Privacy Policy
Dernière mise à jour : 2026-02-16
Privacy Policy
Last Updated: 2026-02-16 Effective Date: 2026-02-16
1. Data Controller
Bloomoo ("we", "us", "our") is the data controller for the personal data processed through this platform.
- Contact email: privacy@bloomoo.com
- Registered address: [TO BE ADDED]
- Data Protection Officer (if appointed): [TO BE ADDED]
This Privacy Policy is provided in accordance with Articles 13 and 14 of the EU General Data Protection Regulation (GDPR).
2. Data We Collect
2.1 Account Data
- Email address
- Name (if provided)
- Account creation and last login timestamps
2.2 Assessment Data
- Responses to psychometric questionnaires
- Computed scores and reports
- Open-question responses (typed or transcribed from voice input)
Special Category Data (GDPR Art. 9): Depending on the nature of the psychometric instruments used, some assessment data may qualify as data revealing psychological characteristics. Where this is the case, processing is based on your explicit consent (Art. 9(2)(a)).
2.3 AI-Generated Content
- Personality summaries generated by AI models
- Result interpretations
- Recommendations
2.4 Demographic Data (Optional)
- Age range, gender, education level, job sector
- Provided voluntarily; never required
2.5 Consent Records
- Records of which consents you have granted or revoked
- Timestamps, consent type, and version of consent text
2.6 Technical Data
- IP address (retained for 90 days)
- User agent string (retained for 90 days)
- Authentication session data (cookies)
2.7 Payment Data
- Payment transactions are processed by Stripe. We store transaction references, not card details.
2.8 Data Minimization
Bloomoo applies the principle of data minimization (GDPR Art. 5(1)(c)). We collect only the data necessary for the purposes described in this policy. In particular, Bloomoo does not request or collect clinical diagnoses, medical history, medical records, or any health-related information beyond the scope of psychometric self-assessment questionnaires.
3. Legal Bases for Processing
We process your personal data under the following legal bases (GDPR Article 6):
| Processing Activity | Legal Basis | GDPR Article |
|---|---|---|
| Account creation and management | Performance of contract | Art. 6(1)(b) |
| Assessment completion and scoring | Consent | Art. 6(1)(a) |
| AI-generated summaries and interpretations | Consent | Art. 6(1)(a) |
| Sharing results with a company (B2B) | Consent | Art. 6(1)(a) |
| Aggregated analytics (anonymized) | Consent | Art. 6(1)(a) |
| Security logging and abuse prevention | Legitimate interest | Art. 6(1)(f) |
| Payment processing | Performance of contract | Art. 6(1)(b) |
| Legal compliance (audit logs, consent records) | Legal obligation | Art. 6(1)(c) |
Legitimate Interest Assessment: Where processing is based on legitimate interest (Art. 6(1)(f)), a Legitimate Interest Assessment has been conducted to ensure that such processing does not override your fundamental rights and freedoms. Security logging is limited to the minimum data necessary (IP address and user agent, retained for 90 days) and is essential for detecting unauthorized access and preventing abuse.
4. Consent Model
Bloomoo uses five independent, granular consent types. Each is requested separately and can be revoked at any time without affecting the others:
- Assessment Consent — Required to complete assessments and receive results.
- Company Access Consent — Allows a specific company to access your results. Granted per company, revocable at any time.
- Aggregation Consent — Allows your anonymized data to be included in statistical aggregations (subject to k-anonymity threshold of k=20).
- AI Usage Consent — Allows AI models to generate personalized summaries and recommendations from your data.
- Analytics Consent — Allows anonymized usage analytics (PostHog) to help us improve the platform. Managed via the cookie consent banner.
Consents are never bundled. Revoking one consent does not affect others. Revoking consent triggers deletion of the associated data (e.g., revoking AI usage consent deletes AI-generated summaries).
5. Data Processors (Sub-processors)
We use the following third-party processors:
| Processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Vercel | Application hosting and CDN | US/EU | Standard Contractual Clauses |
| Supabase / Neon | PostgreSQL database hosting | EU preferred | Standard Contractual Clauses |
| Resend | Transactional email delivery | US | Standard Contractual Clauses |
| Stripe | Payment processing | US/EU | Standard Contractual Clauses, PCI DSS |
| PostHog | Privacy-mode analytics | EU | No PII collected, no autocapture, no session recording |
5b. No Sale of Personal Data
Bloomoo does not sell, rent, or trade your personal data to third parties. Your data is processed solely for the purposes described in this Privacy Policy.
6. International Transfers
Where personal data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions where applicable
- Technical measures including encryption in transit and at rest
7. Data Retention
We retain personal data only as long as necessary. See our Data Retention Policy for detailed retention periods per data category. Key periods:
- Account data: Until you request deletion
- Assessment responses: Until you request deletion or revoke consent
- AI summaries: Until you request deletion or revoke AI usage consent
- Consent records: 5 years after revocation (legal obligation)
- Technical logs: 90 days
- Payment records: 7 years (tax/legal obligation)
8. Your Rights
Under GDPR, you have the following rights:
8.1 Right of Access (Art. 15)
You can request a copy of all personal data we hold about you. Use the data export feature in your account settings or contact us directly.
8.2 Right to Rectification (Art. 16)
You can update your personal data through your profile settings at any time.
8.3 Right to Erasure (Art. 17)
You can request deletion of your account and all associated data. Deletion requests are processed within 30 days. Certain data may be retained where required by law (see Data Retention Policy).
8.4 Right to Data Portability (Art. 20)
You can export your data in a machine-readable format (JSON) through your account settings.
8.5 Right to Restriction of Processing (Art. 18)
You can request that we restrict processing of your data while a complaint or dispute is resolved.
8.6 Right to Object (Art. 21)
You can object to processing based on legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds.
8.7 Right to Withdraw Consent (Art. 7)
You can withdraw any consent at any time through your account settings. Withdrawal does not affect the lawfulness of processing performed before withdrawal.
8.8 Right to Lodge a Complaint
You have the right to lodge a complaint with your national data protection authority if you believe your rights have been violated. In France, the competent supervisory authority is the Commission Nationale de l'Informatique et des Libertés (CNIL) — www.cnil.fr.
9. Children
Bloomoo is not intended for users under 16 years of age. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16, we will delete it promptly.
10. Non-Clinical Disclaimer
Bloomoo is not a clinical, diagnostic, or therapeutic tool. Assessment results describe personality traits and tendencies based on validated academic instruments. Results are informational and educational only. They are not a substitute for professional psychological or medical advice.
See our Non-Clinical Disclaimer for full details.
11. Profiling and Automated Decision-Making
11.1 Profiling
Bloomoo performs profiling within the meaning of GDPR Article 4(4) by evaluating personal aspects relating to personality traits, behavioral tendencies, and preferences based on your assessment responses. This profiling is carried out solely for informational and self-development purposes and is based on your explicit consent.
11.2 AI-Generated Content
Bloomoo uses AI to generate personality summaries and recommendations. These outputs are:
- Informational only — they do not produce legal or similarly significant effects
- Based on your explicit consent (AI Usage Consent)
- Deletable at any time by revoking consent
- Probabilistic in nature — AI-generated outputs may contain inaccuracies, oversimplifications, or generalizations
You have the right to request human review of any AI-generated output.
11.4 AI Data Flow
When AI-generated content is produced, assessment data is processed as follows:
- Data is pseudonymized before transmission to the AI model — no email addresses, names, or direct identifiers are included in AI prompts
- AI processing is performed by a self-hosted LLM server or, where a third-party provider is used (e.g., OpenAI, Anthropic), data is transmitted under Data Processing Agreements with appropriate safeguards
- Raw assessment responses are summarized into dimensional scores before AI processing; individual item-level responses are not transmitted
- No personal data is retained by the AI provider beyond the duration of the request
11.3 No Automated Decisions with Legal Effects
No automated decision-making on the platform produces legal effects or similarly significantly affects you. All AI outputs are supplementary interpretations provided for your information only.
12. Security
We implement technical and organizational measures to protect your data, including:
- Encryption in transit (TLS) and at rest
- Row-Level Security (RLS) at the database level for data isolation
- Role-based access control (RBAC)
- Audit logging of all data access
- Regular security reviews
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email. Continued use of the platform after changes constitutes acceptance of the updated policy.
14. Contact
For privacy inquiries, data subject requests, or complaints:
- Email: privacy@bloomoo.com
- Postal address: [TO BE ADDED]