๐Ÿ”’ Privacy Policy

Plain language. No legalese. Here's exactly how Bloom handles your data.

๐Ÿ“ฑ Local-Only Mode (Maximum Privacy)

Bloom can run entirely in your browser with zero server contact. In local-only mode:

  • ๐Ÿ” AES-256-GCM encryption โ€” your data is encrypted with a passphrase before it's written to browser storage
  • ๐Ÿง  Zero-knowledge โ€” the server never sees, processes, or stores your data
  • โœˆ๏ธ Works offline โ€” after the first visit, the app works without any internet connection
  • ๐Ÿ“ฑ Installable โ€” add to your home screen as a native-feeling app (PWA)
  • โฑ๏ธ Auto-locks โ€” configurable inactivity timeout protects your data if you walk away
  • ๐Ÿ”‘ Passphrase stays on-device โ€” derived key never leaves your browser, ever
  • ๐Ÿ”„ Export anytime โ€” encrypted or plain JSON backups to move between devices
  • โŒ No signup needed โ€” no email, no name, no account

This is the most private way to use Bloom. Your data physically cannot leave your device unless you export it yourself.

โš ๏ธ Cloud Sync vs. Local-Only vs. Self-Hosted

Bloom offers three privacy levels. Pick what works for you:

  • ๐Ÿ“ฑ Local-only mode = maximum privacy. Zero server contact. Data encrypted in your browser. No account needed.
  • ๐Ÿ  Self-hosted server = full privacy. Data on your hardware, under your control. No one else can access it.
  • ๐ŸŒ Hosted cloud sync = convenient, but the server operator could technically access the database. You're trusting them.

You can switch between modes at any time by exporting your data (plain JSON) and importing it in the other mode.

Our recommendation: Use local-only mode unless you specifically need cross-device sync or partner features.

๐Ÿ“ How Your Data is Stored

Local-Only Mode (no account)

  • โœ… Data encrypted with AES-256-GCM using your passphrase โ€” stored only in your browser's localStorage
  • โœ… Key derived via PBKDF2-SHA256 with 210,000 iterations and a random salt
  • โœ… Server never receives, processes, or stores any of your data
  • โœ… Works completely offline after first page load
  • โœ… Auto-locks after inactivity to protect against physical access

Cloud Sync (account required)

  • โœ… Data stored in a single SQLite file โ€” not spread across services
  • โœ… No third-party databases, analytics platforms, or data brokers
  • โœ… Optional AES-256-GCM encryption at rest with a user-provided key
  • ๐Ÿ  Self-hosted: Your data stays on your own hardware โ€” nobody else can access it
  • ๐ŸŒ Hosted: Your data lives on the server operator's machine โ€” convenient, but you're trusting them with your data

๐Ÿšซ What Bloom Does NOT Do

  • โŒ No AI prediction โ€” Bloom uses transparent mathematical formulas, not opaque machine learning models
  • โŒ No cloud sync โ€” Your data is not synced to any external cloud service or third-party server
  • โŒ No data selling โ€” Your cycle data is yours alone. Period.
  • โŒ No ads โ€” ever
  • โŒ No analytics or tracking scripts โ€” no Google Analytics, no pixels, nothing
  • โŒ No social media integrations
  • โŒ No cookies for tracking โ€” only a session cookie for login
  • โŒ No upselling โ€” no premium features behind paywalls
  • โŒ No medical claims โ€” Bloom is an awareness tool, not a medical device. Always consult healthcare providers for medical decisions

๐Ÿ” Security

Local-Only Mode

  • ๐Ÿ”‘ AES-256-GCM encryption with PBKDF2-SHA256 key derivation (210,000 iterations)
  • ๐Ÿง‚ Unique random salt per vault โ€” prevents rainbow table attacks
  • โฑ๏ธ Auto-lock after configurable inactivity (2, 5, 10, or 30 minutes)
  • ๐Ÿ”„ Passphrase change re-encrypts all data immediately
  • ๐Ÿ“ค Encrypted backup export โ€” protected by a separate passphrase
  • ๐Ÿšซ Passphrase never stored, never transmitted โ€” only the derived key exists in memory while unlocked

Cloud Sync / Server

  • ๐Ÿ”‘ Passwords are hashed with bcrypt (industry standard)
  • ๐Ÿช Sessions use secure, HttpOnly cookies
  • ๐Ÿ›ก๏ธ Security headers protect against common web attacks (XSS, clickjacking, MIME sniffing)
  • ๐Ÿ”’ Camera, microphone, and geolocation access are blocked by default
  • ๐Ÿ—„๏ธ Optional database-at-rest encryption (AES-256-GCM with PBKDF2 key derivation)
  • ๐Ÿ” Encrypted backups use AES-256-GCM with a password you choose (never stored)

๐Ÿ“ง Email Notifications

If you choose to enable partner email notifications:

  • ๐Ÿ“ค Emails are sent through the server operator's configured email service โ€” no third-party marketing platforms
  • โš™๏ธ You control this feature entirely โ€” it's off by default
  • ๐Ÿ™… Email content is generated on the server, never stored externally
  • โš ๏ธ On a hosted instance, the server operator's email service will process the email content. Self-host for maximum privacy.

๐Ÿ“ฆ Your Rights

You have complete control over your data:

  • ๐Ÿ“ฅ Export anytime โ€” download all your data as CSV, JSON, or encrypted backup from Settings
  • ๐Ÿ”„ Switch modes โ€” move between local-only and cloud sync via export/import
  • ๐Ÿ—‘๏ธ Delete anytime โ€” permanently wipe your account and all associated data from Settings
  • ๐Ÿ‘ค Update anytime โ€” change your settings, pronouns, and preferences whenever you want
  • ๐Ÿšš Migrate anytime โ€” export your data and import it into your own self-hosted instance
  • ๐Ÿ“ฑ Go offline anytime โ€” switch to local-only mode and your data stays on your device

๐Ÿ’› Why This Matters

Period data is deeply personal. In a world where health apps have been caught selling data, sharing with advertisers, or handing records to authorities โ€” Bloom takes a different approach.

With local-only mode, your data is encrypted on your device and never touches a server. The passphrase stays in your head. There's nothing for anyone to subpoena, breach, or sell โ€” because the server never had it in the first place.

We built Bloom as open-source software so you don't have to trust us โ€” you can verify. The code is public. The math is documented. The encryption is standard (AES-256-GCM). And you can always run it yourself.

Your body, your data, your choice. Always.