Privacy Policy
Last updated: March 2026
Bloom Practice Ltd ("Bloom", "we", "us", "our") is committed to protecting your privacy. This policy explains how we collect, use, store, and protect your personal data when you use our practice management platform at trybloom.co.uk.
We are registered in England and Wales (Company No. 17092851) with our registered office at 128 City Road, London, EC1V 2NX. We are the data controller for the personal data described in this policy.
Who this policy applies to
This policy applies to two types of users:
- Practitioners - therapists and counsellors who create a Bloom account to manage their practice.
- Clients - individuals whose therapist uses Bloom to manage appointments, notes, and other practice administration.
What data we collect
From practitioners
When you sign up and use Bloom, we collect:
- Your name, email address, and phone number
- Your practice name, address, and website
- Your professional details (session types, fees, availability)
- Your Stripe Connect account details (for payment processing)
- Your profile photo and practice logo (if uploaded)
- Technical data: IP address, browser type, device information
- Usage data: pages visited, features used, session duration
From clients
When your therapist uses Bloom to manage your care, we may process:
- Your name, email address, and phone number
- Appointment dates, times, and session types
- Payment records and amounts
- Your signed counselling agreement
- Any information you provide through the booking form
Session notes
Your therapist may write session notes about your appointments. These notes are encrypted with AES-256 before they are stored. We cannot read, access, or decrypt session notes. Only the therapist who wrote them can access them.
How we use your data
We use practitioner data to:
- Provide and maintain the Bloom platform
- Process your account registration and authentication
- Send transactional emails (booking confirmations, reminders, payment receipts)
- Improve the platform based on usage patterns
- Communicate with you about your account or our services
We use client data to:
- Facilitate appointment booking and management on behalf of your therapist
- Send appointment confirmations and reminders
- Process payment information on behalf of your therapist
- Deliver signed counselling agreements
We do not use your data to:
- Train AI models
- Sell to third parties
- Target advertising
- Profile you for marketing purposes
Legal basis for processing
We process personal data on the following legal bases under UK GDPR:
- Contract performance - to provide the Bloom service to practitioners who have signed up
- Legitimate interests - to improve our platform and communicate with users about their accounts
- Consent - where clients consent to their data being processed as part of their therapist's practice (managed through the counselling agreement between therapist and client)
Data storage and security
All data is stored on servers located within the European Union.
We protect your data with:
- AES-256 encryption for session notes (the same standard used by banks)
- HTTPS encryption for all data in transit
- Secure password hashing using Argon2
- HTTP-only session cookies
- Rate limiting on public endpoints
- Regular security reviews
We use the following third-party services to operate Bloom:
| Service | Purpose | Location |
|---|---|---|
| Hetzner | Server hosting | Germany (EU) |
| Vercel | Frontend hosting | EU edge nodes |
| Cloudflare | DNS, CDN, file storage | Global (EU data region) |
| Resend | Transactional email delivery | EU |
| Stripe | Payment processing | EU/US (PCI compliant) |
| PostHog | Product analytics | EU |
| Zoom | Video consultations (if connected) | US (therapist-initiated) |
Each of these providers has its own privacy policy and data processing agreements in place with Bloom.
Data retention
We retain your data for as long as your account is active. Specifically:
- Practitioner accounts: Data is retained while your subscription is active. If you cancel, your data is retained for 30 days to allow reactivation, then permanently deleted.
- Client records: Retained according to your therapist's data retention policy. Therapists can archive and delete client records at any time. Archived records are soft-deleted (retained but hidden) and can be permanently deleted on request.
- Session notes: Retained as long as the associated client record exists. Encrypted at rest and only accessible by the authoring therapist.
- Signed agreements: Retained for the duration of the therapeutic relationship plus 6 years (in line with BACP record-keeping guidance), unless your therapist deletes them sooner.
- Technical logs: Server logs are retained for 30 days, then automatically deleted.
Your rights
Under UK GDPR, you have the right to:
- Access - request a copy of your personal data
- Rectification - ask us to correct inaccurate data
- Erasure - ask us to delete your data (subject to legal retention requirements)
- Restriction - ask us to restrict processing of your data
- Portability - receive your data in a machine-readable format
- Object - object to processing based on legitimate interests
To exercise any of these rights, email us at hello@trybloom.co.uk. We will respond within one month.
For clients: Your therapist is the data controller for your therapy records. If you want to access, correct, or delete the records your therapist holds about you, please contact your therapist directly. Bloom processes this data on your therapist's behalf (as a data processor).
Cookies
We use the following cookies:
- bloom_session - authentication cookie, essential for the service to function. HTTP-only, secure, 7-day expiry with sliding renewal on activity.
- PostHog analytics - anonymous usage analytics to help us improve the platform. Only active in production. No personal data is collected through analytics.
We do not use advertising cookies, tracking pixels, or third-party marketing cookies.
Children
Bloom is not designed for use by anyone under 18. We do not knowingly collect personal data from children. If a therapist works with clients under 18, the therapist is responsible for obtaining appropriate parental consent.
Changes to this policy
We may update this policy from time to time. We will notify practitioners of significant changes by email. The "last updated" date at the top of this page will always reflect the most recent version.
Data breaches
In the event of a personal data breach that poses a risk to individuals, we will notify the ICO within 72 hours and notify affected users without undue delay, in accordance with UK GDPR requirements.
Contact us
If you have questions about this privacy policy or how we handle your data:
Email: hello@trybloom.co.uk
Address: Bloom Practice Ltd, 128 City Road, London, EC1V 2NX
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk if you believe your data has been handled improperly.