Effective Date: April 11, 2026 | BloomBK, LLC
BloomBK, LLC (“BloomBK,” “we,” “our,” or “us”) operates an AI-powered customer relationship management and marketing platform designed for independent beauty professionals (“Stylists”). This Privacy Policy describes how we collect, use, disclose, and protect information when you use our mobile application, website (bloombk.com), booking pages, and related services (collectively, the “Service”).
This policy applies to two categories of users: (1) Stylists who subscribe to BloomBK to manage their businesses, and (2) Clients who interact with the platform by booking appointments, receiving messages, or visiting stylist booking pages.
By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree, please do not use the Service.
When you create a BloomBK account, we collect your name, email address, phone number, business name, business address, service area, and service offerings including pricing and descriptions. We also collect profile photos, portfolio images, and any content you provide during onboarding or platform use.
When a client books an appointment through a stylist’s booking page, we collect the client’s name, phone number, email address (if provided), and appointment details. If a client opts in to receive text messages, we record their consent, the timestamp, and the method of consent (booking page checkbox, email opt-in link, or manual entry by stylist).
BloomBK does not collect, store, process, or transmit credit card numbers, CVVs, or bank account details. All payment processing for appointment bookings is handled by Square, Inc., and subscription billing is handled by Stripe, Inc. Both are PCI Level 1 certified payment processors. We store only transaction reference IDs, payment amounts, and payment status for record-keeping purposes.
When you use the Service, we automatically collect device information (device type, operating system, unique device identifiers), log data (IP address, access times, pages viewed, app activity), and usage data (features used, actions taken, frequency of use). We use cookies and similar tracking technologies on our web properties.
If you connect third-party accounts to BloomBK (such as Square, Meta, or Google), we receive information from those services as authorized by you through OAuth authentication. This may include transaction history from Square, advertising performance data from Meta and Google, and business profile information from Google Business Profile. We do not receive or store your passwords for any third-party services.
Stylists may import existing client lists via CSV upload. Imported data may include client names, phone numbers, email addresses, and service history. Imported clients are not automatically enrolled in any messaging program. SMS consent defaults to “false” for all imported contacts, and the stylist must obtain consent through our compliant opt-in process before any marketing messages are sent.
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Provide and maintain the Service | Account information, booking data, service history | Contractual necessity |
| Process payments and deposits | Transaction IDs via Square and Stripe (no card data) | Contractual necessity |
| Send appointment confirmations, reminders, and care tips via SMS | Phone number, booking details, consent status | Consent (TCPA opt-in) |
| Send marketing campaigns on behalf of stylists | Client phone number and email, consent status | Consent (TCPA opt-in, CAN-SPAM) |
| Generate AI-powered business insights and content | Aggregated business data (never raw client records) | Legitimate interest |
| Manage advertising campaigns on Meta and Google | Stylist business data, ad performance metrics | Contractual necessity |
| Improve the Service and develop new features | Usage data, anonymized analytics | Legitimate interest |
| Detect fraud, enforce terms, and ensure security | Account data, device data, log data | Legitimate interest |
| Comply with legal obligations | As required by applicable law | Legal obligation |
BloomBK integrates artificial intelligence (powered by Anthropic’s Claude API) to assist stylists with content creation, client communication drafting, business insights, and onboarding. The following practices govern our AI usage:
Data minimization: The AI system receives only aggregated business summaries. It never receives raw client records, individual payment data, OAuth tokens, or credentials.
Human oversight: The AI drafts recommendations and content. It never executes actions autonomously. Every AI-generated action requires explicit stylist approval before the platform acts on it.
No training on your data: Your business data, client information, and communications are not used to train AI models. We use Anthropic’s hosted API, which does not retain inputs or outputs for model training.
Content generation: AI-generated content (such as SMS drafts, ad copy, blog posts, and website text) is clearly produced for the stylist’s review and approval before publication or delivery.
We do not sell, rent, or trade your personal information to third parties. We share information only in the following circumstances:
| Third Party | Information Shared | Purpose |
|---|---|---|
| Square, Inc. | Stylist business ID, transaction data | Payment processing for bookings and deposits |
| Stripe, Inc. | Stylist email, subscription ID | BloomBK subscription billing |
| Twilio, Inc. | Client phone numbers, message content | SMS delivery (confirmations, reminders, campaigns) |
| SendGrid (Twilio) | Client email addresses, email content | Transactional and marketing email delivery |
| Anthropic (Claude API) | Aggregated business summaries only | AI-powered content generation and business insights |
| Meta Platforms, Inc. | Ad campaign data, pixel events | Advertising campaign management |
| Google LLC | Ad campaign data, conversion events, business profile data | Advertising and Google Business Profile management |
| Cloudflare, Inc. | Web traffic data | Content delivery, CDN, DDoS protection, DNS |
| Supabase, Inc. | All platform data (encrypted at rest) | Database hosting and authentication |
| Railway | Application data in transit | API and backend hosting |
| Sentry | Error data, device info (no PII) | Error monitoring and debugging |
We may also disclose information if required by law, subpoena, court order, or government request, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
BloomBK sends text messages on behalf of stylists to their clients. Our SMS practices comply with the Telephone Consumer Protection Act (TCPA) and carrier requirements:
Opt-in required: No SMS is sent to any client without explicit, affirmative opt-in consent. The consent checkbox on booking pages is never pre-checked. Clients must actively choose to receive messages.
Consent records: We record the exact timestamp, source (booking page, email opt-in, or manual entry), and method of every consent event. These records are retained for a minimum of five years.
Opt-out: Clients can reply STOP, CANCEL, UNSUBSCRIBE, or QUIT to any message to immediately stop all future messages. We send a single confirmation message acknowledging the opt-out. No further messages are sent after opt-out.
Message types: Messages include appointment confirmations, reminders, post-appointment care tips, rebooking check-ins, and stylist-approved marketing campaigns. Message frequency varies by stylist configuration.
Standard rates apply: Message and data rates may apply depending on the client’s mobile carrier and plan.
Encryption: All data is encrypted in transit (TLS 1.2+) and at rest. OAuth tokens for third-party services are encrypted using AES-256 before storage.
Multi-tenant isolation: Every database query is scoped to the authenticated stylist using Row-Level Security policies. One stylist’s data is never accessible to another stylist, even in the event of an application-level bug.
Authentication: Passwords are hashed using industry-standard algorithms. Sessions use JSON Web Tokens with one-hour expiration and single-use refresh tokens. Mobile credentials are stored in platform-native secure storage (iOS Keychain, Android EncryptedSharedPreferences).
No card data: We never handle credit card information. All payment interactions use hosted checkout pages provided by Square and Stripe.
Photo handling: All uploaded photos are stripped of EXIF metadata (including GPS coordinates) before storage.
While we implement strong security measures, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security of your data.
| Data Type | Retention Period |
|---|---|
| Active account data | Duration of subscription plus 30 days after cancellation |
| SMS consent records and audit logs | Five years (regulatory compliance) |
| Payment transaction references | Seven years (tax compliance), with PII stripped |
| Server logs | 90 days |
| Anonymized analytics | Indefinitely |
When a stylist deletes their account, we initiate a comprehensive deletion process that removes all personal data, client records, messages, photos, and platform content. Data that must be retained for legal or tax compliance is stripped of personally identifiable information.
If you are a California resident, you have the right to: (a) know what personal information we collect and how it is used; (b) request deletion of your personal information; (c) opt out of the sale or sharing of your personal information (we do not sell personal information); (d) not be discriminated against for exercising your privacy rights; and (e) request correction of inaccurate personal information.
Regardless of your location, you may: (a) access the personal information we hold about you; (b) request correction of inaccurate information; (c) request deletion of your account and associated data; (d) export your data in a machine-readable format (JSON); and (e) opt out of marketing communications at any time.
To exercise any of these rights, contact us at privacy@bloombk.com. We will respond to verifiable requests within 45 days.
The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we learn that we have collected personal information from a child under 16, we will take steps to delete that information promptly. If you believe a child under 16 has provided us with personal information, please contact us at privacy@bloombk.com.
The Service may contain links to third-party websites or services that are not operated by us. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party service you access through BloomBK.
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and, for active subscribers, by email notification at least 30 days before changes take effect. Your continued use of the Service after the effective date of a revised policy constitutes acceptance of the revised terms.
If you have questions about this Privacy Policy or our data practices, contact us at:
BloomBK, LLC
Email: privacy@bloombk.com
Website: bloombk.com