Privacy Policy

Privacy Policy

Controller (Art. 4(7) GDPR):
Julia Kalder, Bold Bloom
c/o Autorenglück #80461
Albert-Einstein-Str. 47, 02977 Hoyerswerda, Germany
Email: info@bold-bloom.com

1. Purposes, data categories, legal bases

We process personal data to provide the platform, ensure security, deliver support, and perform contracts. Legal bases are Art. 6(1)(b) GDPR (contract) and our legitimate interests under Art. 6(1)(f) GDPR (e.g., IT security, abuse prevention). Data categories include:

• Access data in server logs (IP address, timestamp, URL, user agent) for stability and security.
• Login activity logs (IP address, approximate GeoIP location, device details) for security monitoring.
• Registration and account data (name, email, roles, language preferences), authentication tokens, session identifiers.
• Usage and content data on the platform (team and client records, notes, mood and feedback responses, files, scheduling and calendar entries, status data).
• Communication and support data (requests, logs, email correspondence).
• Billing and payment data processed via Stripe (e.g., name, payment method, invoices).

GeoIP lookups are performed only after explicit consent (Art. 6(1)(a) GDPR) and use the ip-api.com service. Consent can be withdrawn anytime in settings; cached location data is cleared on revocation.

2. Recipients

Data is shared only where necessary for contract performance, security, or legal obligations. Processors are bound by Art. 28 GDPR agreements, including:

• EU-based hosting/infrastructure provider for servers, databases, and backups.
• Stripe Payments Europe Ltd. for billing (transfers to the USA rely on Standard Contractual Clauses).
• PayPal (Europe) S.à r.l. et Cie, S.C.A. as an alternative payment provider for the DE checkout (Standard Contractual Clauses).
• Email delivery provider (Postmark/Wildbit LLC or Amazon Web Services, Inc., depending on configuration, each under Standard Contractual Clauses) for system email.
• Google LLC for OAuth/calendar integrations (Standard Contractual Clauses).
• Slack Technologies LLC and Microsoft Corporation (Microsoft Teams) for optional outbound webhook notifications (Standard Contractual Clauses).
• Functional Software, Inc. (Sentry) for error tracking and Better Stack (Logtail) for log aggregation; PII is pseudonymised / scrubbed before transmission (Standard Contractual Clauses).
• AI providers for the optional AI Session Proposal feature (BYOK): OpenAI, L.L.C., Anthropic, PBC, and Google LLC (Gemini API) — each USA, Standard Contractual Clauses. The feature is only available to paying coaches with the ai-session-proposal plan entitlement; transmission of coaching-related content occurs only after explicit consent under Art. 9(2)(a) GDPR (coaching notes default to "drop" in the privacy-first wizard).
• ip-api.com (Kloudend Ltd., United Kingdom) for geolocation lookup from IP addresses for login sessions. This feature is activated only with explicit user consent. Data transmitted: IP addresses; Purpose: Display approximate location for security awareness (detection of unusual logins). Legal basis: Art. 6(1)(a) GDPR (consent). Privacy policy: https://ip-api.com/docs/legal. Consent can be withdrawn at any time in account settings; cached location data is deleted upon revocation.

Bold Bloom maintains a Record of Processing Activities (ROPA) under Art. 30 GDPR documenting all processing purposes, data categories, recipients, third-country transfers, and retention periods. The ROPA is reviewed at least annually and is available on request to the controller contact listed above.

Each processor named above is bound by a written contract under Art. 28(3) GDPR. The contractual evidence (vendor standard DPA URL, DPA acceptance date, DPA version, internal contract owner, and next review date) is recorded in an internal Sub-Processor DPA Register that is reviewed at least annually and made available on a justified request.

3. Third-country transfers

Transfers to third countries (notably the USA) occur only when required for the purposes above. We rely on EU Standard Contractual Clauses or comparable safeguards; evidence is available on request.

4. Storage periods

Data is deleted when no longer needed for the stated purposes and when no legal retention applies. For a detailed overview of our retention periods, please see our Data Retention Policy. Typical periods: application logs after 14 days; app activity logs after 30 days; login activity logs retained for 90 days; fraud signals after 90 days; mail delivery events after 90 days; session data after 30 days; audit logs after 365 days; account data and content within 30 days after cancellation unless retention duties apply; billing records retained up to 10 years under commercial and tax laws; support requests after 365 days; backups deleted after 7 days.

5. Cookies and local storage

We rely on essential cookies only (session, CSRF protection, language, consent storage). Optional analytics or tracking is loaded solely after you opt in via the cookie banner. Your choice is stored per locale and can be updated anytime in the banner or account settings.

6. Data subject rights

You have the right to request access (Article 15 GDPR), rectification (Article 16 GDPR), erasure (Article 17 GDPR), restriction of processing (Article 18 GDPR), data portability (Article 20 GDPR), and to object to processing based on legitimate interests (Article 21 GDPR). Consent, where given, can be withdrawn at any time with effect for the future.

Formal GDPR requests: To formally exercise your rights, you can submit a request through our GDPR request form. We will respond to your request within 30 days as required by Article 12(3) GDPR. If you already have an account, you can track your requests in your account settings.

If you need to rectify data you cannot edit directly (for example session notes, historical feedback, audit logs, or billing records), submit a rectification request with the current and desired values. We review the request and document the decision.

If you want to restrict processing, you can submit an Article 18 GDPR restriction request. While restricted, we keep data stored but limit processing to necessary purposes. You can also request lifting the restriction once the dispute is resolved.

You may lodge a complaint with any competent supervisory authority.

7. Security

We protect data using TLS encryption, encryption at rest, role-based access, logging, hardened systems, backup and restore processes, and need-to-know access restrictions.

8. Special categories of personal data (Article 9 GDPR)

Coaching sessions may involve processing sensitive data, including session notes, mood tracking, and wellness feedback that may contain information about mental or physical health. The processing of these special categories of personal data is based on your explicit consent under Article 9(2)(a) GDPR, which you provide during registration.

This data is used exclusively for coaching purposes and is protected by additional technical measures (application-layer field-level encryption for Art. 9 GDPR data, role-based access controls, per-coach data isolation). You may withdraw your consent at any time with effect for the future by requesting deletion of your account.

This processing has been subjected to a Data Protection Impact Assessment (DPIA) under Article 35 GDPR. The DPIA documents the legal basis, risk and mitigation assessment, and the review schedule; it is made available on request to the controller contact listed above.

9. Controller responsibilities and updates

For business customers we provide a Data Processing Agreement. We update this notice when technical or legal changes require it. Last updated: 2026-05-20.

For privacy inquiries please contact info@bold-bloom.com.