Privacy Policy

Effective date: 6 October, 2025

Last updated: 6 October, 2025

1. Introduction & Scope

bloomlabs (“we”, “us”, “our”) is committed to protecting your privacy and handling your data responsibly. This Privacy Policy describes how we collect, use, disclose, and safeguard personal data and other data submitted to or collected via our website, platform, and services (collectively, the “Services”). It applies to all users, including project developers, platform users, visitors, and clients.

This policy is to be read in conjunction with our Terms of Service. Capitalized terms not defined herein have the meaning given in those Terms.

2. Who is the Data Controller

The data controller for your personal data under applicable laws (such as the GDPR) is:

Bloom labs, MB

Address: Musninku 16-16, LT-07183, Vilnius, Lithuania

Contact: hello@bloomlabs.earth

If you have questions about your privacy rights, you may contact us via that address.

3. What Data We Collect & When

We collect and process two broad categories of data:

3.1. Personal Data

This is data that can identify you (directly or indirectly). Examples include:

  • Name, email address, job title, organization.
  • Contact details you supply (e.g., via forms, onboarding, etc.).
  • Account credentials (hashed passwords).
  • Data contained in communications or messages you send us (e.g. feedback, support requests).
  • Usage metrics tied to your account when you log in or use the platform (e.g. last login time).

3.2. Non-Personal / Aggregated / Operational Data

These are usage, technical, or system-level records, including:

  • Timestamps and logs of access, page views, errors, performance metrics.
  • Aggregated analytics (e.g. how many users visited a certain dashboard).
  • Metadata about project data submissions (e.g. timestamps, versions) — but only insofar as they do not identify an individual.

3.3. Data from Project Developers / Data Contributors

As part of the core service, you (or your organization) may upload biodiversity, carbon, nature-credit, or related data. We treat these uploads primarily as “client data” / “contributed data”, which is not personal data (unless you embed personal identifiers). Our processing of that data is governed under our contractual terms (see Section 7) and subject to confidentiality and security constraints.

4. Legal Bases for Processing (for GDPR / EU)

When we process personal data, we rely on one or more of the following legal bases:

  • Contract performance (Art. 6(1)(b) GDPR): when processing is necessary to fulfill obligations under a service agreement (e.g. to provide platform access).
  • Legitimate interests (Art. 6(1)(f) GDPR): for purposes such as security, fraud prevention, internal analytics, and platform improvement, provided that your rights do not override those interests.
  • Consent (Art. 6(1)(a) GDPR): for optional features such as marketing communications, newsletters, or certain cookies and tracking tools.
  • Legal compliance (Art. 6(1)(c) GDPR): when we are required by law or regulatory obligations to process certain data (e.g. accounting, audit).

We will always inform you of the relevant legal bases for particular data processing operations.

5. How We Use Your Data

We use collected data for these core purposes:

  • To provide, operate, maintain, and improve our Services.
  • To manage account registration, authentication, and support.
  • To communicate with you (e.g. updates, service announcements, support).
  • To analyze usage through internal analytics, usage statistics, and performance monitoring.
  • To enforce our Terms, detect fraud or abuse, and maintain security.
  • To comply with legal obligations (e.g. audit, tax, regulatory).
  • With your consent, for marketing, newsletters, or promotional communications.

We do not sell or trade your personal data to third parties for commercial gain.

6. Sharing, Transfers & Third Parties

6.1. Third-Party Service Providers / Processors

We employ third parties (such as hosting, email delivery) to support the operation of our Services. These providers act as processors and only process personal data under our instructions and in compliance with applicable law. We enter into Data Processing Agreements (DPAs) with such providers as needed (e.g. in line with Art. 28 GDPR).

6.2. Business Transfers

In the event of a merger, acquisition, financing, or asset sale, your personal data may be transferred to a successor entity, subject to confidentiality and legal safeguards.

6.3. Legal & Safety Disclosures

We may disclose personal or operational data if required by law, subpoena, regulatory authority, or to defend legal claims. We may also disclose to protect the rights, safety, or property of bloomlabs, users, or the public.

6.4. International Transfers

Because our stack may involve service providers located outside the EEA (e.g. hosting, email delivery), some automatic transfers of personal data outside the EEA may occur. We ensure that such transfers are lawful, typically using:

  • Standard Contractual Clauses (SCCs)
  • Adequacy decisions
  • Other appropriate safeguards

We will notify you of any such transfers in relevant notices.

7. Handling of “Client / Project Developer Data”

Your data submissions are handled under specific contractual and internal governance rules:

  • You retain ownership of your contributed data.
  • We treat your data as confidential / proprietary and will not expose it to unauthorized parties.
  • Only authorized bloomlabs personnel (currently limited) may access raw data; other internal users access via controlled dashboards, subject to role-based permissions, audit logs, and least-privilege principles.
  • All access, edits, or exports are logged, time-stamped, and versioned where feasible.
  • We maintain backups and disaster recovery while preserving confidentiality and integrity.
  • If you request data deletion or export, we will comply in a timely manner, subject to any legal or contractual retention obligations.

8. Data Retention & Deletion

We retain personal data only as long as necessary for the purposes specified, unless longer retention is required by law or contract. After that, we securely delete or anonymize the data.

For project data, retention will depend on your contract and our mutual agreement — we will retain as long as needed to support active service, historical records, auditability, or liability periods.

9. Your Rights (for individuals in applicable jurisdictions)

Under laws such as the GDPR, you have the following rights:

  • Right to access your personal data processed by us (Art. 15).
  • Right to rectification if data is inaccurate or incomplete (Art. 16).
  • Right to erasure (“right to be forgotten”), under certain conditions (Art. 17).
  • Right to restrict processing under certain circumstances (Art. 18).
  • Right to object to processing, particularly for marketing or legitimate interest bases (Art. 21).
  • Right to data portability — to receive your personal data in a structured, machine-readable format (Art. 20).
  • Right to withdraw consent at any time (where processing is based on consent).
  • Right to lodge a complaint with a supervisory authority in your jurisdiction (e.g. GDPR authority).

10. Security Measures

We employ a combination of technical and organizational safeguards to protect your data:

  • Encryption in transit (TLS/SSL) for all communications between client, front end, API, and database.
  • At-rest encryption of database storage.
  • Role-based access controls (RBAC): only authorized team members with proper roles may access relevant data.
  • Least privilege principle: minimal required permissions are granted.
  • Audit logging / access history for all data operations (reads, writes, exports).
  • Regular backup and disaster recovery plans.
  • Vulnerability management: periodic security reviews, patching, monitoring, intrusion detection.
  • Internal policies and training: staff handling data are trained, bound by confidentiality, and follow internal security policies.

We continuously review and update our security measures as technology and threats evolve.

11. Cookies, Analytics & Tracking

We may employ cookies, local storage, tracking pixels, and third-party analytics tools. These may include:

  • Strictly necessary cookies (essential for site function)
  • Performance / usage cookies (collect anonymized usage data)
  • Optional tracking cookies (only with your consent)
  • Integration with third-party tools (e.g. Google Analytics, monitoring, A/B testing)

You may withdraw consent for non-essential cookies via cookie settings. We anonymize or pseudonymize logged data where possible (e.g. IP masking in analytics).

12. Children & Minors

Our Services are not directed to children (under age 16). We do not knowingly collect personal data from minors. If we learn that we have inadvertently collected data from a minor, we will delete it as soon as practicable.

13. Changes to the Privacy Policy

We may update this Privacy Policy from time to time (e.g. when we add features, services, or in response to regulatory change). The “Last updated” date will reflect the latest version. For material changes, we will notify users (e.g. by email or notice in the dashboard) before the change becomes effective.
