Privacy · May 25, 2026
Privacy notice.
This notice explains what Bloomsee Studio LLC (“Bloomsee”, “we”, “our”) collects when you use bloomsee.app or the Bloomsee Studio service (together, the “Service”), what we do with it, and the rights you have. It is written for users in the United States and Canada, the only regions in which we offer the Service. Quebec residents are not eligible; the EU, UK, and elsewhere are not in scope.
Plain-English summary. You upload one reference photo. We use it — and only it — to generate the styled photos you ask for. We store it encrypted, we do not sell it, we do not train AI models on it, and we delete it when you tell us to from your account page. Stripe handles your payment card; we never see it. We send transactional emails through Resend and route image generation through third-party AI providers (Sosana and fal.ai). Full detail follows.
1. Information we collect
Account & subscription. Email address (you give it to Stripe at Checkout; Stripe sends it to us). Stripe customer and subscription identifiers. Subscription tier, status, period start and end, trial start and end, and cancellation timestamp. Whether you have affirmed you are 18 or older (timestamp only). Whether you have viewed your history (timestamp only).
Reference photograph and biometric identifiers. The single photograph you upload at onboarding and any photograph you upload to replace it. We derive a reusable studio profile (the “Studio Profile”) from that photograph. Under Illinois law (740 ILCS 14, the Biometric Information Privacy Act, “BIPA”) and the California Consumer Privacy Act as amended by the CPRA, the photograph and the derived profile are “biometric identifiers” and “sensitive personal information.” We treat them accordingly. See sections 4 and 5.
Generated outputs. The styled photographs the Service produces in response to your requests. These are stored under your account so you can re-download them from your history.
Generation metadata. Style slug, model identifier, vendor identifier, request and completion timestamps, frame-level success or failure status, gender selected at onboarding (used only to filter the style catalog), and the snapshot of the BIPA consent text version and hash you affirmed.
Payment metadata. Last four digits of your card, card brand, expiry, the country your card was issued in, and transaction status — all delivered by Stripe through webhook. Where Stripe also collects a billing address at Checkout, we receive the city, postal code, state, and country attached to your card. We never receive or store your full card number, CVC, or PIN.
Consent record. At the moment you submit the BIPA consent form at /onboarding/avatar, we additionally record the IP address and browser user-agent of the submission, solely as evidence that you gave the consent, as a defense to any later challenge under 740 ILCS 14/15(b).
Session, attribution, and product telemetry. An HMAC-signed session cookie carrying a per-account identifier, a per-session identifier, a CSRF token, and (write-once) the UTM parameters and landing timestamp from your first visit. Server-side product events such as which page you viewed, when you started a generation, when an allowance event occurred — stored without your IP address. We do not currently run Meta Pixel, TikTok Pixel, Google Analytics, or any third-party advertising tag; if we add one in the future we will notify you in advance and update this notice.
Operational logs. Web server logs (request method, path, response status, timing) retained by Fly.io for a rolling window. Error reports forwarded to Sentry with personally identifying fields scrubbed (cookies, authorization headers, request bodies, and S3 object-key fragments are removed or hashed before transmission).
2. Why we collect it (purposes)
We use your information solely to provide and operate the Service, specifically to: deliver the photographs you request; sustain your subscription, billing, and allowance; send transactional email (sign-in links, late-delivery notifications, deletion confirmations); enforce the Acceptable Use rules in our Terms of Service; debug, secure, and improve the Service; comply with our legal obligations (tax, audit, fraud prevention); and respond to lawful requests from regulators or courts. We do not use your reference photograph, your Studio Profile, or your generated outputs for any purpose other than serving your account.
3. We do not sell, share, or train AI on your data; safety checks excepted
No sale, no share, no cross-context advertising. We do not sell or share personal information as those terms are defined by California Civil Code § 1798.140. Because we do not sell or share, a Global Privacy Control signal in your browser is, in effect, already the state we operate in — no third-party transfer to ad networks occurs and no “Do Not Sell or Share My Personal Information” link is required. You may write to support@bloomsee.app to confirm your status.
No model training on your data. Bloomsee does not train, fine-tune, or otherwise improve any AI model on your reference photograph, your Studio Profile, or your generated outputs. Our service arrangements with Sosana and fal.ai engage them only to return the photographs you request; we do not authorize them to use your inputs to train any model. If we learn of any vendor-side training use we will notify you and may terminate the vendor relationship. If we ever decide to authorize training, we will notify you in advance and require new consent before processing further inputs under the new arrangement.
Safety checks on generated outputs. We may run safety checks on each generated output to enforce our Acceptable Use rules — for example, a face-presence check, an adult-content detector, and a similarity comparison to your Studio Profile. These checks do not train, fine-tune, or update any model. Each check produces only a pass/fail decision per image (plus a short reason code if it fails), retained only as long as needed to document any resulting enforcement action against the account.
4. Illinois BIPA disclosures
Notice in writing. Before we collect, capture, or store any biometric identifier from you, we present a written notice at /onboarding/avatar that (a) states we are collecting and storing biometric identifiers and biometric information; (b) identifies the specific purpose (creation and ongoing use of your Studio Profile to generate photographs you request); and (c) states the length of the term for which the information will be collected, stored, and used. The text of that notice is versioned; the cryptographic hash of the version you affirmed is stored against your account so that the exact text you saw can be reproduced.
Written release. By submitting the onboarding form with the consent box checked, you provide a written release under 740 ILCS 14/15(b)(3). Electronic signatures are valid written releases under Illinois and federal law (E-SIGN Act, 15 U.S.C. § 7001).
Retention schedule. Biometric identifiers (your reference photograph and the Studio Profile we derive from it) are retained while you have an active Bloomsee subscription, throughout the 60-day reactivation window that begins on the day a subscription is canceled, and — absent a user-initiated deletion request — in no event longer than three years after your last interaction with the Service, consistent with the statutory ceiling at 740 ILCS 14/15(a). When you replace your Studio Profile from your account, the prior reference photograph is queued for permanent deletion within 30 days.
How deletion works. When you initiate account deletion from /account, deletion enters a 24-hour grace period during which you can cancel the request from the same page. After the grace period closes, deletion is irrevocable; we then permanently destroy your reference photograph and any derived biometric data from S3, typically completing within a further 24 hours.
Destruction guarantee. Permanent deletion of your biometric identifiers means object deletion of your reference photograph from S3, and removal of any derived Studio Profile from our database. Our cleanup worker retries up to three times on failure; if all retries fail, the failure is paged to a human operator who completes the deletion manually. We do not retain a copy in “cold storage,” backup vault, or archive after deletion is complete. Our error-monitoring system (Sentry) may, for up to 90 days after deletion, retain references to the deleted object’s storage path with the identifying portion hashed; these references contain no image bytes and roll out of Sentry on a fixed 90-day window.
Generated photographs. The styled photographs the Service produced for you are stored alongside your account so you can re-download them from your history. You may have them deleted at any time by emailing support@bloomsee.app from your account email; we will remove them from S3 and from your history within 30 days. Generated outputs are stored in a separate S3 bucket with its own AWS KMS customer-managed key, on the same encryption and access-logging posture as your reference photograph.
Application to other states. The commitments in this section — written notice, written release, retention schedule, encryption, and destruction guarantee — are written to the Illinois standard, which is the most exacting biometric-privacy regime currently in force. We apply the same operational protections to residents of Texas (Tex. Bus. & Com. Code § 503.001 / CUBI), Washington (RCW 19.375 / WBIPA), New York (N.Y. Gen. Bus. Law § 899-aa, biometric-record component), and to any other state whose biometric-privacy law would otherwise apply.
No disclosure or dissemination. We do not sell, lease, trade, or otherwise profit from your biometric identifiers. We do not disclose them to any third party except (i) Sosana and fal.ai for the strictly limited purpose of generating a photograph you have requested, (ii) AWS as our encrypted-at-rest storage provider, or (iii) if compelled by valid legal process directed at us.
5. California (CCPA / CPRA) disclosures
Categories of personal information collected, by CPRA category. Identifiers (email, account identifier, IP address in transit). Customer records (subscription metadata). Commercial information (subscription tier, purchase history). Internet or other electronic network activity (referrer, UTM, session events). Geolocation (coarse, derived from IP at request time; not stored). Visual information (your reference photograph and generated outputs). Sensitive personal information under Cal. Civ. Code § 1798.140(ae): biometric information processed to uniquely identify you. We do not collect government IDs, financial-account numbers, precise geolocation, health, racial or ethnic origin, religion, union membership, mail or message contents, or genetic data.
Sources. Directly from you; from Stripe at checkout; from your browser at request time.
Purposes for sensitive personal information. We use sensitive personal information only for the purposes authorized by Cal. Civ. Code § 1798.121(a) (providing the service you requested, security, debugging). We do not use it to infer characteristics about you. California law allows us to use sensitive personal information without offering a “Limit the Use” link when that information is necessary to provide the service you asked for (11 Cal. Code Regs. § 7027(m)). Your biometric data falls into this category — without it, the Service cannot generate photos. You still have the right to ask us to delete it; see “Your California rights” below.
We do not sell sensitive personal data. We do not sell sensitive personal data within the meaning of California law, Tex. Bus. & Com. Code § 541.102, Fla. Stat. § 501.71, or the equivalent provisions of any other state law.
Retention. See section 4 for biometric retention. Email, subscription, and ledger records are retained for the life of the account plus the period required for accounting, tax, and audit obligations (commonly seven years for tax records). Operational logs roll out of Fly.io storage within days; Sentry events roll out after 90 days.
Your California rights. You may (i) request to know the categories and specific pieces of personal information we hold about you; (ii) request deletion; (iii) request correction; (iv) opt out of sale or share (not applicable — we do neither); (v) be free from retaliation for exercising any of these rights. To exercise any of these rights, email support@bloomsee.app from the email address tied to your account, or initiate account deletion from /account. For requests involving sensitive personal information, biometric identifiers, or specific pieces of personal information, we may require you to verify (a) the email address on file, (b) the approximate date your account was created, and (c) the last four digits of the payment card on file, plus a signed declaration under penalty of perjury that you are the consumer or authorized agent. We will respond within 45 days, extendable to 90 days where the law allows. An authorized agent may submit on your behalf with written authorization and identity verification.
6. Canada (PIPEDA) disclosures
For Canadian users, Bloomsee follows the ten fair information principles of the federal Personal Information Protection and Electronic Documents Act, as set out in Schedule 1: accountability; identifying purposes; consent; limiting collection; limiting use, disclosure, and retention; accuracy; safeguards; openness; individual access; and challenging compliance. Meaningful consent — not pre-checked or implied — is required for the collection of biometric identifiers, and we obtain it expressly at /onboarding/avatar. You may withdraw consent at any time by deleting your Studio Profile from /account; withdrawal terminates the subscription because the Service cannot operate without a profile.
Quebec. Bloomsee does not currently serve Quebec residents. Quebec’s Act respecting the protection of personal information in the private sector (Law 25) requires a 60-day pre-implementation notice to the Commission d’accès à l’information before any biometric processing of Quebec residents, a French translation of all material disclosures, and a designated Privacy Officer in Quebec. Until Bloomsee completes those steps, Quebec residents may not sign up for the Service.
Filing a complaint. You may direct privacy concerns to support@bloomsee.app. If you are not satisfied with our response, you may complain to the Office of the Privacy Commissioner of Canada at priv.gc.ca.
6a. Other US state privacy laws
If you reside in a US state with a comprehensive consumer-privacy law — including (without limitation) Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, or Virginia — you may exercise the rights granted to you under your state’s law, including the rights of access, deletion, correction, portability, and (where applicable) opt-out of sale, opt-out of targeted advertising, opt-out of profiling, and limit-use of sensitive personal data. Submit requests to support@bloomsee.app from your account email; we will verify your identity and respond on the schedule applicable to California requests under section 5 above (within 45 days, extendable to 90 days where the law allows).
Universal opt-out signals. For Colorado and Connecticut residents, and for any other US state whose law recognizes a universal opt-out mechanism, we honor the Global Privacy Control signal in your browser prospectively, to the extent we ever sell personal data or process it for targeted advertising. We do not currently engage in either, so the signal does not change today’s processing.
7. How we store and protect your information
Encryption. Your reference photograph and your generated outputs are stored in two separate Amazon S3 buckets located in the AWS us-east-1 region. Each bucket is encrypted at rest with a distinct AWS Key Management Service customer-managed key, so that destroying one key cannot affect data secured by the other. Both buckets reject any object upload that is not encrypted with the bucket’s key, and reject any object retrieval over a non-TLS connection. All API access is logged to AWS CloudTrail.
Access control. Object keys include your account identifier as a path segment; our application code only ever issues short-lived presigned URLs scoped to a single object. The administrative panel is protected by HTTP Basic authentication, blocked from iframe embedding, and accessible only to the founder.
Transport. All traffic to bloomsee.app, all webhooks from Stripe, and all webhook callbacks from Sosana and fal.ai are required to use TLS 1.2 or higher. Generation callbacks are additionally authenticated by HMAC-SHA-256 with a rotating signing key; a callback whose timestamp falls outside a 5-minute window, or that repeats one already accepted, is rejected as a replay.
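The callback check described above, shown as an added example in Python; this is not Bloomsee's code, and the key ids, key bytes, header layout (`t=…,kid=…,v1=…`) and callback body are constructed assumptions. It binds the timestamp into the MAC, resolves the key by id so keys can rotate, rejects callbacks outside the 5-minute window, compares in constant time, and refuses a signature it has already accepted.

```python
import hashlib
import hmac

# Constructed keys, indexed by key id so the sender can rotate: the receiver
# accepts any key still in this table and retires a key by removing it.
SIGNING_KEYS = {
    "k1": b"constructed-retiring-key",
    "k2": b"constructed-current-key",
}
REPLAY_WINDOW_SECONDS = 300  # the 5-minute window described in the notice


def _mac(key: bytes, timestamp: int, body: bytes) -> str:
    # The timestamp is part of the MAC input, so it cannot be edited to
    # make an old callback look fresh without invalidating the signature.
    return hmac.new(key, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()


def sign_callback(body: bytes, key_id: str, timestamp: int) -> str:
    """Sender side: build the signature header for a callback body."""
    return f"t={timestamp},kid={key_id},v1={_mac(SIGNING_KEYS[key_id], timestamp, body)}"


class CallbackVerifier:
    """Receiver side: authenticate a callback and refuse replays."""

    def __init__(self, keys=SIGNING_KEYS, window=REPLAY_WINDOW_SECONDS):
        self.keys = keys
        self.window = window
        self._seen = {}  # accepted signature -> its timestamp, pruned as the window moves

    def verify(self, body: bytes, header: str, now: int) -> tuple[bool, str]:
        try:
            fields = dict(part.split("=", 1) for part in header.split(","))
            ts = int(fields["t"])
            kid, sig = fields["kid"], fields["v1"]
        except (ValueError, KeyError):
            return False, "malformed header"
        key = self.keys.get(kid)
        if key is None:
            return False, "unknown key"  # retired or never issued
        if abs(now - ts) > self.window:
            return False, "stale"  # outside the replay window
        expected = _mac(key, ts, body)
        if not hmac.compare_digest(expected, sig):  # constant-time comparison
            return False, "bad signature"
        # Forget signatures old enough that the window check now rejects them anyway.
        self._seen = {s: t for s, t in self._seen.items() if now - t <= self.window}
        if sig in self._seen:
            return False, "replay"
        self._seen[sig] = ts
        return True, "ok"
```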
Authentication. Bloomsee uses sign-in links only — no passwords to leak. Links are valid for 15 minutes, single-use, rate-limited per email and per IP, and consumed atomically against the database.
No security controls are perfect. If we determine that personal information has been compromised in a way that creates a risk of harm to you, we will notify you without unreasonable delay and consistent with applicable law (within 30 days for California residents per Cal. Civ. Code § 1798.82; as soon as feasible for Canadian residents per PIPEDA Section 10.1; per the timing required by each US state breach-notification law). Where required, we will also notify state attorneys general and the Office of the Privacy Commissioner of Canada.
8. Third parties that process your information
We engage the following companies to provide services on our behalf. We restrict their use of your information to the purposes disclosed in this notice, under each provider’s standard service terms or any data-processing addendum we have negotiated. If we learn that a transfer to any vendor does not meet the service-provider requirements under California or sister-state law, we will renegotiate the terms, replace the vendor, or add a “Do Not Share” mechanism and update this notice. You may ask about the current status of any vendor on this list by emailing support@bloomsee.app.
- Stripe, Inc. — payment processing and subscription billing. Receives your email, payment card (directly from you, never via us), and subscription events. Stripe’s privacy policy is at stripe.com/privacy.
- Resend, Inc. — transactional email delivery. Receives your email address and the rendered email body.
- Amazon Web Services, Inc. — encrypted object storage (S3), encryption key management (KMS), and audit logging (CloudTrail).
- Sosana — primary AI image generation. Receives your reference photograph bytes and the selected style prompt for the duration of generation. Does not train models on your inputs.
- fal.ai — fallback AI image generation. Same scope as Sosana; engaged only when the primary provider is unavailable. Does not train models on your inputs.
- Functional Software, Inc. (Sentry) — error monitoring. Receives error stack traces with personally identifying fields scrubbed before transmission.
- Upstash, Inc. — Redis for rate-limit counters and queue coordination. Receives a hashed identifier; does not receive your photograph.
- Supabase, Inc. — managed PostgreSQL database hosting our application records.
- Fly.io, Inc. — application hosting and request logging.
None of these providers is authorized to sell, share, or use your information for their own marketing or model training.
9. Cookies and similar technologies
Bloomsee sets a single first-party session cookie, signed with our application key, used to keep you signed in and to carry your CSRF token and the UTM parameters from your first visit. The cookie is SameSite=Lax and Secure in production. We use no third-party advertising or analytics cookies at this time. If we add any in the future we will update this notice and, where required, present a consent prompt and honor Global Privacy Control signals.
10. Age requirement
The Service is for adults aged 18 or older. We require an affirmative age statement at avatar creation and time-stamp it on your account. We do not knowingly collect personal information from anyone under 13 (the federal threshold under the Children’s Online Privacy Protection Act, 15 U.S.C. § 6501), from anyone under 16 (the California CCPA opt-in-to-sale-or-share threshold, though we do not sell or share), or from anyone under 18 (our own threshold). If we learn that we have collected information from a minor, we will delete it and terminate the account — except where the upload would constitute apparent child sexual abuse material (CSAM) within the meaning of 18 U.S.C. § 2256, in which case we will preserve the image and associated metadata for the period required by 18 U.S.C. § 2258A(h) and report to the National Center for Missing & Exploited Children CyberTipline as required by federal law.
11. International users and data location
Bloomsee operates from the United States. Information you provide is stored in the AWS us-east-1 region (Northern Virginia) and processed in the United States. Canadian users acknowledge that their personal information will be transferred to and processed in the United States, and is subject to United States laws including federal national-security access regimes (the Foreign Intelligence Surveillance Act, 50 U.S.C. ch. 36, and the CLOUD Act, 18 U.S.C. ch. 121). These laws may not provide the same level of protection as Canadian law and are one of the operational reasons Bloomsee does not currently serve Quebec residents. By using the Service from outside the United States, you consent to this transfer.
12. How to reach us
Privacy questions, rights requests, and complaints: support@bloomsee.app. General support: support@bloomsee.app. Mailing address: Bloomsee Studio LLC (entity formation in progress); contact support@bloomsee.app.
13. Changes to this notice
We will update this notice from time to time. For material changes — new categories of information, new purposes, a new vendor, or a change to your rights — we will notify you by email at least 45 days in advance and post the updated notice on this page. The “Effective” date at the top of the page reflects the current version. Prior versions are available on request to support@bloomsee.app.