1. Introduction
BloomHand ("we", "us", or "our") operates the bloomhand.com website and platform (the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use the Service.
We are committed to protecting your privacy in accordance with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation, including British Columbia's Personal Information Protection Act (PIPA). By using the Service, you consent to the collection and use of your information as described in this policy.
2. Accountability
We have designated a Privacy Officer who is responsible for our compliance with this policy and applicable privacy legislation. Our Privacy Officer can be reached at the contact information in Section 15. All staff with access to personal information are made aware of their privacy obligations.
3. Information We Collect
Information you provide directly
- Account information: Email address and display name when you create an account or sign in via magic link.
- Profile information: Emoji avatar, if you choose to set it.
- Community content: Post descriptions, announcements, and other content posted by organizers.
- Sign-up information: Your display name and optional note when you sign up for a need (e.g. "Greg — will bring chicken pot pie"). Your display name and note are visible to all community members. Your email address is visible only to the community owner.
- Communications: Any messages you send to us via email or support channels.
Information collected automatically
- Log data: IP address, browser type and version, operating system, referring URL, pages visited, date and time of access.
- Device information: Device type, screen resolution, and language preferences.
- Cookies and similar technologies: See Section 9 below.
Information we do NOT collect
- Passwords: BloomHand uses passwordless authentication exclusively. We never collect, store, or process passwords.
- Payment card details: Payment processing is handled entirely by Stripe. We do not store credit card numbers or banking information on our servers. See Section 8.
4. Consent
Under PIPEDA, we collect and use your personal information based on your consent. The form of consent may vary depending on the sensitivity of the information and your reasonable expectations:
- Express consent: When you create an account, provide your email address for authentication, or opt in to email notifications.
- Implied consent: When you voluntarily submit a display name and note to sign up for a need, you understand this information will be displayed on the community board. When you browse the Service, we collect log data necessary to operate and secure the platform.
You may withdraw your consent at any time, subject to legal or contractual restrictions and reasonable notice. Withdrawal of consent may affect your ability to use certain features of the Service. See Section 11 for how to exercise your rights.
In limited circumstances, we may collect, use, or disclose personal information without consent as permitted by PIPEDA — for example, when required by law, for fraud prevention, or in emergencies.
5. How We Use Your Information
We collect personal information only for the following identified purposes:
- Provide, operate, and maintain the Service.
- Send you magic-link authentication emails.
- Display your sign-up information on community boards (display name and note only — never your email).
- Send optional reminders and notifications related to your sign-ups, if you have opted in.
- Deliver announcement emails and weekly digest summaries sent by your community's organizers through the platform.
- Send waitlist notifications when a spot opens up for a need you are waiting for.
- Respond to your inquiries and provide support.
- Monitor and analyse usage trends to improve the Service.
- Detect, prevent, and address fraud, abuse, and security issues.
- Comply with legal obligations.
We will not use your personal information for purposes other than those identified above without first obtaining your consent.
6. Disclosure of Your Information
We do not sell, rent, or trade your personal information. We may share your information only in the following circumstances:
- Within a community board: Your display name and sign-up note are visible to other members of the same community. Your email address is not visible to other members or organizers. However, the community owner can see your email address for the purposes of identity verification and community management. When you join a community, you are informed of this.
- Community owner exports: Community owners with a Premium plan may export community data (such as member lists and activity reports) that includes your display name, role, and email address. Owners are responsible for how they handle exported data in accordance with applicable privacy laws. See our Terms of Service, Section 5.
- Service providers: We use third-party providers to help operate the Service (see Section 8). These providers access your information only to perform services on our behalf and are contractually required to protect your information and use it only for the purposes we specify.
- Legal requirements: We may disclose your information if required to do so by law, regulation, legal process, or enforceable governmental request.
- Safety and rights: We may disclose information to protect the rights, property, or safety of BloomHand, our users, or the public.
- Business transfer: If BloomHand is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you before your personal information becomes subject to a different privacy policy.
7. Cross-Border Data Transfers
Your personal information may be stored and processed in the United States or other countries where our service providers operate. When your data is transferred outside of Canada, it may be subject to the laws of those jurisdictions, which may differ from Canadian privacy law. Foreign governments, courts, or law enforcement agencies may be able to access your information under the laws of those jurisdictions.
We take reasonable steps to ensure that our service providers protect your information through contractual obligations that require a comparable level of protection to that provided under Canadian law.
8. Third-Party Services
We use the following third-party services that may process your personal information:
- Stripe (United States) — Payment processing for paid plans. Stripe collects payment information directly and is governed by its own privacy policy (stripe.com/privacy).
- Cloudflare Turnstile (United States) — Bot protection on community code entry. Processes device and interaction data to verify human users.
- Google Analytics (United States) — Web analytics to understand how visitors use the Service. Collects anonymized usage data. You may opt out using your browser settings or the Google Analytics opt-out add-on.
- Email delivery service — Sends magic-link authentication emails and optional notification emails on our behalf.
- Hosting and infrastructure providers — Servers and databases that store and process your data to operate the Service.
9. Cookies and Tracking Technologies
We use the following types of cookies:
- Essential cookies: Required for the Service to function (e.g. session management, CSRF protection, authentication state). These cannot be disabled without breaking core functionality.
- Analytics cookies: Used by Google Analytics to understand how visitors interact with the Service. These cookies collect anonymized usage data and do not identify you personally. You may opt out through your browser settings or browser extensions.
We do not use advertising cookies or tracking pixels. We do not sell data to advertisers or ad networks.
10. Data Retention
We retain your personal information only for as long as necessary to fulfil the purposes described in this policy, or as required by law. Specifically:
- Account data: Retained while your account is active. You may request deletion at any time.
- Sign-up records (claims): Retained while the associated community and post exist. Organizers may delete posts and communities.
- Log data: Retained for up to 90 days for security and troubleshooting purposes, then deleted or anonymized.
- Payment records: Retained as required by tax and financial reporting laws.
When a community is deleted, all associated boards, posts, claims, and member data for that community are permanently removed.
11. Your Rights Under Canadian Privacy Law
Under PIPEDA and applicable provincial legislation, you have the following rights regarding your personal information:
- Access: You may request a copy of the personal information we hold about you.
- Correction: You may request that we correct inaccurate or incomplete personal information. You can also update your display name and avatar directly in the Service.
- Deletion: You may request that we delete your personal information, subject to legal retention requirements.
- Data portability: You may request a copy of your data in a commonly used electronic format.
- Withdraw consent: You may withdraw your consent to the collection, use, or disclosure of your personal information at any time, subject to legal or contractual restrictions and reasonable notice. Withdrawal may affect your ability to use certain features of the Service.
- Challenge compliance: You have the right to challenge our compliance with these privacy practices and to file a complaint with the Office of the Privacy Commissioner of Canada (priv.gc.ca) if you believe your privacy rights have been violated.
To exercise any of these rights, contact us at the address in Section 15. We will respond to your request within 30 days, as required by PIPEDA. We will not charge a fee for responding to your request unless it is clearly unfounded or excessive.
12. Data Security
We implement reasonable technical and organizational safeguards to protect your personal information against unauthorized access, alteration, disclosure, or destruction, including:
- Encryption of data in transit using TLS/SSL.
- Encryption of data at rest for sensitive fields.
- Passwordless authentication, eliminating the risk of password breaches.
- Rate limiting and bot protection on sensitive endpoints.
- Access controls limiting employee access to personal information on a need-to-know basis.
- Regular security reviews and updates.
No method of transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.
13. Breach Notification
In the event of a breach of security safeguards involving your personal information that creates a real risk of significant harm to you, we will:
- Notify the Office of the Privacy Commissioner of Canada as required by PIPEDA.
- Notify you directly as soon as feasible, describing the nature of the breach, the information involved, and the steps we are taking.
- Notify any other organizations or government institutions that may be able to reduce the risk of harm.
We maintain records of all breaches of security safeguards, regardless of whether they meet the threshold for notification.
14. Children's Privacy
The Service is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us and we will take steps to delete that information promptly.
15. Contact Us
If you have questions or concerns about this Privacy Policy or our handling of your personal information, or if you wish to exercise any of your rights described above, please contact our Privacy Officer:
Email: privacy@bloomhand.com
If you are not satisfied with our response, you have the right to file a complaint with the Office of the Privacy Commissioner of Canada at priv.gc.ca or by calling 1-800-282-1376.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by posting the updated policy on this page and updating the "Last updated" date. We encourage you to review this policy periodically. Your continued use of the Service after changes are posted constitutes your acceptance of the revised policy.
This Privacy Policy should be read together with our Terms of Service.