BloomSign in →

Effective Date: February 14, 2026  ·  Last Updated: March 3, 2026

Privacy Policy

This policy describes how youbloom.app collects, uses, and protects your personal data.

Jump to section

1. Overview2. Information We Collect3. How We Use Your Information4. AI Integrations and MCP5. Sharing Your Information6. Data Retention7. Security8. Your Rights9. Children10. Changes to This Policy11. Contact

1. Overview

Bloom ("we", "us", or "our") operates the Bloom productivity application available at youbloom.app and on iOS and Android. This Privacy Policy explains what personal data we collect, how we use it, and the choices you have. By using Bloom you agree to the practices described here. If you disagree, please stop using Bloom and delete your account.

2. Information We Collect

2.1 Account Information

When you sign in with Google we receive your name, email address, and Google account ID. We do not receive your Google password.

2.2 App Content

We store the tasks, task groups, notes, and settings you create inside Bloom so we can sync them across your devices.

2.3 Usage Data

We collect basic analytics (feature usage counts, crash reports) using privacy-respecting tools. This data is aggregated and not tied to individual users unless required for debugging.

2.4 Device & Technical Data

We may collect device model, OS version, app version, and IP address to diagnose technical issues and prevent abuse.

3. How We Use Your Information

  • To provide, maintain, and improve the Bloom app
  • To sync your tasks across devices
  • To send essential service communications (e.g. billing, critical security updates)
  • To prevent fraud and abuse
  • To comply with legal obligations

4. AI Integrations and MCP

4.1 ChatGPT / Claude OAuth Integration

When you connect Bloom to ChatGPT (via OpenAI) or Claude (via Anthropic) using our OAuth flow: • Bloom issues a short-lived access token to the AI service. This token expires after 1 hour and is automatically renewed while the connection is active. • The AI service can read and write your Bloom tasks and task groups only. It cannot access your account settings, billing information, or other personal data. • We do not receive or store your ChatGPT or Claude conversation history. • You can disconnect at any time from ChatGPT Settings → Connected Apps, Claude Settings → Integrations, or from youbloom.app/account/connections.

4.2 Developer / MCP Personal Access Tokens

If you create a Personal Access Token (PAT) for use with developer tools such as VS Code, Cursor, Claude Desktop, or Windsurf: • The token grants the tool access to your Bloom tasks and task groups, just like the OAuth integration. • You are responsible for keeping your PAT secure. Treat it like a password — do not share it or commit it to public code repositories. • You can revoke any PAT at any time from youbloom.app/account/tokens. • Revoking a token immediately prevents it from being used.

4.3 Data Minimisation

All AI integrations (OAuth and PAT) operate under the principle of least privilege. We expose only the task-management API endpoints necessary for the integration to function. No other Bloom data is accessible via MCP.

5. Sharing Your Information

We do not sell your personal data. We share data only with: • Service providers who help us operate Bloom (e.g., Supabase for database and auth, Apple/Google for push notifications, Stripe for payments). These providers are contractually bound to protect your data and may not use it for their own purposes. • Law enforcement or regulators when required by applicable law. • A successor entity in the event of a merger, acquisition, or sale of assets, where your data would remain subject to this Privacy Policy.

6. Data Retention

We keep your data for as long as your account is active. If you delete your account, we permanently delete your tasks, groups, and personal information within 30 days, except where retention is required by law (e.g., billing records may be kept for 7 years in some jurisdictions). OAuth access tokens that have not been used for 90 days are automatically revoked. Personal Access Tokens are retained until you revoke them.

7. Security

We use industry-standard security practices: • All data is transmitted over HTTPS/TLS. • Data at rest is encrypted (AES-256) in Supabase. • Access tokens are hashed before storage — we cannot read your PATs. • We use Row-Level Security (RLS) in our database to ensure each user can only access their own data. No system is 100% secure. If you discover a security vulnerability, please disclose it responsibly to Support@youbloom.app.

8. Your Rights

Depending on your location, you may have the right to: • Access a copy of your personal data • Correct inaccurate data • Delete your data ("right to be forgotten") • Export your data in a portable format • Withdraw consent for optional processing To exercise any of these rights, email us at Support@youbloom.app. We will respond within 30 days.

9. Children

Bloom is not directed at children under 13 (or under 16 in the EU). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or in-app notice at least 14 days before they take effect. Continuing to use Bloom after the effective date constitutes acceptance of the updated policy.

11. Contact

Questions or concerns? Reach us at: Email: Support@youbloom.app Website: youbloom.app