Privacy Policy

1. What personal data we collect

We collect the categories of data listed below. Providing certain information is necessary to create your account and use the Services. We do not intentionally collect special-category data (e.g., health, religion, ethnicity).

Information you provide

• Account information: Name, email address, role (student/teacher), and password when you create an account.
• Organisation information: School or institution name (for Space Owners).
• Payment information: Card details and billing address (processed via Stripe; we do not store full card numbers).
• User content: Conversations, prompts, file uploads, and feedback you provide to the Services.
• Communication: Messages you send to our support team.

Information collected automatically

• IP address and approximate location
• Device and browser type
• Pages visited and features used
• Date and time of access
• Session recordings of clicks, scrolls, and navigation (sensitive text inputs are masked; you can opt out via profile settings)

2. How we use your information

We use your personal information to:

• Provide and operate the Services;
• Process payments and manage subscriptions;
• Communicate with you about your account and the Services;
• Provide customer support;
• Improve and develop the Services (see Section 3);
• Prevent fraud and maintain security;
• Send marketing communications (with your consent; you can opt out anytime);
• Comply with legal obligations.

Aggregated and irreversibly anonymised data

We may aggregate or irreversibly anonymise personal information so that it no longer relates to an identified or reasonably identifiable individual. We use such data for analytics, research, benchmarking, and product improvement, and we do not attempt to re-identify it.

5. Cookies & similar technologies

We use cookies and similar technologies for essential functionality, analytics, and marketing. Our cookie banner allows you to accept, reject, or customise non-essential cookies.

We also use session recording tools (classified as analytics) to replay anonymised user interactions such as clicks, scrolls, and navigation. Sensitive text inputs (e.g., chat messages, essays) are masked in recordings. Session recording and other non-essential analytics are active only where you have provided any consent required by applicable law through our cookie banner or privacy controls. Refusing consent does not prevent access to the core Service. You can withdraw consent at any time via the Analytics toggle in your profile settings, the "Cookie Settings" link in our footer, or by contacting privacy@bloom.study.

Children and school-managed accounts.High-privacy defaults apply: non-essential analytics and session replay are disabled for users accessing Bloom through a Teaching Space the Space Owner has configured as potentially including users under 13, unless enabled in a manner permitted by applicable law and the Institution's configuration.

You can change or withdraw consent at any time via the "Cookie Settings" link in our footer. Withdrawal is as easy as giving consent.

6. How we share information

We may share your personal information with:

• Service providers: Hosting (Google Cloud), payment processing (Stripe), analytics, and customer support vendors. These parties process data only on our instructions.
• AI providers: We transmit prompts and AI responses to third-party AI providers (Microsoft Azure OpenAI Service, OpenAI, and Google Vertex AI) solely to generate Outputs. Providers do not use your content to train their models. Providers may retain transmitted content for a limited period for abuse-monitoring and safety purposes in accordance with their published policies, accessible only to authorised provider personnel; content is not shared with other customers. Where Bloom has configured enhanced privacy options with a provider (such as zero-retention or no-abuse-monitoring endpoints), different retention applies. See each provider's published policies for details: OpenAI, Azure OpenAI, Google Vertex AI.
• Space Owners: If you are an End User, your Space Owner and its authorised administrators may access, use, download, export, disclose, share, restrict, and remove your content (including Chat Logs) generated within their Teaching Space, for educational, pastoral, safeguarding, academic-integrity, and administrative purposes.
• Business transfers: In connection with a merger, acquisition, or sale of assets.
• Legal requirements: When required by law or to protect our rights, safety, or property.

Bloom internal access

Authorised Bloom personnel may access your content only for the following purposes:

• Technical support: diagnosing issues reported by you or on your behalf;
• Safety: investigating safety concerns, suspected breaches of our Terms, or suspected unlawful conduct;
• Legal process: responding to valid subpoenas, court orders, and lawful regulatory requests;
• Security: detecting, investigating, and responding to security incidents;
• Quality review: reviewing AI responses for safety, accuracy, and product reliability; and
• Training (Toggle-gated): where the Improvement Data Toggle is ON for the relevant Teaching Space, training and evaluating our AI models (see Section 3).

Access is restricted to authorised personnel, subject to role-based access controls, internal confidentiality obligations, and audit logging. Exports of Chat Logs for operational purposes are recorded with actor identity, scope, and timestamp. Bloom personnel do not browse, read, or monitor Chat Logs outside the purposes listed above.

7. Your rights

Depending on your location, you may have the right to:

• Access your personal data;
• Correct inaccurate data;
• Delete your data;
• Export your data (portability);
• Restrict or object to certain processing;
• Withdraw consent (where we rely on consent);
• Lodge a complaint with your local data protection authority.

To exercise these rights, contact us at privacy@bloom.study.

End Users in Institution Teaching Spaces should direct access, correction, and deletion requests relating to Chat Logs generated in that Teaching Space to the Institution in the first instance, as the Institution is the data controller. If you contact Bloom directly, we will acknowledge your request and, subject to identity verification, liaise with the Institution to action it in accordance with our Data Processing Agreement.

End Users in self-serve Teaching Spaces, account data, and Guest Chat users may request access, correction, or deletion directly from Bloom by contacting privacy@bloom.study, subject to identity verification.

8. Data retention

We retain your data only as long as needed for the purposes described in this policy. Here's how long we typically keep different types of data:

You can request deletion of your data sooner by contacting us. We may retain some data as required by law.

9. Data security

We implement appropriate technical and organisational measures to protect your data, including:

• Encryption in transit (TLS) and at rest;
• Access controls and authentication;
• Regular security assessments;
• Employee training on data protection.

However, no system is completely secure. Please use strong passwords and notify us immediately if you suspect unauthorised access to your account.

10. Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of material changes by updating the date at the top and, for significant changes, by email or in-app notification.

11. Contact us

If you have questions about this Privacy Policy or want to exercise your rights, contact us at:

Bloom AI Pty Ltd ACN 671 399 107
Email: privacy@bloom.study
Address: 56 Dennis St, Lakemba NSW 2195, Australia