🪙 Bloomly — Privacy Policy

Last updated: April 2026  ·  Plain English, no legalese

Who we are

Bloomly is a family finance and task-rewards app. It is operated as an independent product. If you have questions about this policy, email us at hello@bloomly.pro.

What data we collect and why

We collect only what is needed to make the app work:

• Email address — only if you create a cloud account, used for sign-in and password reset. Never shared or used for marketing.
• Password — stored as a bcrypt hash. We cannot read your password.
• Family data — member names, tasks, goals, transactions, and settings you create inside the app. Stored locally on your device and, if you opt in to cloud sync, encrypted in transit and stored on our server.
• Basic usage analytics — we count how many families are active each day (a single integer per family per day). No page views, no click tracking, no advertising profiles.
• Error & crash reports — if the app errors or crashes, an anonymised diagnostic report is sent to Sentry and Firebase Crashlytics (our error and crash monitoring services) to help us fix bugs. No personal data and no advertising profiles are included.

What we do NOT collect

• Location data
• Device identifiers or fingerprints
• Advertising IDs
• Contacts or photos (profile photos stay on your device)
• Anything sold or shared with third parties for marketing

Where your data is stored

Family data is stored on your device in your browser's local storage. If you create a cloud account, a copy is also stored on our server hosted on Fly.io (London, UK). Daily backups are taken to AWS S3. Both providers are GDPR-compliant.

Third-party services we use: Fly.io (hosting) AWS S3 (backups) Sentry (error monitoring) Resend (transactional email) Stripe (payments) Firebase (push notifications & crash reporting)

We have Data Processing Agreements (DPAs) in place with all third-party processors as required by GDPR Article 28. Each processor is used only for the stated purpose and is not permitted to use your data for their own purposes.

Data retention

Your data is kept for as long as your account is active. If you delete your cloud account (Settings → Delete cloud account), all server-side data is permanently deleted immediately, including all associated records. Local data on your device is removed when you use "Clear all data" in Settings.

Specific retention periods for operational data:

• Family data & sync history — deleted immediately on account deletion; sync patches older than 30 days are purged automatically
• Password reset tokens — deleted after 90 days (used or expired)
• Invite codes — deleted after 7 days (used or expired)
• Activity analytics (daily-active counts, no personal data) — kept for 365 days, deleted on account deletion
• Stripe payment records — we store your Stripe customer ID and subscription ID only; card details are held by Stripe, not by us. Stripe event records are purged after 90 days
• Backups — daily encrypted backups are retained for 30 days and then automatically deleted
• Feedback submissions — kept for 1 year to help us improve the app

Your rights

You have the right to:

• Access your data — use Settings → Export my data to download a full JSON copy
• Delete your data — use Settings → Delete cloud account (server data) or Clear all data (local data)
• Correct your data — edit any member, task, or goal directly in the app
• Portability — your exported JSON contains all your family data in a readable format

If you need help exercising any of these rights, email hello@bloomly.pro.

Children's privacy

Bloomly is designed to be used by families together, under parental supervision. The app is suitable for children aged 6 and over. Child members are set up and managed by parents within the app — children do not create accounts and we do not collect personal information directly from children under 13.

The parent or guardian who creates the Bloomly account is responsible for obtaining any necessary consent to add child members. By creating an account and adding child members, you confirm that you are the parent or legal guardian of those children and that you consent to their limited data (name and in-app activity) being stored as part of your family account. Parents can delete all associated data at any time via Settings → Delete cloud account.

Cookies and tracking

We do not use advertising or tracking cookies. If you create a cloud account, a single HttpOnly session cookie is set by the server to keep you signed in. This cookie is strictly necessary for account functionality and cannot be read by client-side scripts. It is automatically cleared when you sign out or delete your account. We do not use any advertising networks, tracking pixels, or analytics cookies.

Push notifications

If you enable push notifications, your browser's push subscription (a technical token, not personal data) is stored on our server and used only to deliver in-app notifications about coin awards and tasks. You can disable notifications at any time in Settings.

Changes to this policy

If we make material changes, we will update the date at the top of this page. Continued use of the app after changes means you accept the updated policy.