We store personal data only for as long as required for the respective processing or as required by law:

  • Waitlist / early access: until the app launch and up to 6 months thereafter if no account is created; withdrawal possible at any time, followed by deletion within 30 days
  • App data: as long as your account exists; after account deletion, a 30-day retention period, then final deletion
  • Server logs: maximum of 30 days
  • Email communication: until the matter is resolved, maximum 3 years thereafter
  • Accounting and tax-relevant data: in line with statutory retention obligations (typically 7 years in Austria)

8. Your rights

You have the following rights against us at any time:

  • Right of access under Art. 15 GDPR: we will tell you what data we hold about you.
  • Right to rectification under Art. 16 GDPR: you can have incorrect data corrected.
  • Right to erasure under Art. 17 GDPR: you can request deletion of your data, unless statutory retention obligations apply.
  • Right to restriction of processing under Art. 18 GDPR
  • Right to data portability under Art. 20 GDPR: you will receive your data in a structured, commonly used, machine-readable format.
  • Right to object under Art. 21 GDPR: you can object at any time to processing based on legitimate interest.
  • Right to withdraw consent under Art. 7(3) GDPR: you can withdraw any consent at any time with effect for the future.

A short email to rh@bloomnow.ai is enough. We will respond within the statutory deadline of one month.

9. Right to lodge a complaint

You have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your data infringes the GDPR. The supervisory authority competent for us is:

Austrian Data Protection Authority (Datenschutzbehörde)
Barichgasse 40–42, 1030 Vienna, Austria
www.dsb.gv.at

You can also contact the supervisory authority of your place of residence or workplace.

10. Data security

We use technical and organizational measures to protect your data, in particular encryption in transit (TLS) and at rest, access restrictions within the team, contractual confidentiality obligations, and regular security reviews.

11. Automated decision-making

Automated decision-making, including profiling within the meaning of Art. 22 GDPR, does not currently take place. Recommendations and content in our app are delivered through rule-based logic that we can review and explain ourselves.

If we deploy AI-based features in the future, we will inform you separately in advance and obtain your consent where legally required.

12. Processing of special categories of data (health data)

bloomnow is aimed at families of neurodivergent children. Health-related data falls within the special categories of personal data under Art. 9 GDPR and is subject to special protection.

We currently do not process detailed neurodivergence profiles or answers from self-assessments. We are waiting until bloomnow is certified as Software as a Medical Device under EU MDR and all the required organizational and technical prerequisites are in place.

Should we process such data in the future, we will do so exclusively on the basis of your explicit consent under Art. 9(2)(a) GDPR. We will then inform you separately and transparently about the purpose, scope, and protective measures.

13. Changes to this privacy policy

We may update this privacy policy, for example when we introduce new features or when the legal situation or tools we use change. We will actively inform you of material changes, e.g. by email to registered users. The current version is always available at bloomnow.ai.

14. Contact

You can reach out to us with any privacy question at any time:

Roxane Hunot
Data Protection Contact
rh@bloomnow.ai

General enquiries: beta@bloomnow.ai