Bloombloom

Privacy Policy

Last updated: 22 May 2026

This is a convenience translation. The legally binding version is the German one.

1. Controller

The controller within the meaning of the GDPR is:

Abed Al Muhsen Alkarim

Mittelseestr. 6a, 63065 Offenbach am Main, Deutschland

Email: hello@bloomfit.space

2. General

Protecting your personal data is important to us. We process your data exclusively on the basis of statutory provisions (GDPR, German TDDDG, BDSG). This privacy policy informs you about the most important aspects of data processing on our website.

3. Hosting (Vercel)

This website is hosted by Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA. When the website is accessed, technically necessary data (e.g. IP address, date and time of access, page requested) are processed. The legal basis is our legitimate interest in providing the website securely and reliably (Art. 6 (1) (f) GDPR).

Processing may also take place in the USA. The transfer is safeguarded by appropriate measures (EU-US Data Privacy Framework or Standard Contractual Clauses under Art. 46 GDPR).

4. Local storage of your inputs

Your onboarding inputs and your language setting are stored exclusively locally in your browser (local storage) so that your plan persists and the app works. These data are not automatically transmitted to us. The legal basis is the performance of the service you requested (Art. 6 (1) (b) GDPR) and § 25 (2) TDDDG (strictly necessary storage). You can delete these data at any time via your browser settings.

5. Health-related information (Art. 9 GDPR)

When creating your plan, you may provide information that constitutes a special category of personal data (e.g. health-related conditions, body measurements). This data is processed solely on the basis of your explicit consent pursuant to Art. 9 (2) (a) GDPR, which you give at the start of onboarding.

You may withdraw your consent at any time with effect for the future by deleting your locally stored data or contacting us. The lawfulness of processing carried out before withdrawal remains unaffected.

6. Payment processing (Stripe)

To process paid orders we use the payment provider Stripe (Stripe Payments Europe, Ltd., Dublin, Ireland; Stripe, Inc., USA). When you make a purchase, the data required for payment (e.g. email address, payment data) and the information required to create your report are processed. The legal basis is contract performance (Art. 6 (1) (b) GDPR); for health-related information additionally your consent (Art. 9 (2) (a) GDPR).

We do not store payment data (e.g. card numbers); it is processed directly by Stripe. More: https://stripe.com/privacy.

7. Email delivery (Resend)

After a purchase we send your report by email to the address you provided. We use the service Resend (Resend, Inc., USA) for delivery. The legal basis is contract performance (Art. 6 (1) (b) GDPR). The transfer to the USA is safeguarded by appropriate measures (DPF / Standard Contractual Clauses).

We also send you occasional reminders (roughly monthly) to refresh your plan, along with notes about new features. The legal basis is § 7 (3) UWG together with our legitimate interest in direct marketing of our own similar products (Art. 6 (1) (f) GDPR). You can object to these reminders at any time, free of charge, via the unsubscribe link in every email or by messaging hello@bloomfit.space. After you object, you will not receive further reminders.

Soft Push subscription: if you subscribe to Soft Push (a paid €3.99/month service), we send personalized motivational emails on the schedule you choose. The legal basis is performance of the subscription contract (Art. 6 (1) (b) GDPR) and, for using the fitness and dietary details from your plan (goal, dietary style, activity level, targets) to personalize the emails, your explicit consent (Art. 9 (2) (a) GDPR). We do not use special-category health data such as medical conditions for Soft Push.

For Soft Push we read your plan details only when each email is prepared and do not store them in this service. We store only your chosen schedule and a record of which messages you have already received (to avoid repeats), linked to a one-way hash of your email address; for this storage we use Upstash, Inc. (USA) as a processor. When you cancel, we stop processing and delete this schedule and history. You can withdraw your consent and cancel at any time with effect for the future via the link in every email or by messaging hello@bloomfit.space.

Free results by email (on request): on the results page you can ask us to email you your calculated daily numbers. For this we process your email address and the inputs required for the calculation solely to send that one email (Art. 6 (1) (b) GDPR); the inputs are not stored in the process.

Optional tips and reminders: at checkout and with the free-results email you can optionally consent to receiving a small number of follow-up emails from us (for example a reminder to finish your plan). The legal basis is your consent (Art. 6 (1) (a) GDPR). For this we store your email address, your language and the time of consent with our processor Upstash, Inc. (USA) for at most 21 days or until the email is sent; a record of the given consent is retained. You can withdraw your consent at any time with effect for the future via the unsubscribe link in every such email or by messaging hello@bloomfit.space.

8. Cookies and similar technologies

We do not use any tracking or marketing cookies on bloomfit.space. Only technically necessary storage (local storage) required to operate the website is used. During payment, the provider Stripe may set technically necessary cookies on its own pages.

To measure reach we use Vercel Web Analytics (Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA). The service is fully cookieless, does not store IP addresses in plain text, and does not allow identification of individual persons; visitor identifiers are hashed daily and are not tracked across days. We collect only aggregated, non-personal statistics (e.g. page views, time on page, country, device type). The legal basis is our legitimate interest in offering and improving our service (Art. 6 (1) (f) GDPR); consent under § 25 (1) TDDDG is not required as no end-device information is accessed. Transfer to the USA is safeguarded by appropriate measures (EU-US Data Privacy Framework / Standard Contractual Clauses under Art. 46 GDPR). More: https://vercel.com/legal/privacy-policy.

9. Storage period

Locally stored inputs remain in your browser until you delete them. Data related to purchases is stored for as long as necessary to perform the contract or as required by statutory retention periods (in particular commercial and tax-law periods of up to 10 years).

10. Your rights

You generally have the rights to access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20) and objection (Art. 21 GDPR). You may withdraw any consent given at any time (Art. 7 (3) GDPR).

An informal message to the contact details above is sufficient to exercise your rights.

11. Right to lodge a complaint

You have the right to lodge a complaint with a data protection supervisory authority. The authority responsible for us is:

Der Hessische Beauftragte für Datenschutz und Informationsfreiheit, https://datenschutz.hessen.de

12. Changes to this privacy policy

We reserve the right to adapt this privacy policy so that it always complies with current legal requirements or to implement changes to our services.