Privacy Policy

Effective date: Aug 15, 2025

At Lotus Labs Inc., a federal Canadian company (together with its affiliates, “Lotus Labs,” “we,” or “us”), we take your privacy seriously. Please read this Privacy Policy to learn how we treat Health Data accessed in connection with the performance of the Services.

Your Consent

By using or accessing our products or services (collectively, “Services”) in any manner, you acknowledge that you accept the practices and policies outlined below, and you hereby consent that we will access, use, and share your information as described in this Privacy Policy.

BY MAKING YOUR HEALTH DATA AVAILABLE TO US, YOU AGREE TO OUR ACCESSING YOUR HEALTH DATA. IN DOING SO, YOU CONSENT TO OUR USE OF YOUR HEALTH DATA TO PROVIDE THE SERVICE IN ACCORDANCE WITH THIS PRIVACY POLICY.

For purposes of this Privacy Policy:

• The capitalized terms “You,” “User,” and “User Data” have the respective meanings attributed thereto in our Terms of Service relating to the provision of the Services set forth here: **, as such Terms of Service may be amended from time to time (the “Terms of Service”).

• “Personal Data” means your Health Data and any other information that identifies or relates to a particular individual and also includes information referred to as “personally identifiable information” or “personal information” under applicable law.

What Information We Use

Nutrition and Health Data

We will access and use Apple’s APIs to read and/or write certain health-related data (your “Health Data”) from applications running on your mobile device. Such information may include, among other things:

• (i) personal information including sex, date of birth, etc.

• (ii) exercise or workout routines or data relating thereto (including durations, distance, and outputs).

• (iii) heart rate and other health-related diagnostics or data.

• (iv) sleep data.

We may also collect and store photos of your food items/packaging in connection with your use of the Services.

We will use your Health Data solely to provide the Service and for the other permitted purposes contemplated by our Terms of Service. We will not use your Health Data for marketing or advertising purposes. Your Health Data will be accessed locally through Apple’s APIs (including Apple Health) and will not be stored or cached by the app. Your Health Data is processed locally and will not be sent to any server without your explicit consent.

This app cannot read from or write to Apple Health without your consent.

Anonymized Health Data Processing via OpenAI APIs

With your explicit opt-in consent, we may process a subset of your Health Data via OpenAI’s APIs to generate personalized responses and insights. This processing occurs under the following conditions:

Anonymization: The data shared with OpenAI is not linked to personally identifiable information (PII). It only includes age, sex, and height along with relevant health metrics.

Purpose: The data is used solely to generate personalized health-related responses via OpenAI’s GPT models. The data shared with OpenAI is not used to train OpenAI models.

No Storage: The data is not stored on our servers. It is sent to OpenAI’s API in real time, processed, and discarded after generating a response.

User Control: This feature is opt-in, and users have full control over what data is shared. You may enable or disable this functionality at any time in the app settings.

We ensure that OpenAI handles this data in compliance with their privacy policy and applicable regulations.

Location Data

We will use your Location Data to show you the route map of your workout and the weather at your location.

• We will not use your Location Data for marketing or advertising purposes.

• Your Location Data will be accessed locally through your device and will not be stored or cached by the App.

• Your Location Data is processed locally and will not be sent to any server other than as sent to OpenAI for the sole purpose of making answers to questions more relevant to you.

• This app cannot read your Location Data from your device without your consent.

Personal Data

We may also collect certain limited Personal Data directly from you, including your email, usernames, authorizations, and/or responses to text boxes through the Services or responses to surveys or questionnaires.

Our payment processing partner(s) may collect your voluntarily provided payment card information necessary to process your payment. Please see our payment processors’ terms of service and privacy policies for information on their respective use and storage of Personal Data.

Analytics Data

Use of BugSnag Crash Reporting

We use BugSnag crash reporting to collect anonymized crash data. More details can be found in BugSnag’s Data Processing Addendum.

Use of TelemetryDeck to analyze app usage

We use the privacy-friendly analytics service TelemetryDeck (provider: TelemetryDeck GmbH, Von-der-Tann-Str. 54, 86159 Augsburg, Germany) to analyze usage data. The use is based on Art. 6 para. 1 lit. b GDPR, as we require reliable and efficient tools for collecting app usage data in order to fulfill the contract with you, our customer.

What data is transferred?

The data processed by TelemetryDeck is completely anonymized and does not allow any conclusions to be drawn about personal information.

The following data is collected, among other things:

What is not stored?

The source code of the TelemetryDeck SDK is completely open source and available on GitHub: https://github.com/TelemetryDeck

Further information on the exact data processing by TelemetryDeck can be found at: https://telemetrydeck.com/privacy and at https://telemetrydeck.com/docs/guides/privacy-faq/

Our Use

We will only use your Personal Data for providing, customizing, and improving the Services. This may include our correspondence with you and our meeting our legal obligations under the Terms of Service. We will not use the Personal Data we collect for materially different, unrelated, or incompatible purposes.

We may disclose Personal Data to service providers (including hosting, analytics, technology, communication, security and fraud, support, customer service, and Services fulfillment partners) required to provide the Services.

Personal Data that we collect may be transferred to a third party if we undergo a merger, acquisition, bankruptcy, or other transaction in which that third party assumes control of our business (in whole or in part). Should one of these events occur, we will make reasonable efforts to notify you before your information becomes subject to different privacy and security policies and practices.

Security

We seek to protect Personal Data from unauthorized access, use, and disclosure using appropriate physical, technical, organizational, and administrative security measures based on the type of Personal Data and how we are processing that data. You should also help protect your data by appropriately selecting and protecting your password and/or other sign-on mechanism, limiting access to your computer or device and browser, and signing off after you have finished accessing your account. Although we work to protect the security of your account and other data that we hold in our records, please be aware that no method of transmitting data over the Internet or storing data is completely secure.

We retain Personal Data in accordance with the terms and conditions of the Terms of Service.

Transferring Your Personal Information

We are headquartered in Canada and may use service providers that operate in the US or in other countries outside the country in which you reside. Therefore, your personal information may be transferred to countries which may not provide for the same level of data protection as guaranteed under the applicable data protection laws of the country in which you reside. For all such transfers we ensure that these countries are either considered adequate according to the applicable data protection law (e.g., by way of an adequacy decision of the EU Commission) or that appropriate safeguards are in place such as standard contractual clauses. If you want to obtain a copy of these safeguards, you can contact us at hello@trybloom.app.

We may transfer personal information that we collect or that you provide as described in this policy to contractors, service providers, and other third parties we use to support our business and who are contractually obligated to keep personal information confidential, use it only for the purposes for which we disclose it to them, and to process the personal information with the same standards set out in this policy.

By submitting your personal information or accessing the Services, you consent to this transfer, storage, or processing.

Use of Subprocessors

We utilize the services of subprocessors in order to provide the Services to you. You can find a list of the subprocessors we use HERE. We have agreements with all of our subprocessors to ensure that your data is treated in an appropriate and compliant way. If you do not wish to have your data sent to our subprocessors, you may always discontinue your use of the Bloom App.

Artificial Intelligence (“AI”) Information:

  1. System and Technology Description
    1. The Bloom App analyzes personal health-related data to provide users with personalized insights and recommendations for user health and wellness.
    2. Machine learning algorithms provided by OpenAI process data provided through the user's Apple Watch or other sources to generate recommendations and predictions.
  2. Risk Assessment and Mitigation
    1. Based on definitions provided by applicable regulatory agencies, the Bloom App is characterized as “high-risk” due to potential impacts on health outcomes and the nature of the recommendations and predictions provided. 
    2. The Bloom App mitigates any AI risk through the use of robust data encryption, the collection of only the data required to provide the service, and strict data retention policies.
  3. Documentation and Transparency
    1. The Bloom App utilizes and maintains detailed logs, algorithm descriptions and decision-making processes.
    2. When using the Bloom App, Users are provided with clear guidance on what informs recommendations, data collection, etc.
  4. Quality Management
    1. The Bloom App uses an AI ethics committee to oversee its updates and operations and also leverages appropriate compliance frameworks to ensure quality. 
  5. AI Literacy and Training
    1. Staff participates in workshops and training for AI governance, ethics and risk management.
    2. Public Engagement: information and other materials are provided upon request to users to help them better understand recommendations and the basis therefor.

European Privacy Rights

When we process your personal data and such processing is subject to European Union (EU GDPR) or United Kingdom (UK GDPR, UK Data Protection Act 2018) data protection law, depending on the applicable law, you may have certain rights with respect to that data, namely:

To exercise any of these rights (if they are available to you under the applicable law), please contact us at hellos@trybloom.app. When another entity is the data controller (such as your employer when you use the Platform), we will refer your request to the third-party data controller and/or provide you with the information you need to contact the data controller directly.

You can also lodge a complaint with a competent data protection supervisory authority if you consider that the processing of your personal data infringes the applicable data protection law.

When you contact us about exercising any of the rights available to you under the applicable data protection law, we will ask you for information to verify your identity. In your request, please clearly identify the personal data that is the subject of your inquiry. We will comply with your request as soon as reasonably practicable and within any time frames prescribed by law.

State Law Privacy Rights

California Resident Rights

The California Consumer Privacy Act (CCPA) allows you to make certain requests about your personal information, including the right to:

• Request details on the categories of personal information we collect or disclose about you.

• Access and receive a copy of your personal information.

• Request deletion of certain personal information.

• Opt out of the sale of personal information (we do not sell personal information).

If you wish to exercise your rights, please contact us using the information below.

Nevada Resident Rights

If you are a resident of Nevada, you have the right to opt out of the sale of certain Personal Data. We do not sell Personal Data to third parties.

Contact Information

If you have any questions or comments about this Privacy Policy, the ways in which we access, collect, and use Personal Data, or your choices and rights regarding such access, collection, and use, please do not hesitate to contact us at:

Website: www.trybloom.app

Email: hello@trybloom.app

Changes to this Policy

If we decide to change our privacy policy, we will post those changes on this page. Summary of changes so far:

Jan 13, 2025: First published.

Mar 31, 2025: Added details about how user-approved health data is shared with OpenAI.

Aug 15, 2025: Added details for GDPR.