Privacy Policy

Privacy Policy

Effective date: Dec 9, 2025

At Lotus Labs Inc., a federal Canadian company (together with its affiliates, “Lotus Labs,” “we,” or “us”), we take your privacy seriously. Please read this Privacy Policy to learn how we treat personal information accessed in connection with the performance of the Services.

Summary: This policy explains what we do with the information about you that you give us or that we learn about you when you do business with us or have an interaction with you. It explains why we need certain kinds of information and goes into detail about how we may share with other companies and what protections are in place. It explains the rights that you may have to review and request changes to your information and how to get in touch with us.

Your Consent

Summary: This section discusses how you give your permission for us to collect, use and disclose your Personal Data (which is defined a few paragraphs below) . Sometimes that is through using our Services and sometimes that is by explicitly agreeing to particular terms when we ask for specific kinds of Personal Data. It explains that you don’t have to give us any Personal Data and that you can change your mind at any time. We might not be able to provide certain features or the use of some or all of our Services without the ability to use or disclose relevant Personal Data. 

‍

This policy applies to your use of our products or services (collectively, “Services”),and by using or accessing our Services you are granting consent for us to collect, use, disclose, store and retain your information as described in this Privacy Policy to the extent allowable under applicable law. For certain collections, uses and disclosures of sensitive personal information (as described below), we will seek your additional express consent at the time of collection of such sensitive information. 

You may withdraw your consent to our use or disclosure of any personal information at any time but such withdrawal may preclude us from being able to provide any Services or deliver any functionality that require the applicable personal information 

‍

For purposes of this Privacy Policy:

‍

• “Personal Data” means information about an identifiable individual and any other information that identifies or relates to a particular individual and also includes information referred to as “personally identifiable information” or “personal information” under applicable law.

What Information We Collect, Use and Disclose and Why We Do It

Summary:  This section describes the kinds of Personal Data that you might be asked to provide or that we might otherwise learn about you. It explains how we get this Personal Data, why we might need it, what we use it for and who else we give it to and why.  

Unless otherwise indicated, we collect Personal Data directly from you.  With your express consent at the time of collection, we will access and use Apple’s APIs to read and/or write certain Personal Data from applications running on your mobile device. These applications will have previously collected your Personal Data and we are collecting it from them in these circumstances.

Depending upon the features that you enable, this Personal Data may include::

• (i) biographic  information including name, contact information such as address or e-mail address, gender, and date of birth. We collect this information for the purposes of identifying you, ensuring that you are the age of majority in your jurisdiction and to suggest appropriate features to  you 

• (ii) responses to text boxes through the Services or responses to surveys or questionnaires. This is for the purpose of improving the Services generally and to more specifically tailor them to you.

 (iii) exercise or workout routines or data relating thereto (including durations, distance, and outputs). This is to provide suggestions to you and to enable you to keep track of your exercise goals and routines.

• (iv) biological function data for you to keep track of it and for us to be able to make suggestions to you about your activity. A detailed list of all such data is available upon request from our Privacy Officer

We may also collect and store photos of your food items/packaging in connection with your use of the Services. This information will be collected directly from you. This is to provide diet suggestions to you.

. We will not use or disclose your Personal Data for marketing or advertising purposes. Your Personal Data will be accessed locally through Apple’s APIs (including Apple Health) and will not be stored or cached by the app. Your Personal Data is processed locally and will not be sent to any server without your explicit consent. 

This app cannot read from or write to Apple Health without your express consent, which will be sought at the time of collection

Use and Disclosure

We use and disclose your Personal Data for providing, customizing, and improving the Services and other uses as permitted or required by applicable law . This may include our correspondence with you and our meeting our legal obligations.  

We may also use and disclose Personal Data:

• To communicate with You in accordance with applicable laws
• To provide Service to You, and to  create, update and manage Your account
• To verify Your identity
• To provide recommendations
• To respond to Your inquiries and comments
• To prevent fraud and abuse of the Service
• To protect other users of the Service, and Our business, against security breaches
• To understand Our user base and effectiveness of the Service
• To administer, operate and improve the Service and for internal business purposes
• To compile aggregated data, perform statistical analyses and otherwise analyse Our business for internal and external business purposes
• To compile aggregated data, including personal information about You in some cases, to create market research reports and data sets as part of Our suite of products that We create for external business purposes
• To comply with legal and governmental requirements
• To process job applications
• To fulfill any other purpose for which you provide it, or for which you provide express consent

‍

We may disclose Personal Data to service providers (including hosting, analytics, technology, communication, security and fraud, support, customer service, and Services fulfillment partners) required to provide the Services. 

We may disclose Personal Data to Apple and other third parties as necessary to accomplish the purposes set out herein. 

Personal Data that we collect may be transferred to a third party if we undergo a merger, acquisition, bankruptcy, or other transaction in which that third party assumes control of our business (in whole or in part). Should one of these events occur, we will make reasonable efforts to notify you before your information becomes subject to different privacy and security policies and practices and in any case, within any timeframe required for such notice under applicable law. 

‍

Anonymized PersonalData Processing via OpenAI APIs

Summary:  This section discusses what happens if you grant permission to use AI to process your Personal Data in order to generate personalized content for you. It describes some of the protections that we use to keep your Personal Data safe. 

With your explicit opt-in consent, we may process a subset of your Personal Data via OpenAI’s APIs to generate personalized responses and insights. This processing occurs under the following conditions and in accordance with OpenAI’s privacy practices available here.

• Anonymization: The data shared with OpenAI is  hashed and anonymized by various technical means in order to prevent it from being associated with an individual .

• Purpose: The data is used by us solely to generate personalized health-related responses via OpenAI’s GPT models.  

• No Storage: The data is not stored on our servers. It is sent to OpenAI’s API in real time, processed, and discarded after generating a response.

• User Control: This feature is opt-in, and users have control over what data is shared. You may enable or disable this functionality at any time in the app settings and it is disabled by default.

‍

Location Information

Summary: This section describes how we use information that shows where you are. 

We will use your location information to show you the route map of your workout and the weather at your location.

• We will not use your location information for marketing or advertising purposes.

• Your location information will be accessed locally on your device  and will not be stored or cached by the App.

• Your location information is processed locally on your device and will not be sent to any server other than as sent to OpenAI for the sole purpose of making answers to questions more relevant to you..

• This app cannot read your location information from your device without your consent, which will be sought through an express opt-in mechanism in the app. 

.

Summary: The following sections describe how we use specific kinds of data – your payment card information, crash reports and data analytics. They explain what is collected and processed and what tools we won’t use in connection with this data. 

Payment Data

Our payment processing partner(s) may collect your voluntarily provided payment card information necessary to process your payment. Please see our payment processors’ terms of service and privacy policies for information on their respective use and storage of Personal Data. For a list of these processors, please see here. We do not access or store this information and we use it to obtain payment for the Services that you request.

Analytics Data

Use of BugSnag Crash Reporting 

To collect anonymized crash data. More details can be found in BugSnag’s Data Processing Addendum.

Use of TelemetryDeck to analyze app usage

We useTelemetryDeck (provider: TelemetryDeck GmbH, Von-der-Tann-Str. 54, 86159 Augsburg, Germany) to analyze usage data. The use is based on Art. 6 para. 1 lit. b GDPR, as we require reliable and efficient tools for collecting app usage data in order to fulfill the contract with you, our customer.

Summary:  This section describes some of the security measures that we use and recommendations for steps for you to take to improve the security of your Personal Data  

Security

We seek to protect Personal Data from unauthorized access, use, and disclosure using appropriate physical, technical, organizational, and administrative security measures based on the type of Personal Data and how we are processing that data. You should also help protect your data by appropriately selecting and protecting your password and/or other sign-on mechanism, limiting access to your computer or device and browser, and signing off after you have finished accessing your account. Although we work to protect the security of your account and other data that we hold in our records, please be aware that no method of transmitting data over the Internet or storing data is completely secure.

We retain Personal Data in accordance with applicable law..

Summary: This section describes how your Personal Data may be transferred between countries and how you can learn more about safeguards in place. As of the date of the last update, any of your Personal Data may be transferred to the United States and some may be transferred to Germany. It reminds you that by disclosing Personal Data to us or using our Services, you consent to these transfers.  

‍

Transferring Your Personal Information

We are headquartered in Canada and may use service providers that operate in the US, Germany or in other countries outside the country in which you reside. Therefore, your Personal Data may be transferred to countries which may not provide for the same level of data protection as guaranteed under the applicable data protection laws of the country in which you reside. For all such transfers we ensure that these countries are either considered adequate according to the applicable data protection law (e.g., by way of an adequacy decision of the EU commission) or that appropriate safeguards are in place such as standard contractual clauses. If you want to obtain a copy of these safeguards and/or the jurisdictions or purposes for which your personal information has been disclosed, you can contact us at hello@trybloom.app.

What data is transferred to Germany? 

The following data is collected and disclosed to TelemetryDeck in  Germany, among other non-Personal Data: 

• an anonymized, user ID (per app installation), 

• actions defined by the app publisher (e.g., "app launched," "settings opened"), 

• a rounded timestamp (to the nearest hour), 

• device metadata (e.g., system version, app version, device type), 

• additional metadata defined by the app publisher (e.g., "number of items in the database"). 

‍

What is not stored? 

• No IP addresses (not in logs, not in the database), 

• No cookies or tracking technologies, 

• no persistent identifiers that could be traced back to individuals. 

The source code of the TelemetryDeck SDK is open source and available on GitHub: https://github.com/TelemetryDeck 

Further information on the exact data processing by TelemetryDeck can be found at: https://telemetrydeck.com/privacy and at https://telemetrydeck.com/docs/guides/privacy-faq/ 

‍

We may transfer Personal Data that we collect or that you provide as described in this policy to contractors, service providers, and other third parties we use to support our business and who are contractually obligated to keep Personal Data confidential, use it only for the purposes for which we disclose it to them, and to process the Personal Data with the same standards set out in this policy.

By submitting your Personal Data or accessing the Services, you consent to this transfer, storage, or processing.

Summary:  This section describes how we use subprocessors of your Personal Data and how to get a list of who they are. 

Use of Subprocessors

We utilize the services of subprocessors in order to provide the Services to you. You can find a list of the subprocessors we use HERE.  We have agreements with all of our subprocessors to ensure that your data is treated in an appropriate and compliant way.  If you do not wish to have your data sent to our subprocessors, you may always discontinue your use of the Bloom App. 

Summary:  This section describes the rights that you may have to get a copy of the Personal Data that we have about you and to correct it if it is wrong or incomplete. It also describes how you can exercise those rights. 

Access and Correction Rights 

In certain jurisdictions, you have the right to access a record of your own Personal Data in our care, custody or control, including the purposes for which we are using or disclosing such Personal Data and to request any corrections to incorrect Personal Data. In order to exercise this right , contact our Privacy Officer at hello@trybloom.app

Summary:  This section describes our use of artificial intelligence and some of the mitigations that we put in place against risk.

Artificial Intelligence (“AI”) Information:

1. System and Technology Description
   
   1. The Bloom App analyzes personal health-related data to provide users with personalized insights and recommendations for user health and wellness.
   2. Machine learning algorithms provided by OpenAI process data provided through the user's Apple Watch or other sources to generate recommendations and predictions.
2. Risk Assessment and Mitigation
   
   1. Based on definitions provided by applicable regulatory agencies, the Bloom App is characterized as “high-risk” due to potential impacts on health outcomes and the nature of the recommendations and predictions provided. 
   2. The Bloom App mitigates any AI risk through the use of robust data encryption, collecting only that data required to provide the service and strict data retention policies.
3. Documentation and Transparency
   
   1. The Bloom App utilizes and maintains detailed logs, algorithm descriptions and decision-making processes.
   2. When using the Bloom App,  Users are provided with clear guidance on what informs recommendations, data collection, etc.
4. Quality Management
   
   1. The Bloom App uses an AI ethics committee to oversee its updates and operations and also leverages appropriate compliance frameworks to ensure quality. 
5. AI Literacy and Training
   
   1. Staff participates in workshops and training for AI governance, ethics and risk management
   2. Public Engagement:  information and other materials provided upon request to users to better understand recommendations and basis therefore

Summary:  This section describes particular rights that may apply to you if you are subject to the privacy laws of the UK or the European Union. 

European Privacy Rights

When we process your personal data and such processing is subject to European Union (EU GDPR) or United Kingdom (UK GDPR, UK Data Protection Act 2018) data protection law, depending on the applicable law, you may have certain rights with respect to that data, namely:

• Right of Access. You have the right to request confirmation as to whether or not we process your personal data. If so, you also have the right to request access to the personal and further information as specified under the applicable data protection law.
• Right to Rectification. You have the right to request that we correct inaccurate or incomplete personal data that we store about you.
• Right to Erasure. Under certain conditions, you have the right to request that we erase the personal data we may hold about you.
• Right to Data Portability. Under certain conditions, you have the right to receive the personal data, which you have provided us in a structured, commonly used, and machine-readable format and to transfer those data to another controller.
• Right to Withdraw Your Consent. If the processing of personal data is based on your consent, you can withdraw consent at any time. The withdrawal of your consent does not affect the legitimacy of the processing that occurred based on your consent until the withdrawal.
• Right to Object. Under certain conditions, you have the right to object to the processing of your personal data, in case the processing is based on legitimate interests or in case your personal data are processed for direct marketing purposes.
• Right to Restriction of Processing. Under certain conditions, you have the right to request the restriction of the processing of your personal data.

How to Contact Bloom and Exercise Your Rights 

‍

Summary: This section describes how to contact Bloom and how you may exercise your applicable rights under local privacy laws. 

‍

To exercise any of these rights (if they are available to you under the applicable law), please contact us at hello@trybloom.app. When another entity is the data controller (such as your employer when you use the Platform), we will refer your request to the third-party data controller and/or provide you with the information you need to contact the data controller directly.

You can also lodge a complaint with a competent data protection supervisory authority if you consider that the processing of your personal data infringes the applicable data protection law.

When you contact us about exercising any of the rights available to you under the applicable data protection law, we will ask you for information to verify your identity. In your request, please clearly identify the personal data that is the subject of your inquiry. We will comply with your request as soon as reasonably practicable and within any time frames prescribed by law.

Summary:  This section describes the rights that may apply to you if you are subject to the state laws of California or Nevada. 

State Law Privacy Rights

California Resident Rights

The California Consumer Privacy Act (CCPA) allows you to make certain requests about your personal information, including the right to:

• Request details on the categories of personal information we collect or disclose about you.

• Access and receive a copy of your personal information.

• Request deletion of certain personal information.

• Opt out of the sale of personal information (we do not sell personal information).

If you wish to exercise your rights, please contact us using the information below.

Nevada Resident Rights

If you are a resident of Nevada, you have the right to opt out of the sale of certain Personal Data. We do not sell Personal Data to third parties.

Summary:  This section reminds you how to get in touch with us for more information and to exercise your rights. 

Contact Information

If you have any questions or comments about this Privacy Policy, the ways in which we access, collect, and use Personal Data, or your choices and rights regarding such access, collection, and use, please do not hesitate to contact our Privacy Officer at:

Website: www.trybloom.app
Email: hello@trybloom.app

Changes to this Policy

‍

If we decide to change our privacy policy, we will post those changes on this page. Summary of changes so far:

‍

Jan 13, 2025: First published.

Mar 31, 2025: Added details about how user approved health data is shared with OpenAI.

Aug 15, 2025: Added details for GDPR.

Dec 9, 2025: Last reviewed.

‍