Blooming AIBlooming

Privacy Policy

Last Updated: January 3, 2026

Effective Date: January 3, 2026

1. Introduction

Welcome to Blooming AI ("we," "our," or "us"). This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our educational AI-powered platform (the "Service"). This policy is designed to comply with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

Important Notice: This Privacy Policy is subject to updates and modifications. We are continuously improving our compliance documentation and will update this policy with additional details and clarifications. Your continued use of the Service after any modifications constitutes acceptance of the updated Privacy Policy.

By using our Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.

2. Data Controller Information

Blooming AI
Location: Estonia
Supervisory Authority: Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)

For privacy-related inquiries, data subject requests, or data breach notifications, please contact us at: alex@tryblooming.ai

3. Information We Collect

3.1 Information You Provide Directly

We collect only the following personal data from you:

  • Email Address: Required for account creation, authentication, and communications
  • Payment Information: Processed exclusively through Stripe (our third-party payment processor). We do not store, process, or have access to your credit card information, bank details, or other payment credentials

3.2 Information Generated Through Service Use

  • Learning Data: We store your learning history, course progress, activity completions, and educational achievements in our secure European-based database (Supabase). This data is stored solely to provide you with access to your learning journey and progress tracking
  • User-Generated Content: We store prompts, conversations, answers to activities, and other content you create while using the Service. This content is stored in our European database to enable core functionality and allow you to access your historical interactions
  • AI Interactions: Records of your interactions with our AI tutoring and educational features

3.3 Analytics Data

We use PostHog for analytics purposes. By default, all analytics data is fully anonymized and cannot be traced back to you. We do not use cookies for analytics. We do not collect IP addresses, email addresses, or user identifiers unless you explicitly grant us permission through your account settings. You may revoke this permission at any time, and analytics collection will immediately cease for your account.

4. How We Use Your Information

We use your information for the following purposes:

  • Service Delivery: To provide, maintain, and improve our educational AI platform
  • Account Management: To create and manage your account, authenticate access, and provide customer support
  • Educational Content Generation: To generate personalized curricula, learning activities, tutoring sessions, and educational materials
  • Progress Tracking: To store and display your learning history, achievements, and course progress
  • Communication: To send transactional emails (password resets, account notifications) and, with your explicit consent, marketing and educational communications
  • Analytics: To understand platform usage patterns and improve our Service (only with your explicit consent and using fully anonymized data)
  • Legal Compliance: To comply with applicable laws, regulations, and legal processes

5. Use of Artificial Intelligence and Third-Party Large Language Models

5.1 AI-Powered Features

Our Service is AI-native and relies extensively on artificial intelligence, including third-party Large Language Models (LLMs), to deliver educational content and features. We use AI for:

  • Generating educational curricula and learning tracks
  • Creating and customizing learning activities
  • Reviewing and providing feedback on user answers
  • Conducting AI tutoring sessions
  • Facilitating conversational learning activities (e.g., Feynman technique, role-plays)
  • Generating educational content and materials

5.2 Third-Party LLM Providers

We utilize multiple third-party LLM providers, including but not limited to:

  • OpenAI (ChatGPT)
  • Anthropic (Claude)
  • Google (Gemini)
  • DeepSeek
  • Mistral AI

Critical Privacy Protection: We do NOT send personal data (such as your name, email address, payment information, or identifiable user account information) to any third-party LLM providers. These services are used exclusively to process educational content and learning materials. Your learning history, personal identifiers, and account information remain in our European-based secure database and are never transmitted to LLM providers.

5.3 International Data Transfers for AI Processing

Some of our third-party LLM providers are located outside the European Economic Area (EEA), including in the United States and China (DeepSeek). However, because we do not transmit personal data to these providers, these transfers do not constitute transfers of personal data under GDPR Article 44 and subsequent provisions.

Important: All LLM providers, regardless of location, are used exclusively for processing educational content. We implement technical measures to ensure that no personal identifiers, account information, or user metadata is transmitted to any LLM provider. Only the educational subject matter of your queries is processed.

The content processed by these LLMs consists solely of:

  • Educational subject matter and learning content
  • Anonymized learning activity data
  • Course materials and curricula
  • User-generated prompts and conversations (which you are responsible for ensuring do not contain personal data—see Section 5.4)

5.4 User Responsibility for Prompts and Conversations

IMPORTANT WARNING: When using open-ended AI features (such as tutoring sessions, conversational activities, and custom prompts), you are responsible for ensuring that you do NOT input personal data into these interactions.

Personal data includes but is not limited to:

  • Your full name, email address, phone number, or physical address
  • Names or identifying information about other individuals
  • Financial information, health information, or other sensitive personal details
  • Any information that could directly or indirectly identify you or another person

By using our AI-powered features, you acknowledge and agree that:

  1. Any personal data you voluntarily include in prompts or conversations may be processed by third-party LLM providers located outside the EEA
  2. You are solely responsible for the content you input into AI interactions
  3. We have provided clear warnings and technical safeguards to prevent inadvertent disclosure of personal data
  4. You will not hold us liable for any processing of personal data that you voluntarily include in AI interactions contrary to our warnings and instructions

We display prominent warnings in the user interface before you engage with AI features that process open-ended user input.

6. Data Storage and Security

6.1 Data Location

All personal data and user-generated content is stored exclusively on servers located within the European Union. We use Supabase (PostgreSQL) as our primary database provider, with data centers in the EU.

6.2 Security Measures

We implement appropriate technical and organizational measures to protect your data against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption of data in transit and at rest
  • Access controls and authentication mechanisms
  • Regular security assessments and updates
  • Secure European-based data storage infrastructure

However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your personal data, we cannot guarantee absolute security.

6.3 Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will notify you and the Estonian Data Protection Inspectorate within 72 hours of becoming aware of the breach, as required by GDPR Article 33.

7. Your Rights Under GDPR

As a data subject in the European Union, you have the following rights:

7.1 Right of Access (Article 15)

You have the right to obtain confirmation as to whether your personal data is being processed and to access that data.

7.2 Right to Rectification (Article 16)

You have the right to request correction of inaccurate personal data.

7.3 Right to Erasure / "Right to be Forgotten" (Article 17)

You have the right to request deletion of your personal data. Upon receiving a valid erasure request, we will delete your account and all associated personal data immediately.

7.4 Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format. You may export and download all your data at any time through your account settings.

7.5 Right to Withdraw Consent (Article 7(3))

Where processing is based on consent (such as marketing communications or analytics), you have the right to withdraw consent at any time through your account settings. Withdrawal does not affect the lawfulness of processing based on consent before withdrawal.

7.6 Right to Object (Article 21)

You have the right to object to processing of your personal data on grounds relating to your particular situation.

7.7 Right to Lodge a Complaint (Article 77)

You have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) if you believe our processing of your personal data violates GDPR.

To exercise any of these rights, please contact us at alex@tryblooming.ai.

8. Legal Basis for Processing

We process your personal data under the following legal bases:

  • Contractual Necessity (Article 6(1)(b)): Processing necessary for the performance of our contract with you (providing the Service)
  • Consent (Article 6(1)(a)): For marketing communications, educational updates, and analytics (where you have provided explicit opt-in consent)
  • Legitimate Interests (Article 6(1)(f)): For service improvement, security, and fraud prevention, where such interests are not overridden by your rights
  • Legal Obligation (Article 6(1)(c)): Where processing is necessary to comply with legal requirements

9. Data Retention and Deletion

9.1 Active Accounts

We retain your personal data for as long as your account remains active and as necessary to provide you with the Service.

9.2 Account Deletion

When you request deletion of your account or exercise your right to erasure, we will immediately and permanently delete:

  • Your email address and account credentials
  • All learning data, progress records, and educational history
  • All user-generated content, prompts, and conversations
  • All analytics data associated with your account (if any)

9.3 Legal Retention Requirements

We may retain certain data where required by law (such as financial records for tax purposes) or to establish, exercise, or defend legal claims.

10. Cookies and Tracking Technologies

We use minimal cookies to provide and improve our Service:

10.1 Essential Cookies

The following cookies are necessary for the Service to function:

  • Authentication cookies: Required to maintain your login session and provide secure access to your account
  • Preference cookies: Store your UI preferences (such as sidebar state and language settings)

These cookies are technically necessary and do not require consent.

10.2 Analytics and Tracking Cookies

We only use cookies for analytics and tracking purposes if you explicitly grant us permission. By default, analytics are fully anonymized without the use of cookies.

When you grant analytics consent through your account settings:

  • PostHog analytics cookies: Used to understand how you use the Service and improve user experience
  • These cookies use both localStorage and browser cookies to track your interactions
  • You can revoke this consent at any time through Settings > Notifications, and all analytics tracking will immediately cease

10.3 Managing Cookie Preferences

You control analytics cookies through your account settings:

  1. Navigate to Settings > Notifications
  2. Toggle "Analytics Consent" on or off
  3. Changes take effect immediately

You can also manage cookies through your browser settings, though disabling essential cookies may prevent the Service from functioning properly.

11. Third-Party Services

11.1 Payment Processing

We use Stripe for payment processing. Stripe collects and processes payment information on our behalf. Stripe is certified under the EU-US Data Privacy Framework and utilizes Standard Contractual Clauses (SCCs) for international data transfers. Please review Stripe's Privacy Policy at https://stripe.com/privacy for information on how they handle your payment data.

11.2 Other Third-Party Services

We may use additional third-party services for service operation and improvement. Any such services are selected based on their GDPR compliance and data protection standards. We do not share personal data with third parties except as described in this Privacy Policy.

12. Children's Privacy

Our Service is intended for users aged 16 and older. We do not knowingly collect personal data from individuals under 16. By using the Service, you represent and warrant that you are at least 16 years old. If we become aware that we have collected personal data from someone under 16, we will take steps to delete that information immediately.

13. International Users

While our Service is based in Estonia and complies with GDPR, users from outside the European Economic Area may access the Service. By using our Service from outside the EEA, you acknowledge that your data will be processed in accordance with this Privacy Policy and European data protection standards.

14. Changes to This Privacy Policy

We reserve the right to modify this Privacy Policy at any time. We will notify you of material changes by:

  • Posting the updated Privacy Policy on our website with a new "Last Updated" date
  • Sending an email notification to your registered email address (for significant changes)
  • Displaying a prominent notice on the Service

This Privacy Policy will be updated with additional details and clarifications as our compliance documentation evolves. Your continued use of the Service after any modifications constitutes your acceptance of the updated Privacy Policy. If you do not agree to the modified Privacy Policy, you must stop using the Service and may request deletion of your account.

15. Contact Us

For questions about this Privacy Policy, to exercise your GDPR rights, or to report a data breach or privacy concern, please contact us at:

Email: alex@tryblooming.ai

Supervisory Authority:
Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)
Website: https://www.aki.ee/en

By using Blooming AI, you acknowledge that you have read, understood, and agree to this Privacy Policy.