Privacy Policy
1. Introduction
This Privacy Policy describes how BloomChats ("we", "us", "our"), a sole proprietorship owned and operated by Ibrahim, based in New Delhi, India, collects, uses, stores, shares, and protects your personal information when you use our website at bloomchats.com, application, APIs, and services (collectively, the "Service"). By using the Service, you consent to the practices described in this Privacy Policy. If you do not agree, please do not use the Service.
We are committed to protecting your privacy and handling your data transparently and in compliance with the Digital Personal Data Protection Act, 2023 (India), the Information Technology Act, 2000 and its rules, the General Data Protection Regulation (GDPR) where applicable, the California Consumer Privacy Act (CCPA) where applicable, and all other relevant data protection laws. This policy applies to all users of BloomChats, including account holders and the Instagram contacts whose data is processed through the Service.
2. Information We Collect
Account Information: When you register, we collect your email address, display name, password (stored in hashed form only — we never store plaintext passwords), timezone preference, and optionally your company name and phone number.
Connected Platform Data: When you connect an Instagram account, we receive your Instagram Page ID, Page Access Token, and basic page profile information through the official Instagram Graph API. We never access your Instagram password and do not use unofficial APIs.
Contact Data: We collect and store information about Instagram users who interact with your connected accounts, including their Instagram User ID, username, message history with your account, tags you assign, custom fields you create, and interaction timestamps. This data is collected through the official API based on user-initiated conversations.
Usage Data: We automatically collect information about how you use the Service, including pages visited, features used, flows created, messages sent and received, API calls made, browser type, operating system, IP address, device information, and session duration.
Billing Information: When you subscribe to a paid plan, our payment processors (Stripe and Razorpay) collect your payment details. We receive and store only the last four digits of your card, card brand, expiration date, and billing address. We never store your full card number, CVV, or UPI PIN.
Communication Data: If you contact support, submit feedback, or participate in surveys, we collect the content of those communications along with your email address and any attachments you provide.
Cookies: We use essential cookies for authentication and session management. We use analytics cookies (with your consent where required by law) to understand usage patterns and improve the Service. We do not use advertising or third-party tracking cookies and do not participate in cross-site tracking or behavioral advertising.
3. How We Use Your Information
We use your information for the following purposes: to provide, maintain, and improve the Service, including processing DMs, executing automation flows, managing contacts, and generating analytics; to create and manage your account, authenticate access, process payments, and communicate with you about your account; to power AI intent matching and template suggestions (AI processing occurs on our servers and we do not send your message content to third-party AI providers without explicit consent); to generate analytics dashboards, reports, and performance metrics for your automation workflows; to send transactional emails such as receipts, password resets, security alerts, and service notifications such as token expiry and plan changes; to detect and prevent fraud, abuse, spam, and unauthorized access; and to comply with applicable legal obligations and respond to lawful requests from authorities.
We do not sell, rent, or lease your personal data to any third party. We do not use your contact data or message content for advertising purposes.
4. Legal Bases for Processing
Under the Digital Personal Data Protection Act, 2023 (India): We process your data based on your consent provided at the time of registration and use of the Service, and for legitimate uses as permitted under the Act, including performance of the contract between you and BloomChats, compliance with legal obligations, and protection of vital interests.
For users in the European Economic Area, United Kingdom, or Switzerland (GDPR): We process your data under the following legal bases — Contract Performance for providing the Service you requested; Legitimate Interest for fraud prevention, security monitoring, and product improvement balanced against your privacy rights; Consent for optional analytics cookies and marketing communications, which you can withdraw at any time; and Legal Obligation for compliance with EU/UK laws and regulations.
For California residents (CCPA/CPRA): You have the right to know what personal data we collect and how we use it, the right to request deletion of your data subject to legal exceptions, the right to opt out of the sale of personal data (we do not sell personal data), and the right to non-discrimination for exercising your privacy rights. To submit a CCPA request, email contact@bloomchats.com.
5. Data Sharing and Third Parties
We share data only with trusted third-party services that help us operate the Service. Our cloud hosting provider stores data on secure servers with encryption at rest and in transit. Stripe and Razorpay handle payment transactions and are governed by their own privacy policies. We use transactional email providers for account notifications. We use privacy-respecting analytics tools to understand usage patterns. We exchange data with Meta's Instagram Graph API as necessary to deliver messaging automation features, governed by Meta's Platform Terms.
In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of the transaction. We will notify you before your data becomes subject to a different privacy policy. We may disclose data if required by law, court order, or governmental request under Indian law or any other applicable jurisdiction, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others. We require all third-party service providers to process data only according to our instructions and to maintain appropriate security measures.
6. Data Storage and Transfers
BloomChats is based in New Delhi, India. Your data is primarily stored on cloud servers which may be located in India, the United States, or other jurisdictions where our cloud hosting provider operates data centers. By using the Service, you consent to the transfer of your data to these locations. For transfers from the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by appropriate technical and organizational safeguards. All data transfers comply with the requirements of the Digital Personal Data Protection Act, 2023.
7. Data Retention
We retain your account information for as long as your account is active. If you delete your account, we delete your personal data within 30 days, except where retention is required by law. Contact records and message history are retained for the duration of your subscription. Analytics data retention varies by plan: Free (7 days), Starter (30 days), Pro (90 days), Business (180 days), Enterprise (365 days). Billing records including invoices and transaction records are retained for 8 years to comply with Indian tax and financial reporting obligations under the Income Tax Act, 1961 and the GST Act, 2017. Server logs containing IP addresses and request data are retained for 90 days for security monitoring, then anonymized or deleted. Encrypted backups may contain your data for up to 30 days after deletion, after which data is permanently removed.
You can request data export or deletion at any time from your Account Settings or by contacting contact@bloomchats.com.
8. Data Security
We implement industry-standard technical and organizational measures to protect your data. All data is encrypted in transit using TLS 1.2 or higher and at rest using AES-256 encryption. Passwords are hashed using bcrypt with individual salts. API keys use cryptographically secure random generation. Our hosting infrastructure uses firewalls, intrusion detection systems, DDoS mitigation, and automated vulnerability scanning. Internal access to production data is restricted to authorized personnel using role-based access controls, multi-factor authentication, and audit logging.
In the event of a data breach affecting your personal data, we will notify affected users and relevant authorities, including the Data Protection Board of India where applicable, within 72 hours as required by the Digital Personal Data Protection Act, 2023 and GDPR. While we strive to protect your data, no method of transmission or storage is 100% secure. You are responsible for maintaining the security of your account credentials and API keys.
9. Your Rights
Depending on your location, you have the following rights regarding your personal data. Right of Access: you may request a copy of the personal data we hold about you. Right to Correction: you may request that we correct inaccurate or incomplete data. Right to Erasure: you may request that we delete your personal data, subject to legal retention requirements. Right to Data Portability: you may request your data in a structured, machine-readable format (JSON or CSV export is available from Settings). Right to Withdraw Consent: where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing. Right to Grievance Redressal: under Indian law, you have the right to file a complaint with the Data Protection Board of India.
To exercise any of these rights, go to Settings in your account or email contact@bloomchats.com. We will respond within 30 days or sooner if required by applicable law. If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority or the Data Protection Board of India.
10. Children's Privacy
The Service is not intended for children under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child under 18, we will take steps to delete that information promptly. If you believe a child has provided us with personal data, please contact us at contact@bloomchats.com.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. For material changes, we will provide notice via email or an in-app notification at least 14 days before the changes take effect. Non-material changes such as formatting or clarifications may be made without advance notice. Your continued use of the Service after the updated Privacy Policy takes effect constitutes your acceptance of the changes. If you disagree, you may delete your account before the effective date. We encourage you to review this Privacy Policy periodically.
12. Grievance Officer
In accordance with the Information Technology Act, 2000, the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, and the Digital Personal Data Protection Act, 2023, the Grievance Officer and Data Protection Officer for BloomChats is Ibrahim. You may contact the Grievance Officer for any privacy-related complaints, concerns, or grievances at contact@bloomchats.com. The Grievance Officer shall acknowledge your complaint within 24 hours and resolve it within 15 days from the date of receipt. If you are not satisfied with the resolution, you may escalate your complaint to the Data Protection Board of India as established under the Digital Personal Data Protection Act, 2023.
13. Data Controller and Processor
BloomChats acts as the data controller (referred to as "Data Fiduciary" under Indian law) for your account information and usage data. For your Instagram contacts' data, you are the data controller and BloomChats acts as the data processor (referred to as "Data Processor" under Indian law) on your behalf. You are responsible for ensuring that your use of the Service complies with all applicable data protection laws in your jurisdiction, including obtaining any necessary consents from your contacts.
14. Contact Information
For any privacy-related questions, requests, or complaints, you may contact us at: Privacy Team: contact@bloomchats.com. General Support: contact@bloomchats.com. Grievance Officer: contact@bloomchats.com. Address: New Delhi, India. You may also reach us through the Contact page on our website or submit privacy requests directly from Settings in your account.
