Privacy Policy
Last updated: June 21, 2026
We take the protection of your data seriously. In this privacy policy we explain transparently what data we process, what we use it for, and what rights you have. If you have any questions, reach out to us at any time.
1. Data controller
The data controller responsible for the processing of personal data within the meaning of Art. 4(7) GDPR is:
bloomnow (in the process of incorporation as bloomnow FlexCo)
represented by Anna Christine Enzinger
Unter Bregarten 22/1
2482 Münchendorf, Austria
Email: ace@bloomnow.ai
As soon as bloomnow FlexCo is registered in the Austrian commercial register, responsibility will transfer to the FlexCo. We will update this policy accordingly.
2. Data protection contact
Roxane Hunot, co-founder of bloomnow, is the internal point of contact for all data protection matters.
Email: rh@bloomnow.ai
You can address any question about the processing of your data directly to her.
3. General principles
We only process personal data to the extent necessary to provide our website and services and to fulfil legal obligations. Processing is carried out only on one of the following legal bases under Art. 6(1) GDPR:
- (a) consent
- (b) performance of a contract or pre-contractual measures
- (c) compliance with a legal obligation
- (f) legitimate interests
For special categories of personal data within the meaning of Art. 9 GDPR (e.g. health data) we process data exclusively on the basis of your explicit consent pursuant to Art. 9(2)(a) GDPR.
4. Processing activities in detail
4.1 Visiting the website (server logs)
When you visit our website, our hosting provider automatically records technical data that your browser transmits:
- IP address (shortened or anonymized where technically possible)
- date and time of the request
- page or file requested
- browser and operating system used
- referrer URL
This data is processed to provide the website technically, to ensure its stability and security and to defend against attacks. The legal basis is Art. 6(1)(f) GDPR (legitimate interest). Server logs are deleted after a maximum of 30 days.
4.2 Cookies and consent management
We use cookies on our website, small text files stored in your browser. We distinguish between:
- Strictly necessary cookies required for the website to function. Legal basis: Art. 6(1)(f) GDPR.
- Optional cookies (e.g. for web analytics or embedded content) that are only set with your consent. Legal basis: Art. 6(1)(a) GDPR.
Optional cookies (in particular for web analytics and audience measurement, and for measuring advertising performance) are only set after you have consented via our cookie banner. We do not use a third-party tool for this, but a lightweight in-house consent solution combined with Google Consent Mode v2. Until you consent, analytics- and advertising-related storage access (in particular cookies) remains disabled; in this state Google services run without cookies and without recognising you.
We store your choice locally in your browser (localStorage) so the banner does not reappear on every visit. You can withdraw or adjust any consent given at any time, with effect for the future, via the "Cookie settings" link in the footer of every page. Withdrawing is as easy as giving consent.
4.3 Web analytics and marketing (Google services)
On the basis of your consent (Art. 6(1)(a) GDPR) we use the following services provided by Google Ireland Ltd. (Gordon House, Barrow Street, Dublin 4, Ireland; parent company Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). You can withdraw your consent at any time via "Cookie settings" in the footer.
Google Tag Manager. We use Google Tag Manager to deliver the tags (scripts) below in a managed way. Tag Manager itself does not set cookies and does not collect personal data for analytics purposes; it only controls the consent-based loading of the other services.
Google Analytics 4. We use Google Analytics 4 to understand how our website is used (e.g. pages visited, time on page, approximate location, device and browser information). A pseudonymous identifier (client ID) and your truncated IP address are processed; we do not directly attribute this to you. We operate Google Analytics with IP truncation enabled and without combining it with other data sources.
Google Ads (conversion tracking and remarketing). We measure the performance of our ads (e.g. whether a sign-up follows an ad click) and may serve advertising on that basis. Google may set cookies for this purpose if you have consented.
The data collected by these services may be transferred to the USA. For this we rely on the EU-US Data Privacy Framework (Google LLC is certified) and additionally on standard contractual clauses pursuant to Art. 46 GDPR. For more information, see Google's privacy policy at policies.google.com/privacy.
4.4 Launch pre-registration
The bloomnow app is in a closed beta. When you pre-register for the launch, we process the following data in order to inform you about the public launch of bloomnow and to send you a confirmation:
- name (optional)
- email address
- language preference (German or English)
- time of sign-up
After pre-registering you receive a confirmation email. The legal basis is your consent under Art. 6(1)(a) GDPR. You can withdraw your pre-registration at any time by sending a message to rh@bloomnow.ai. After you withdraw, we delete your data within 30 days, unless a statutory retention obligation applies.
To manage pre-registrations we store the data in our database at Supabase (servers in Frankfurt, EU); the confirmation email is sent via our processor Resend Inc. (USA). You can find more about both providers in section 6.
In addition, for each pre-registration we record how it came about (such as the category of the referring site or an anonymous campaign code from a tracking link) and the approximate country of origin (only the two-letter country code, without storing the IP address). We evaluate this only in aggregate, to understand which channels work. The legal basis is our legitimate interest in effective reach measurement under Art. 6(1)(f) GDPR.
4.5 Embedded videos and social embeds
Our website contains embedded YouTube videos (e.g. introduction videos and voices from our advisory board). When you click the video thumbnail we load the YouTube player and your browser establishes a connection to YouTube's servers, transmitting at least your IP address.
Providers and possible transfers to third countries:
- YouTube: Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland; parent company Google LLC, USA
The legal basis is your consent under Art. 6(1)(a) GDPR, which you give by clicking the thumbnail. For transfers to the United States we rely on the EU-US Data Privacy Framework, provided the respective provider is certified under it, and additionally on standard contractual clauses pursuant to Art. 46 GDPR.
4.6 Email communication
If you write to us by email, for instance to beta@bloomnow.ai, ace@bloomnow.ai or rh@bloomnow.ai, we process the personal data contained in your message in order to handle your request.
The legal basis is Art. 6(1)(b) GDPR (pre-contractual measures or performance of a contract) or Art. 6(1)(f) GDPR (legitimate interest in responding).
Emails are deleted once the reason for the communication no longer applies and no statutory retention obligations stand in the way.
4.7 Own cookieless reach measurement
To understand how many people visit our website and which channels bring them to us, we run our own lightweight reach measurement. On each page view we store an anonymous record in our database at Supabase (servers in Frankfurt, EU): the page visited, the category of the referring source (e.g. a search engine, a social network, or an anonymous campaign code from a tracking link) and the approximate country of origin.
This measurement works without cookies and without recognising you across visits. We set no identifiers, build no user profiles and store no IP address: the country is derived from the IP address by our hosting provider (Vercel) and passed to us only as a two-letter country code; we do not otherwise process the IP address for this. Only anonymous aggregate statistics result, and no conclusions about you as a person are possible. The legal basis is our legitimate interest in privacy-friendly reach measurement under Art. 6(1)(f) GDPR.
4.8 bloomie chat on the website
Through the bloomie window on our website you can ask questions about bloomnow. Your chat input is transmitted to our processor Mistral AI (France, processing within the EU; see section 6.2) to generate responses and is stored together with the responses in our database at Supabase (servers in Frankfurt, EU), so an ongoing conversation can be continued. Your input is not used to train AI models. bloomie is labelled as AI, answers only questions about bloomnow, does not provide diagnoses and makes no automated decisions with legal effect (Art. 22 GDPR). To protect against abuse we store, per chat session, only a salted check value (hash) that cannot be traced back to you, instead of your IP address. If you voluntarily leave your name and email address to be contacted by our team, we process these to answer your enquiry. Please do not enter health data or other particularly sensitive information in the chat.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in answering your enquiry and secure operation); where you actively contact us, Art. 6(1)(b) GDPR.
5. Data processing in the bloomnow app
The following processing activities relate to the bloomnow app (iOS, Android, web app). All app data is stored in our database at Supabase, with servers located in Frankfurt (AWS eu-central-1), within the EU.
5.1 Account and profile
When you register, we process your email address, your name and, optionally, a profile picture. You can sign in with email/password or via Google OAuth (Google LLC, USA); when you sign in with Google we receive the email address and name stored with Google. For the community you can use an alias and a separate community avatar, so your real name does not have to be visible there.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract).
Retention period: until you delete your account.
5.2 App settings
We store your settings (e.g. color mode, language, text size, notification preferences) to make them available across your devices.
Legal basis: Art. 6(1)(b) GDPR.
5.3 Self-care features (health data)
If you use features such as the mood diary (mood, sleep quality, tags, notes), wins, or saved tools, we process the content you enter. This information can allow conclusions about your health and therefore constitutes special categories of personal data (Art. 9 GDPR).
Legal basis: your explicit consent (Art. 9(2)(a) GDPR), which you can withdraw at any time with effect for the future, by deleting the content or your account in the app.
5.4 Questionnaires and self-assessments
The app offers questionnaires (e.g. about your family situation) and an ADHD-oriented self-screening. We store your answers and the results calculated from them in order to recommend suitable content and display your results. The tests are not diagnostic instruments and do not replace professional assessment. Information you provide may also relate to your child; it is entered exclusively by you as the parent or legal guardian; children do not have their own access to the app.
Legal basis: your explicit consent (Art. 9(2)(a) GDPR), which you give before your first questionnaire and can withdraw at any time.
5.5 bloomie (AI assistant)
bloomie is an AI-powered assistant. Your chat input is transmitted to our processor Mistral AI (France, processing within the EU) to generate responses and is stored together with the responses as a conversation history in your account, so you can continue earlier conversations. Your input is not used to train AI models. bloomie is expressly labelled as AI in the app, does not provide diagnoses and does not make automated decisions with legal effect (Art. 22 GDPR). You can delete conversation histories in the app; when you delete your account they are removed entirely.
Legal basis: Art. 6(1)(b) GDPR; insofar as you enter health-related content, your explicit consent (Art. 9(2)(a) GDPR).
5.6 Community and direct messages
Posts, comments and reactions in the community are visible to other signed-in users (under your community alias, if set). Direct messages are visible only to you and the respective recipient. We store this content until you delete it or your account.
Legal basis: Art. 6(1)(b) GDPR.
5.7 Push notifications
If you enable push notifications, we store a device token and send messages via Firebase Cloud Messaging (Google LLC, USA; transfer based on the EU-US Data Privacy Framework and standard contractual clauses). You can disable push at any time in the app or in your system settings; the token is removed when you delete your account.
Legal basis: Art. 6(1)(a) GDPR (consent).
5.8 Appointments, reminders and travel time
The appointments feature lets you create appointments and reminders, including by dictating them with your voice or having them recognized from a photo or screenshot, and shows you a daily overview ("Now & Next"). We store the content you enter (title, date, time, location, notes) in your account. We process voice and image recognition solely to create an appointment from it; processing takes place on our EU infrastructure (Supabase, Frankfurt) or, where AI is involved, via the processor named in section 5.5.
When you ask for the travel time for an appointment, we transmit the appointment's location to two European map services: Photon (operated by Komoot GmbH, Germany) for geocoding, i.e. converting the address into coordinates, and Valhalla (provided by FOSSGIS e. V. based on OpenStreetMap, Germany) for route and travel-time calculation. Only the location data needed for the calculation is transmitted, without any user identifier and without any link to your account. Processing takes place within the EU; no transfer to a third country occurs.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract); the travel-time calculation only happens at your request.
5.9 Usage and crash analytics (optional)
To improve the app we may analyse how the app is used and diagnose technical crashes, but only if you actively opt in. Without your consent, analytics is disabled (default) and nothing is collected. You can withdraw your consent at any time in your profile; collection then stops immediately. Only pseudonymous usage events and device/app metadata are collected, not the content of your entries or conversations. We use three separate building blocks for this, which we deliberately list separately here:
- Product and usage analytics (PostHog). To understand how the app is used (e.g. which tools are opened, onboarding steps, progress through the purchase funnel) we use PostHog in the EU cloud (processed in the EU region via eu.i.posthog.com). Only pseudonymous usage events and pseudonymous device and app metadata are collected. No personal plain-text data (PII) and no advertising or cross-app IDs are transmitted; there is no session replay and no automatic capture of interactions (autocapture). As PostHog processes in the EU region, no transfer to a third country takes place.
- Crash diagnostics (Firebase Crashlytics). For crash reports we use Firebase Crashlytics (Google LLC, USA; transfer based on the EU-US Data Privacy Framework and standard contractual clauses). Firebase is no longer used for usage analytics; Google Analytics 4 / Firebase Analytics are no longer used in the app.
- In-house event statistics (self-operated). Independently of PostHog, we run a lightweight, self-operated event statistic on our own EU infrastructure (Supabase, servers in Frankfurt). It is technically and organizationally separate from PostHog — neither covers the other.
Legal basis: Art. 6(1)(a) GDPR (consent).
5.10 Beta testing
During the beta phase we additionally process: (a) your beta feedback (content, time, app version) in order to improve the app, and (b) your acceptance of the beta participation terms (time and text version) in order to be able to demonstrate that consent was given (Art. 7(1) GDPR).
Legal basis: Art. 6(1)(b) and (f) GDPR (interest in record-keeping and improvement).
5.11 Data export and account deletion
You can exercise both rights directly in the app (Profile → "Export data" or "Delete account"). The export is sent to your verified account email address as a machine-readable file (sent via our processor Resend Inc., USA). Account deletion immediately and irreversibly removes all your data from our database, including your profile, diary and test data, conversation histories, community content and direct messages. Residual copies in encrypted backups expire automatically after the backup retention period. As proof of deletion we store only an anonymous check value (hash) with a timestamp that cannot be traced back to you.
6. Hosting and sub-processors
6.1 Hosting
Our website is delivered through Vercel Inc. (340 S Lemon Ave #4133, Walnut, CA 91789, USA) via its European edge locations. We have entered into a data processing agreement with Vercel pursuant to Art. 28 GDPR. As Vercel is a US-based company, we additionally rely on the EU-US Data Privacy Framework as well as standard contractual clauses pursuant to Art. 46 GDPR for any data transfer.
The backend infrastructure of our app (database, authentication, storage) runs on Supabase (Supabase Inc., 970 Toa Payoh North, Singapore), with servers located in Frankfurt in the AWS eu-central-1 region. Personal data of our app users is stored exclusively within the EU. We have entered into a data processing agreement with Supabase pursuant to Art. 28 GDPR. As Supabase has a US parent company, we additionally rely on the EU-US Data Privacy Framework and on standard contractual clauses pursuant to Art. 46 GDPR.
6.2 Overview of sub-processors
We use the following processors:
- Vercel Inc. (USA): website hosting and delivery via European edge locations
- Supabase Inc. (Singapore; servers in EU/Frankfurt): database, authentication and storage for the app, and for the website's launch pre-registrations
- Google Ireland Ltd. (Ireland): Google Tag Manager, Google Analytics 4 and Google Ads for web analytics and advertising performance measurement (only after consent)
- PostHog (EU cloud, EU region): product and usage analytics in the app (only after consent; no PII, no advertising tracking, no session replay; see section 5.9)
- Mistral AI (France, processing within the EU): AI model for bloomie, the AI assistant in the app (see section 5.5)
- Komoot GmbH / Photon (Germany): geocoding of location data for the app's travel-time feature (only at your request; see section 5.8)
- FOSSGIS e. V. / Valhalla (Germany, based on OpenStreetMap): route and travel-time calculation for the app's travel-time feature (only at your request; see section 5.8)
- Dynatrace (EU region): technical monitoring and error diagnosis of our server functions (observability/tracing) to ensure stability and performance; only technical telemetry metadata is processed (function name, request method, response status, error messages), no content of your input, no health data and no IP address
- Resend Inc. (USA): transactional emails from the app and confirmation emails for the launch pre-registration
- Firebase / Google LLC (USA): push notifications (Cloud Messaging) and crash diagnostics (Crashlytics) for the app
- Google LLC (USA): Google OAuth for optional sign-in to the app
We have entered into data processing agreements pursuant to Art. 28 GDPR with all processors.
7. Transfers to third countries
Your data is only transferred to third countries (outside the EU or EEA) where this is necessary to provide the requested service, for example for embedded content from US providers, and where you have consented or another legal basis applies.
In such cases we rely on:
- the EU-US Data Privacy Framework (for US providers that are certified under it), or
- standard contractual clauses pursuant to Art. 46 GDPR together with supplementary technical and organizational measures.
8. Retention periods
We store personal data only for as long as required for the respective processing or as required by law:
- Launch pre-registration: until the public app launch and up to 6 months thereafter if no account is created; withdrawal possible at any time, followed by deletion within 30 days
- App data: as long as your account exists; when you delete your account, all your data is deleted immediately and cascadingly from our database; residual copies remain only in encrypted backups until our hosting provider's backup retention period expires
- Server logs: maximum of 30 days
- Email communication: until the matter is resolved, maximum 3 years thereafter
- Accounting and tax-relevant data: in line with statutory retention obligations (typically 7 years in Austria)
9. Your rights
You have the following rights against us at any time:
- Right of access under Art. 15 GDPR: we will tell you what data we hold about you.
- Right to rectification under Art. 16 GDPR: you can have incorrect data corrected.
- Right to erasure under Art. 17 GDPR: you can request deletion of your data, unless statutory retention obligations apply. You can delete your account and all associated data yourself at any time, even without the app, at bloomnow.ai/en/delete-account.
- Right to restriction of processing under Art. 18 GDPR
- Right to data portability under Art. 20 GDPR: you will receive your data in a structured, commonly used, machine-readable format.
- Right to object under Art. 21 GDPR: you can object at any time to processing based on legitimate interest.
- Right to withdraw consent under Art. 7(3) GDPR: you can withdraw any consent at any time with effect for the future.
You can also exercise access or data portability and erasure directly in the app: Profile → "Export data" or "Delete account" (see section 5.11).
A short email to rh@bloomnow.ai is enough. We will respond within the statutory deadline of one month.
10. Right to lodge a complaint
You have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your data infringes the GDPR. The supervisory authority competent for us is:
Austrian Data Protection Authority (Datenschutzbehörde)
Barichgasse 40–42, 1030 Vienna, Austria
www.dsb.gv.at
You can also contact the supervisory authority of your place of residence or workplace.
11. Data security
We use technical and organizational measures to protect your data, in particular encryption in transit (TLS) and at rest, access restrictions within the team, contractual confidentiality obligations, and regular security reviews.
12. Automated decision-making
Our app includes bloomie, an AI-powered assistant (see section 5.5). However, no automated decisions with legal effect or similarly significant impact within the meaning of Art. 22 GDPR take place, neither through bloomie nor anywhere else in the app. Recommendations and content serve solely to inform and support you.
13. Processing of special categories of data (health data)
bloomnow is aimed at families of neurodivergent children. Health-related data falls within the special categories of personal data under Art. 9 GDPR and is subject to special protection.
We process such data exclusively on the basis of your explicit consent under Art. 9(2)(a) GDPR. This applies in particular to the self-care features (e.g. the mood diary), questionnaires and self-assessments, and health-related content you share with bloomie; see sections 5.3 to 5.5 for details. You can withdraw your consent at any time with effect for the future, for example by deleting the respective content or your account in the app.
14. Changes to this privacy policy
We may update this privacy policy, for example when we introduce new features or when the legal situation or tools we use change. We will actively inform you of material changes, e.g. by email to registered users. The current version is always available at bloomnow.ai.
15. Contact
You can reach out to us with any privacy question at any time:
Roxane Hunot
Data Protection Contact
rh@bloomnow.ai
General enquiries: beta@bloomnow.ai