Skip to content

Privacy Policy

Last updated: 29 July 2025

This Privacy Policy describes how Bloom AI Pty Ltd (ABN: 93 671 399 107) (“we”, “our” or “us”) collects, uses, and shares your personal information when you use our website located at bloom.study and the services provided through our website, applications and services (collectively, the “Services”). It applies globally and incorporates all requirements of the EU General Data Protection Regulation (“GDPR”), the UK GDPR, the Australian Privacy Act 1988 (Cth) and other local laws where we operate.

1. What personal data we collect and why

We collect the categories of data listed below. Providing certain information is a contractual requirement: if you do not provide it, we may be unable to create your account or deliver the Services. We do not intentionally collect special‑category data.

Information You Provide to Us

We collect personal information you provide directly to us. By providing personal information to us, you consent to our storage, maintenance, use and disclosing of personal information in accordance with this privacy policy. For example, we collect information when you register for an account, use the Services, submit or post content through the Services, and if you send us customer service-related requests.

Information we collect may include:

  • Account Information: When you create an account with us, we collect information associated with your account, including your name, contact information, account credentials, payment card information, and transaction history.
  • User Content: When you use our Services, we collect Personal Data that is included in the prompts you enter, file uploads, or feedback that you provide to our Services.
  • Payment Information: If you purchase services from us, we may collect payment information for the purpose of processing payments.
  • Communication Information: If you communicate with us, we collect your name, contact information, and the contents of any messages you send.
  • Social Media Information: We have pages on social media sites like Instagram, Facebook, Medium, X, YouTube and LinkedIn. When you interact with our social media pages, we collect Personal Data that you choose to provide to us, such as your contact details. In addition, the companies that host our social media pages may provide us with aggregate information and analytics about our social media activity.

Other Information You Provide: We collect other information that you may provide to us, such as when you participate in our surveys or provide us with information to establish your age or identity.

Information We Collect Automatically

When you use our Services, we may automatically collect certain information about your device and usage of the Services. We may use cookies, log files, device identifiers, and other tracking technologies to collect such information, which may include:

  • IP address
  • Device identifier
  • Browser type and settings
  • Information about your activity on the Services (e.g., the date/time stamps associated with your usage, pages and files viewed, searches and other actions you take)

2. How We Use Information

We may use Personal Information for the following purposes:

  • to provide goods, services or information to you;
  • to communicate with you; including to send you information about our Services and events;
  • for record keeping and administrative purposes;
  • to provide information about you to our contractors, employees, consultants, agents or other third parties for the purpose of providing goods or services to you;
  • to improve and optimise our service offering and customer experience;
  • to prevent fraud, criminal activity, or misuses of our Services, and to protect the security of our IT systems, architecture, and networks;
  • to send you marketing and promotional messages and other information that may be of interest to you and for the purpose of direct marketing (in accordance with the Spam Act). In this regard, we may use email, SMS, social media or mail to send you direct marketing communications. You can opt out of receiving marketing materials from us by using the opt-out facility provided (e.g. an unsubscribe link);
  • to send you administrative messages, reminders, notices, updates, security alerts, and other information requested by you; and
  • to comply with legal obligations and legal process and to protect our rights, privacy, safety, or property, and/or that of our affiliates, you, or other third parties.

Aggregated or De-Identified Information. We may aggregate or de-identify Personal Information so that it may no longer be used to identify you and use such information to analyse the effectiveness of our Services, to improve and add features to our Services, to conduct research and for other similar purposes. In addition, from time to time, we may analyse the general behavior and characteristics of users of our Services and share aggregated information like general user statistics with third parties, publish such aggregated information or make such aggregated information generally available. We may collect aggregated information through the Services, through cookies, and through other means described in this Privacy Policy. We will maintain and use de-identified information in anonymous or de-identified form and we will not attempt to reidentify the information, unless required by law.

3. Cookies & similar technologies

We use first‑party and third‑party cookies and SDKs for essential functionality, analytics and marketing. We display a consent banner that allows you to accept, reject or customise non‑essential cookies in line with the ePrivacy Directive and GDPR. We store a hashed record of each user’s cookie preferences (date, choice, IP) to demonstrate consent. You can change or withdraw consent at any time via the “Cookie Settings” link in our footer; withdrawal is as easy as giving consent.

4. How We Share Information

In certain circumstances, we may provide your Personal Information to third parties without further notice to you, unless required by the law:

  • Vendors and Service Providers: To assist us in meeting business operations needs and to perform certain services and functions, we may provide Personal Information to vendors and service providers, including providers of hosting services, customer service vendors, cloud services, email communication software, web analytics services, and other information technology providers, among others. Pursuant to our instructions, these parties will access, process, or store Personal Information only in the course of performing their duties to us.
  • Business Transfers: If we are involved in strategic transactions, reorganization, bankruptcy, receivership, or transition of service to another provider (collectively, a “Transaction”), your Personal Information and other information may be disclosed in the diligence process with counterparties and others assisting with the Transaction and transferred to a successor or affiliate as part of that Transaction along with other assets.
  • Legal Requirements: We may share your Personal Information, including information about your interaction with our Services, with government authorities, industry peers, or other third parties (i) if required to do so by law or in the good faith belief that such action is necessary to comply with a legal obligation, (ii) to protect and defend our rights or property, (iii) if we determine, in our sole discretion, that there is a violation of our terms, policies, or the law; (iv) to detect or prevent fraud or other illegal activity; (v) to protect the safety, security, and integrity of our products, employees, or users, or the public, or (vi) to protect against legal liability.

5. Your rights

Depending on location, individuals may have certain statutory rights in relation to their Personal Information. For example, you may have the right to:

  • Access your Personal Information and information relating to how it is processed.
  • Delete your Personal Information from our records.
  • Rectify or update your Personal Information.
  • Transfer your Personal Information to a third party (right to data portability).
  • Restrict how we process your Personal Information.
  • Withdraw your consent—where we rely on consent as the legal basis for processing at any time.
  • Object to how we process your Personal Information.
  • Lodge a complaint with your local data protection authority.

To the extent applicable under local law, you can exercise privacy rights described in this section by submitting a request to [email protected].

6. Data Retention

We’ll retain your Personal Data for only as long as we need in order to provide our Service to you, or for other legitimate business purposes such as resolving disputes, safety and security reasons, or complying with our legal obligations. How long we retain Personal Data will depend on a number of factors, such as:

  • Our purpose for processing the data (such as whether we need to retain the data to provide our Services);
  • The amount, nature, and sensitivity of the data;
  • The potential risk of harm from unauthorized use or disclosure of the data;
  • Any legal requirements that we are subject to.

In some cases, the length of time we retain data depends on your settings.

7. Data Security

We implement commercially reasonable technical, administrative, and organizational measures to protect Personal Information both online and offline from loss, misuse, and unauthorized access, disclosure, alteration, or destruction. However, no Internet or email transmission is ever fully secure or error free. In particular, email sent to or from us may not be secure. Therefore, you should take special care in deciding what information you send to us via the Service or email. In addition, we are not responsible for circumvention of any privacy settings or security measures contained on the Service, or third-party websites.

We’ll retain your Personal Information for only as long as we need in order to provide our Service to you, or for other legitimate business purposes such as resolving disputes, safety and security reasons, or complying with our legal obligations. How long we retain Personal Information will depend on a number of factors, such as the amount, nature, and sensitivity of the information, the potential risk of harm from unauthorized use or disclosure, our purpose for processing the information, and any legal requirements.

8. Changes to This Policy

We may change this Privacy Policy from time to time. If we make changes, we will notify you by revising the date at the top of this policy and, in some cases, we may provide you with additional notice (such as by adding a statement to our homepage or sending you an email notification).

9. Contact Us

If you have any questions about this Privacy Policy, please contact us at: [email protected].

10. Supplementary Information for Users in the EU and the UK

Controller

Bloom AI Pty Ltd is the controller of your personal information.

Contact: 425/1 Hutchinson Walk, Zetland NSW 2017, Australia • [email protected]

Representatives in EU and UK

To make it easier for EU and UK residents to reach us, we’ve appointed a local representative. You can contact our representative, DataRep, at any of the addresses listed below.

Country Address 
Austria DataRep, City Tower, Brückenkopfgasse 1/6. Stock, Graz, 8020, Austria 
Belgium DataRep, Rue des Colonies 11, Brussels, 1000 
Bulgaria DataRep, 132 Mimi Balkanska Str., Sofia, 1540, Bulgaria 
Croatia DataRep, Ground & 9th Floor, Hoto Tower, Savska cesta 32, Zagreb, 10000, Croatia 
Cyprus DataRep, Victory House, 205 Archbishop Makarios Avenue, Limassol, 3030, Cyprus 
Czech Republic DataRep, Platan Office, 28. Října 205/45, Floor 3&4, Ostrava, 70200, Czech Republic 
Denmark DataRep, Lautruphøj 1-3, Ballerup, 2750, Denmark 
Estonia DataRep, 2nd Floor, Tornimae 5, Tallinn, 10145, Estonia 
Finland DataRep, Luna House, 5.krs, Mannerheimintie 12 B, Helsinki, 00100, Finland 
France DataRep, 72 rue de Lessard, Rouen, 76100, France 
Germany DataRep, 3rd and 4th floor, Altmarkt 10 B/D, Dresden, 01067, Germany 
Greece DataRep, Ippodamias Sq. 8, 4th floor, Piraeus, Attica, Greece 
Hungary DataRep, President Centre, Kálmán Imre utca 1, Budapest, 1054, Hungary 
Iceland DataRep, Laugavegur 13, 101 Reykjavik, Iceland 
Ireland DataRep, The Cube, Monahan Road, Cork, T12 H1XY, Republic of Ireland 
Italy DataRep, Viale Giorgio Ribotta 11, Piano 1, Rome, Lazio, 00144, Italy 
Latvia DataRep, 4th & 5th floors, 14 Terbatas Street, Riga, LV-1011, Latvia 
Liechtenstein DataRep, City Tower, Brückenkopfgasse 1/6. Stock, Graz, 8020, Austria 
Lithuania DataRep, 44A Gedimino Avenue, 01110 Vilnius, Lithuania 
Luxembourg DataRep, BPM 335368, Banzelt 4 A, 6921, Roodt-sur-Syre, Luxembourg 
Malta DataRep, Tower Business Centre, 2nd floor, Tower Street, Swatar, BKR4013, Malta 
Netherlands DataRep, Cuserstraat 93, Floor 2 and 3, Amsterdam, 1081 CN, Netherlands 
Norway DataRep, C.J. Hambros Plass 2c, Oslo, 0164, Norway 
Poland DataRep, Budynek Fronton ul Kamienna 21, Krakow, 31-403, Poland 
Portugal DataRep, Torre de Monsanto, Rua Afonso Praça 30, 7th floor, Algès, Lisbon, 1495-061, Portugal 
Romania DataRep, 15 Piaţa Charles de Gaulle, nr. 1-T, Bucureşti, Sectorul 1, 011857, Romania 
Slovakia DataRep, Apollo Business Centre II, Block E / 9th floor, 4D Prievozska, Bratislava, 821 09, Slovakia 
Slovenia DataRep, Trg. Republike 3, Floor 3, Ljubljana, 1000, Slovenia 
Spain DataRep, Calle de Manzanares 4, Madrid, 28005, Spain 
Sweden DataRep, S:t Johannesgatan 2, 4th floor, Malmo, SE – 211 46, Sweden 
Switzerland DataRep, Leutschenbachstrasse 95, ZURICH, 8050, Switzerland 
United KingdomDataRep, 107-111 Fleet Street, London, EC4A 2AB, United Kingdom

Data Protection Officer

After assessing the criteria in Article 37 GDPR, we have concluded that our processing does not require the appointment of a Data Protection Officer because Bloom AI does not engage in large‑scale processing of special‑category data, and the behavioural monitoring of students is proportionate and limited in scope. We revisit this assessment annually. You may still contact us at [email protected] or via our EU/UK representative listed above.

International data transfers

We host data primarily in Google Cloud in servers based in Australia. When personal data of EEA/UK residents is transferred outside the EEA/UK, we rely on:

  • Standard Contractual Clauses (2021) approved by the European Commission and the UK Addendum;
  • Encryption in transit and at rest;
  • Access controls & audit logging;

Legal reasons we collect and use your data (our “lawful bases”)

We process your personal data for different reasons. Here’s how that breaks down:

  • To deliver our services (e.g. set up your account, provide tutoring help): we do this because it’s necessary to perform our contract with you.
  • To prevent fraud and keep our systems safe: we rely on “legitimate interest”.
  • To send marketing emails or run analytics: we rely on your consent and you can opt out anytime.
  • To follow the law (e.g. tax rules): we do this under our “legal obligation”.
PurposeLawful basisTypical data involved
Create and manage your Bloom account; deliver tutoring responsesContract (Art 6 (1)(b))Account details, user prompts, tutoring history
Process paymentsContract (Art 6 (1)(b)) and Legal obligation (Art 6 (1)(c))Name, card tokens, transaction IDs
Prevent fraud, maintain security & integrity of our ServicesLegitimate interest (Art 6 (1)(f))IP address, device IDs, logs
Send product updates or direct marketingConsent (Art 6 (1)(a))Email address, usage segments
Analytics to improve featuresConsent (cookie banner) or Legitimate interest where permittedPseudonymised user IDs, clickstream
Comply with legal requests, tax and accounting rulesLegal obligation (Art 6 (1)(c))Any data required by law

When we rely on legitimate interest, we have carried out a three‑part test (purpose, necessity, balancing). Our interests are fraud prevention, network security and product analytics. We have concluded these interests are not overridden by your rights because:

  • data is processed in a proportionate way (pseudonymisation, IP truncation, retention limits),
  • it is expected by users of an online tutoring platform, and
  • you can object at any time under “Your Rights”.

Do we use automated decision-making or profiling?

No. While Bloom uses AI to support learning, we do not use your personal data to make automated decisions that have legal or similarly significant effects on you.

How long do we keep your data?

We keep your data only as long as needed. Here’s a quick guide:

Data categoryTypical examplesRetention rule
Account & tutoring historyLogin credentials, session transcriptsWhile account active ➞ erased 12 months after closure
Payment records (Stripe)Card tokens, invoices7 years (tax & audit)
Application & server logsIP, device IDs, error traces30 days, then aggregated
Security / fraud logsSuspicious IPs, abuse reportsUp to 24 months
Customer‑support ticketsEmails, chat transcripts3 years after last contact
De‑identified analyticsAggregate usage statsIndefinite (cannot re‑identify)

You can ask us to delete your data sooner.

International transfers

We host your data on Google Cloud servers in Australia. If you’re in the EU or UK, your data may be transferred to Australia under Standard Contractual Clauses, which are contracts approved by the European Commission. We also encrypt your data in transit and at rest, and keep logs of who accesses it. You can ask for a copy of these safeguards by emailing us.

Children’s Data

Our Services are intended for students aged 13 and above. Where required by law, we rely on parental or guardian consent for children under the applicable age of digital consent (13–16, depending on jurisdiction). In some cases, we may obtain this consent through authorised educational institutions who act on behalf of parents or guardians.

Complaints

You also have the right to lodge a complaint with your local data‑protection authority. Because we have appointed DataRep as our EU representative, you may contact any EU authority or the Irish Data Protection Commission (DPC), 21 Fitzwilliam Square South, Dublin 2, Ireland.