Privacy Policy
Last updated: February 27, 2026
1. Information We Collect
Account information
When you create an account, we collect your email address, display name, and username. If you register via GitHub OAuth, we also receive your GitHub user ID, username, email, and avatar URL from GitHub.
Authentication data
We store hashed passwords (bcrypt) for email/password accounts. We store GitHub access tokens for users who authenticate via GitHub. These tokens are used to access GitHub on your behalf (repo operations, webhook setup).
API keys
If you use BYOK (Bring Your Own Key), we store your Anthropic API key. It is used only to execute AI agent tasks on your behalf and can be removed at any time.
Usage data
We collect information about how you use the Service: conversations with agents, ideas submitted, tasks created, and interaction patterns. This data is used to operate the platform and improve the AI agent experience.
Payment information
Payment processing is handled by Stripe. We do not store credit card numbers or full payment details. We store Stripe customer IDs and subscription status.
2. How We Use Your Information
We use your information to:
- Operate and maintain the Service, including running AI agents on your behalf.
- Authenticate your identity and manage your account.
- Process payments and manage subscriptions.
- Send email notifications about task progress (you can opt out from your profile).
- Provide customer support.
- Improve the Service and develop new features.
- Enforce our Terms of Service and prevent abuse.
3. Information Sharing
We do not sell your personal information. We share information only in these circumstances:
- Public profiles: Your username, display name, avatar, and contributions to public projects are visible on your public profile page.
- Public projects: Ideas and conversations in public projects are visible to other authenticated users.
- Service providers: We use third-party services (Stripe for payments, Resend for emails, Anthropic for AI, GitHub for code hosting, Fly.io for infrastructure) that process data on our behalf.
- Legal requirements: We may disclose information if required by law or to protect our rights and safety.
4. Data Storage and Security
Your data is stored on servers operated by Fly.io with PostgreSQL databases. We use encryption in transit (TLS) and at rest. Passwords are hashed with bcrypt. Session tokens are JWTs with expiration. We implement rate limiting, audit logging, and access controls to protect your data.
5. Cookies
We use HTTP-only session cookies (bloom_session) for authentication. We do not use tracking cookies or third-party analytics cookies.
6. Email Communications
We send transactional emails (account verification, password reset) and notification emails (task progress updates). You can disable notification emails from your profile settings. Transactional emails cannot be disabled, as they are essential for account security.
7. Your Rights
You have the right to:
- Access your personal data via your profile and API.
- Correct inaccurate data by updating your profile.
- Delete your account and associated data.
- Export your data by contacting us.
- Opt out of notification emails from your profile settings.
8. Data Retention
We retain your data for as long as your account is active. After account deletion, we remove personal data within 30 days. Contributions to public open source projects (code, PRs) remain as part of the project's public git history, as is standard for open source contributions.
9. Children's Privacy
The Service is not intended for children under 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected data from a child under 13, we will delete it promptly.
10. Changes to This Policy
We may update this policy from time to time. We will notify users of material changes via email or in-app notice. The “Last updated” date at the top reflects the most recent revision.
11. Contact
Questions about this policy? Reach us at privacy@bloomit.ai.