← Back to home

Privacy Policy

Last updated: 19 May 2026

Who we are

BloomHealth is a personal health-tracking app operated by an individual developer based in the United Kingdom (the "data controller" under UK GDPR). This Privacy Policy explains what data we collect, how we use it, who we share it with, and the rights you have. Contact us at support@getbloomhealth.com.

What we collect

We collect:

  • Account data — name, email, and authentication identifiers, handled by Clerk (see Sub-processors below).
  • Profile and goal data — date of birth, sex, height, weight, dietary preference, activity level, health goals, and weekly targets you set during onboarding or update later in settings.
  • Health and food logs — meals, weights, sleep, symptoms, mood, and notes you enter manually or import.
  • Meal photos — images you snap or upload so the app can estimate the calories and macros of what you ate.
  • Wearable data — steps, heart rate, sleep stages, and similar metrics you choose to sync from Apple HealthKit, Google Health Connect, or a connected wearable via Terra.
  • Lab reports — PDF uploads and the values our system extracts from them.
  • AI chat conversations — your messages to the in-app AI coach and the responses it generates.
  • Subscription and purchase data — receipt identifiers and entitlement state, handled by RevenueCat and the Apple App Store / Google Play.
  • Diagnostic and usage data — crash reports, performance metrics, and anonymised product analytics so we can spot bugs and improve the app.

How we use it

We use your data to:

  • Compute personalised daily targets (calories, macros) and power your dashboard and insights.
  • Send meal photos to our AI provider for food identification and calorie estimation. Photos are transmitted over an encrypted connection and are not used by the AI provider to train their foundation models.
  • Generate AI chat responses based on your data. Chat content is transmitted to our AI provider for inference only and is not used to train third-party models.
  • Operate your subscription and access entitlements.
  • Improve recognition accuracy and product quality using aggregated, de-identified statistics. We do not sell your personal data.
  • Communicate with you about your account, support requests, or important service changes.

Meal photos and AI processing

When you snap or upload a meal photo, the image is sent to our AI provider (currently Google Vertex AI) for food identification and calorie estimation. The result (estimated calories, macros, and a description) is saved to your meal log so you can review and edit it. Photos are stored in encrypted object storage tied to your account and are deleted when you delete the corresponding meal log or your account. Photos are not sold, shared with advertisers, or used to train third-party models.

Apple HealthKit and Health Connect

If you choose to sync health data, BloomHealth reads metrics from Apple HealthKit (on iOS) or Google Health Connect (on Android) — for example steps, heart rate, sleep stages, weight, and workouts. Per Apple's App Review and HealthKit guidelines:

  • We only read the metrics you explicitly grant permission for, and only the categories you toggle on in iOS Settings → Privacy & Security → Health.
  • HealthKit data is used only to provide and improve the service for you (e.g. show your steps in the dashboard, factor activity into calorie targets).
  • We never use HealthKit data for advertising or marketing, and we never sell or share it with data brokers.
  • You can revoke permissions at any time in iOS Settings; doing so stops new data flowing into BloomHealth but does not delete data already imported. Use in-app account deletion to remove everything.

Sub-processors and third-party services

We rely on the following service providers to operate BloomHealth. Each handles only the data needed for their function and is bound by their own privacy commitments.

  • Clerk — authentication, account management.
  • Google Vertex AI— AI inference for meal photo analysis and chat coaching. Content is transmitted for inference only and is not used to train Google's foundation models.
  • Amazon Web Services (S3, RDS) — encrypted object storage for meal photos and lab reports, and the primary PostgreSQL database.
  • Terra — wearable-device integration (Garmin, Fitbit, Whoop, Oura, and similar) when you choose to connect.
  • RevenueCat — subscription entitlement management.
  • Apple App Store / Google Play — payment processing. We never see or store your payment card details.
  • PostHog — anonymised product analytics and feature-flag delivery.
  • Sentry — crash and error reporting.
  • Vercel — hosting for the marketing website and the API.

Storage and security

Data is encrypted in transit (TLS) and at rest. Account passwords are never stored by us — Clerk handles authentication. We restrict access to production data to the minimum needed to operate the service, and we monitor for unusual activity. No system is perfectly secure, but we apply industry-standard controls and respond promptly to issues.

Data retention

We keep your personal data for as long as your account is active. Specifically:

  • Profile, health logs, meal photos, and lab reports are kept until you delete them or close your account.
  • AI chat conversations are kept so you can refer back to them; you can clear individual conversations from settings.
  • Diagnostic and usage data is retained for up to 12 months for debugging and security analysis.
  • On account deletion, all personal data is permanently deleted within 30 days, except where we are required by law to retain specific records (for example tax records relating to your subscription, kept by Apple or Google as the merchant of record).

Your privacy rights

Wherever you are, you can export your data and delete your account from in-app settings. If you are in the UK, EU, or European Economic Area, you also have the following rights under UK GDPR and the EU GDPR:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure — ask us to delete your data.
  • Portability — receive your data in a machine-readable format.
  • Restriction and objection — restrict or object to certain processing.
  • Withdraw consent — withdraw any consent you previously gave (for example, to wearable sync).
  • Lodge a complaint— with the UK Information Commissioner's Office (ico.org.uk) or your local supervisory authority.

If you are a California resident, you have similar rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information is collected, the right to delete it, and the right to opt out of any sale or sharing of personal information for cross-context behavioural advertising — which we don't do. To exercise any right, use in-app settings or email support@getbloomhealth.com.

Children's privacy

BloomHealth is not intended for, or directed at, children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal data, please contact us at support@getbloomhealth.com and we'll delete it promptly.

International data transfers

Some of our sub-processors are based outside the UK and EEA (notably in the United States). Where personal data is transferred outside the UK or EEA, we rely on appropriate safeguards — typically the UK International Data Transfer Addendum or the EU Standard Contractual Clauses — to protect it.

Not medical advice

BloomHealth is not a medical device and does not provide medical advice, diagnosis, or treatment. The AI summaries and calorie estimates in the app are informational only. Always consult a qualified healthcare professional for medical decisions.

Changes to this policy

We may update this Privacy Policy from time to time. When we do, we'll bump the "Last updated" date at the top of the page. If the changes are material we'll also notify you in the app or by email.

Contact

Questions, requests, or complaints? Email support@getbloomhealth.com.