Bloom stores the data you need to learn or teach (your account, your conversations, the documents educators upload), encrypts it with AES-256 at rest and TLS in transit, and gives Space Owners a single switch that controls whether de-identified conversation data may be used to improve Bloom. Payments are handled by Stripe, and you can request access, export, or deletion at any time by emailing privacy@bloom.study.
This article explains what each of those things means in practice, with the exact toggle labels and policy clauses that govern them, so students, educators, and IT or legal reviewers can all answer the questions they care about most.
What Bloom stores about you
When you use Bloom, we store the categories of data set out in section 1 of the Privacy Policy:
- Account information: name, email, role (student or teacher), and password.
- Organisation information: school or institution name (for Space Owners).
- User content: conversations, prompts, file uploads, and feedback.
- Payment information: card details and billing address, “processed via Stripe; we do not store full card numbers.”
- Automatic data: IP address and approximate location, device and browser type, pages visited, and date and time of access.
Sensitive text inputs (chat messages, essays) are masked in any session recordings, and you can opt out of session replay via the Analytics toggle in your profile settings.
Encryption and infrastructure
Every piece of data Bloom stores is encrypted with industry-standard AES-256 at rest, and every connection to Bloom is protected by TLS in transit. Hosting is on Google Cloud, primarily in Australia, with flexible data residency options available for institutional customers. Bloom has been independently penetration tested by CyberCX, and meets HECVAT and CIS Benchmarks (see the Security Overview).
Is my chat used to train AI?
This is the question we hear most, and the answer depends on one switch in your Teaching Space settings: Help Improve Bloom. Space Owners control it under Teaching Space › Settings › General. The label and description in the product read, verbatim:
The defaults are different by plan:
- Free Tier: the toggle is ON by default. Space Owners may turn it OFF at any time.
- Paid Tiers: the toggle is OFF by default. Space Owners may opt in if they want to contribute to improvement.
Bloom also has a hard carve-out for under-13 Teaching Spaces. The setting “This Teaching Space may include students under 13” forces the Help Improve Bloom toggle OFF, and it cannot be turned back on while that attestation is in effect. From the in-product description: “When ON, conversations from this Space will not be used to train or improve AI models, regardless of the ‘Help Improve Bloom’ setting.”
Who can see your conversations
Conversations live inside a Teaching Space, and visibility follows that boundary:
- Other students cannot see your chat history.
- Space Owners and authorised admins in your Teaching Space may access, export, or remove content (including chat logs) generated within the space, for educational, pastoral, safeguarding, academic-integrity, and administrative purposes.
- Bloom personnel only access content for technical support, safety investigations, legal process, security incidents, quality review, and (where the toggle is ON) AI training. Access is role-based, audit-logged, and recorded with actor identity, scope, and timestamp.
- AI providers (Microsoft Azure OpenAI, OpenAI, and Google Vertex AI) receive prompts and responses to generate Outputs only. Per section 6 of the Privacy Policy: “Providers do not use your content to train their models.”
Payment data and Stripe
All Bloom subscriptions are processed through Stripe. Card numbers are entered into Stripe-hosted fields, never into Bloom directly, and Bloom stores only a Stripe customer reference plus your billing address. Invoices, receipts, and saved payment methods live in the Stripe billing portal, which you can open from Plan & Benefits › Billing. Payment records are retained for 7 years for tax and audit compliance.
Access, export, and deletion
Depending on where you live, you have rights to access, correct, delete, or export your personal data, restrict or object to processing, and withdraw consent. Two paths apply, depending on how you use Bloom:
- If you use Bloom through a school or institution: direct access, correction, and deletion requests for chat logs to your institution first. They are the data controller for that content. Bloom will liaise with them under the Data Processing Agreement.
- If you use Bloom directly (self-serve account or Guest Chat): email privacy@bloom.study, and we will action your request subject to identity verification.
Closure timelines (Privacy Policy, section 8): account and conversation data are retained while your account is active. After closure, data stays in active systems for 30 days, then is deleted. Backups are retained up to 90 days. End-user chat logs in a Teaching Space remain under the Space Owner’s custody for 30 days after their subscription ends to allow export or reactivation.
Common issues
I want to delete my data
If you signed up directly, email privacy@bloom.study. If you joined a school’s Teaching Space, contact the school first; they own the chat logs. You can also close your account from your profile, which starts the 30-day deletion clock automatically.
Is my chat used to train AI?
Only if your Space Owner has the Help Improve Bloom toggle ON. On paid plans this is OFF by default. On free accounts it is ON by default and can be switched off at any time. AI providers (OpenAI, Azure OpenAI, Vertex AI) do not use your content to train their models.
Can my teacher read my conversations?
Yes, within their Teaching Space. Teachers, school administrators, and Space Owners can read, download, export, or delete chat logs in their space for educational and safeguarding reasons. This does not extend to other Teaching Spaces or to other students’ private accounts.
Where is my data stored?
Primarily on Google Cloud in Australia. Institutional customers can request alternative data regions. International transfers (for example, to EU or UK users) are covered by Standard Contractual Clauses and the UK International Data Transfer Addendum.
What’s next
- For technical detail, certifications, and pen-testing results, see the Security Overview.
- For the full legal text, including children’s data, EU/UK supplementary information, and retention schedules, read the Privacy Policy.
- Institutional reviewers can request the Data Processing Agreement covering FERPA, COPPA, GDPR, and student data privacy.
- For specific privacy questions, contact privacy@bloom.study. For security questionnaires (HECVAT, CIS Benchmarks), contact hi@bloom.study.