Back to Home

Privacy Policy

Last updated: May 20, 2026 · Effective immediately

1. Introduction

Bloom Up OÜ ("Bloom", "we", "our" or "us") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains what information we collect, why we collect it, how we use and share it, and the rights you have over it when you use the Bloom Studios mobile application and the website at bloomup.art (together, the "Service").

Bloom Studios is a marketplace that connects artists, producers, podcasters and creators ("Artists") with owners and managers of recording, rehearsal and photography studios ("Hosts"). Artists browse, book and pay for studios; Hosts list, manage and receive payouts for their spaces. We act as the data controller for the personal data described below.

This policy is written to comply with the EU General Data Protection Regulation ("GDPR"), the UK GDPR, the California Consumer Privacy Act ("CCPA") and Apple's App Store Review Guideline 5.1.1.

2. Quick summary

For users who want the short version:

  • We collect what we need to make bookings work: your email, profile, country, the studios and packs you list (if you are a Host), the bookings you make, and the messages you send through the in-app chat.
  • Card details never reach us. Payments are processed by Stripe and we only store opaque references such as Stripe Customer IDs and Payment Intent IDs.
  • We do not sell your personal data. Ever.
  • You can delete your account, and all the data associated with it, from inside the app.

3. Information we collect

3.1 Information you provide

  • Account credentials. Email address and a password (which we never store in plain text — Supabase Auth hashes it before persistence). Alternatively, when you sign in with Apple or Google, we receive a unique identifier and your email from those providers.
  • Profile data. First name, last name, username, date of birth, country, profile photo, biography, social links, account type ("artist" or "host"), and — if you are an artist — your role and music genres.
  • Studio listings (Hosts only). Name, description, address, city, country, photos, equipment list, amenities, hourly rate, time zone, cancellation policy and service packs.
  • Identity & payout data (Hosts only). When you connect a Stripe Connect Express account to receive payouts, you provide identity, address and bank information directly to Stripe. Bloom does not receive or store your bank account or identity documents — only an opaque Stripe account identifier.
  • Communications. The content of messages, attachments and message requests you send through the in-app chat to other users. Reviews, ratings and comments you post about studios.
  • Bookings. The studios you book, the dates and times, the pack you selected and any notes for the host.
  • Favorites. Studios you mark as favorite for later (artists only).
  • Support requests. If you contact us at bloomupou@proton.me, we keep the email and the body of the message for as long as needed to resolve your request.

3.2 Information collected automatically

  • Device information. When you open the app we receive technical data about your device, such as the operating system version, the app version and an Expo push token (an opaque identifier issued by Apple Push Notification service or Firebase Cloud Messaging) so that we can send you push notifications.
  • Approximate location. When you grant location permission, we read your coarse location once during onboarding to suggest a default country, and again when you open the map tab to centre the map on your area. We do not track your location continuously and we do not store the latitude and longitude of your device.
  • Usage and abuse-prevention logs. We log the IP address, timestamp and action type for sensitive operations (sign-up, password reset, message sending) to detect fraud, spam and rate-limit abusive clients. These logs are kept for up to 90 days and then deleted.
  • Crash reports and diagnostic logs. If the app crashes or hits an error, we capture the stack trace, the screen where it happened and the build version. We do not attach personal content (messages, profile fields) to these reports.

3.3 Information from third parties

  • Apple and Google sign-in. When you choose to sign in with Apple or Google, the provider shares your email and a stable user ID with us. You can hide your email through Apple's "Hide My Email" feature; we receive the relay address and treat it as your normal email.
  • Stripe. Stripe sends us status updates about payments, payouts and Connect accounts (for example: a charge succeeded, a payout was issued, an account was put under review). We never receive raw card data, full bank account numbers or government-issued identity documents from Stripe.
  • Geocoding. When a host enters a studio address, our backend asks the OpenStreetMap Nominatim service to translate it to coordinates so the studio can appear on the map. We send the address (street, city, country) to Nominatim and we receive a latitude and longitude. We do not send the host's identity to that service.

4. Information we do not collect

For clarity, Bloom does not collect:

  • Full credit-card numbers, CVCs or card expirations.
  • Bank account numbers or IBANs from Hosts (those are held by Stripe).
  • Photos or files from your device library that you do not explicitly upload.
  • Your microphone, camera or contacts unless you explicitly grant the corresponding permission and trigger the feature.
  • Continuous location tracking, advertising IDs (IDFA/AAID), or browsing history.
  • Health, biometric or political data.

5. How we use your data

We use the data we collect for the following purposes:

  • Service delivery. Creating your account, authenticating you on every app launch, displaying studios on the explore feed and the map, processing and confirming bookings, splitting payments via the Share Booking feature when several artists book a session together, calculating refunds when a booking is cancelled within the policy, and routing payouts to hosts via Stripe.
  • Communications between users. Showing Hosts the artist's profile and message when a booking is requested, showing artists the studio location and host profile, delivering chat messages, and powering the inbox of message requests.
  • Notifications. Sending push notifications and transactional emails about booking confirmations, message requests, payment status, refunds, cancellations and review reminders.
  • Discovery and matching. Showing the closest studios on the map, filtering by city or country, and surfacing studios that match your music genres.
  • Trust and safety. Detecting and preventing fraud, spam, abuse, harassment, and fake reviews. Honouring your blocks and reports, removing reported content when our policies require it, and applying rate limits per IP and per account.
  • Customer support. Answering your questions, troubleshooting issues, and resolving disputes between users.
  • Legal compliance. Meeting our obligations under tax, accounting, anti-money-laundering and consumer- protection laws.
  • Product improvement. Analysing aggregate, anonymised usage data to fix bugs, prioritise features, and improve performance. We do not profile individuals for advertising purposes.

6. Legal bases for processing (GDPR)

When you are based in the European Economic Area, the United Kingdom or Switzerland, we rely on the following legal bases:

  • Performance of a contract (Art. 6(1)(b) GDPR) for everything that is necessary to deliver the booking service: account creation, authentication, processing bookings, settling payments, displaying studios.
  • Legitimate interests (Art. 6(1)(f) GDPR) for fraud prevention, rate limiting, security logging and aggregate analytics, balanced against your right to privacy.
  • Consent (Art. 6(1)(a) GDPR) for sending push notifications, accessing your device location, and accessing your photo library. You can withdraw consent at any time through the iOS Settings app or your device settings.
  • Legal obligations (Art. 6(1)(c) GDPR) for tax records, accounting, and complying with valid legal requests.

7. How we share your data

We share data only with the parties listed below, only for the purposes described, and only to the minimum extent necessary.

7.1 With other users of the Service

  • Hosts see the artist's username, profile photo, country and message when a booking is requested. After payment, the host can also see the artist's first name and booking notes.
  • Artists see the host's studio name, photos, description, equipment, address (only after a booking is confirmed), reviews, and host profile.
  • Share-booking participants see each other's username, profile photo, share amount and payment status, but not their email or phone number.
  • Reviews you publish are visible to other users in the corresponding studio page.

7.2 With our service providers (data processors)

These providers process data on our behalf and only follow our instructions. They are bound by data-processing agreements.

  • Supabase Inc. (United States and EU) — hosts our database, authentication system, file storage, and edge functions. All personal data lives inside Supabase infrastructure.
  • Stripe Payments Europe Ltd. (Ireland, with onward processing in the United States) — processes payments for artists, manages Connect Express accounts for hosts, holds funds in escrow until a session ends, executes payouts to host bank accounts, and handles refunds. Stripe is the data controller for card and bank account data and for identity-verification data shared with it during host onboarding.
  • Apple Inc. (United States) — delivers push notifications to iOS devices via the Apple Push Notification service. We send Apple an opaque device token and the notification payload (title and short body); we never include sensitive content.
  • Expo / 650 Industries Inc. (United States) — builds and signs the iOS and Android apps, distributes them via TestFlight and the stores, and brokers push tokens between Apple/Google and our backend.
  • OpenStreetMap Foundation Nominatim (United Kingdom) — converts studio addresses to coordinates. We send the address only.
  • Foreign-exchange rate provider — provides daily currency conversion rates so we can show prices in your local currency before checkout. We send no personal data; we only receive rate tables.

7.3 With law enforcement and to protect rights

We may disclose your personal data if we are legally required to do so by court order, subpoena, or other valid legal process, or if we have a good-faith belief that disclosure is necessary to protect the rights, property or safety of Bloom, our users or the public.

7.4 In a corporate transaction

If Bloom is involved in a merger, acquisition, financing, reorganisation, bankruptcy, or sale of assets, your data may be transferred to the relevant party. We will require any successor to honour the commitments made in this policy.

8. International data transfers

Bloom Up OÜ is established in the European Union (Estonia). Some of our service providers — notably Stripe, Apple, Expo and parts of Supabase's infrastructure — are based in the United States or transfer data there.

When personal data is transferred outside the European Economic Area, we rely on the European Commission's Standard Contractual Clauses or, where applicable, the EU-U.S. Data Privacy Framework. You can request a copy of the safeguards in place by contacting us.

9. Data retention

We retain personal data for as long as necessary to fulfil the purposes described above. Specifically:

  • Account data and profile. While your account is active. Permanently deleted within 30 days of account deletion.
  • Bookings, payments and tax records. Up to 8 years after the booking date, as required by Estonian and EU accounting and tax law. After account deletion these records are anonymised: the booking remains in our database for tax purposes, but the link to your identity is severed.
  • Chat messages and reviews. While both participants have active accounts. Permanently deleted within 30 days of either participant deleting their account, except for reviews already published, which remain visible to other users with the username replaced by "Removed user".
  • Abuse-prevention and security logs. Up to 90 days, then automatically purged.
  • Push tokens. While the app is installed and receiving notifications. Removed within hours of uninstall.
  • Backups. Encrypted backups of our database are retained for up to 30 days for disaster recovery. Data that has been deleted from the live database will be deleted from backups in the next rotation.

10. Your rights

Depending on where you live, you have the following rights over your personal data. We honour them regardless of jurisdiction.

  • Access. Ask us for a copy of the personal data we hold about you.
  • Rectification. Correct inaccurate or incomplete data. You can edit most fields directly from the app under Profile → Edit profile.
  • Deletion ("right to be forgotten"). Delete your account and all the personal data we hold about you, directly from inside the app under Profile → Settings → Delete account. Tax records are anonymised but kept where required by law (see section 9).
  • Restriction. Ask us to limit how we process your data while a complaint is being investigated.
  • Objection. Object to processing based on our legitimate interests, in particular fraud prevention.
  • Portability. Receive your personal data in a structured, machine-readable format (we provide a JSON export on request).
  • Withdraw consent. Revoke previously granted permissions (location, push notifications, photo library) at any time from your device's Settings app.
  • Lodge a complaint. If you are based in the EU/EEA you may complain to your local data protection authority. The lead supervisory authority for Bloom is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon).

To exercise any of these rights, write to bloomupou@proton.me from the email address tied to your account. We respond within 30 days. Identity verification may be required for sensitive requests.

11. Children's privacy

Bloom is intended for users who are at least 14 years old; in jurisdictions with a higher digital age of consent, the applicable local minimum age applies. We do not knowingly collect personal data from children below the local age of digital consent. If you become aware that a child has provided us with personal data without verifiable parental consent, please contact us and we will delete it.

12. Security

We apply industry-standard technical and organisational measures to protect your data:

  • All traffic between the app and our backend is encrypted in transit (TLS 1.3).
  • Passwords are hashed using bcrypt by Supabase Auth; we cannot read them.
  • Sensitive operations are protected by row-level security rules at the database level. Even with a valid token, a user cannot read another user's private data.
  • Our edge functions verify the session on every request and rate-limit abusive callers.
  • Stripe handles card data and bank-account data outside our infrastructure, in a PCI-DSS Level 1 environment.
  • Backups are encrypted at rest. Production secrets are stored in a managed vault and rotated when needed.
  • We log access to sensitive resources and review the audit trail periodically.

No system is completely secure. If we ever discover a personal data breach that is likely to result in a risk to your rights, we will notify the competent authorities within 72 hours and inform affected users without undue delay.

13. Changes to this policy

We may update this Privacy Policy when we add new features, change service providers, or are required to do so by law. The "Last updated" date at the top reflects the most recent revision. If we make a material change we will notify you in the app or by email at least 14 days before the change takes effect, except when the change is required for legal compliance.

14. Contact us

If you have questions about this policy, want to exercise your data rights, or want to report a privacy concern, write to:

Bloom Up OÜ
Estonia, European Union
Email: bloomupou@proton.me

For privacy questions specifically, you may also reach our data protection contact at the same email address with the subject line "Privacy request".