Privacy policy

Bloomwise is run by DFK Helper LLC. We collect the minimum we need to recommend plants to you, keep the Site running, and honour your legal rights. We never sell your personal information. You can ask us to delete your data at any time by emailing privacy@bloomwise.app.

This Privacy Policy describes how DFK Helper LLC (“Bloomwise”, “we”, “us”) handles personal information collected through bloomwise.app and any subdomains we operate.

It applies to visitors anywhere in the world. California residents have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). Visitors in the European Economic Area and the United Kingdom have additional rights under the GDPR and UK GDPR.

We try to collect as little as possible. The categories below are what we might hold about you at any given time.

• Information you give us: email address (only if you create an account or subscribe to the newsletter), saved gardens, and any feedback or chat messages you send.
• Onboarding answers: the rough size of your garden, your hardiness zone, your favourite colours, whether you have pets, and similar preferences. Stored with an anonymous session id by default.
• Location: a ZIP code or approximate coordinates you enter in the wizard, used once to look up your USDA hardiness zone. Precise real-time geolocation is never collected automatically.
• Device information: IP address (truncated before storage), browser, operating system, and screen size. Used for debugging and fraud prevention.
• Usage information: which pages you visit, which plants you click, and aggregate events through Vercel Analytics. Consent-gated where required.
• Affiliate click logs: which outbound product link you clicked and which merchant it pointed to. No personal identifiers attached.

We use the information above to:

• Generate and improve plant recommendations for you.
• Operate and secure the Site, including preventing abuse of the Plant Doctor assistant.
• Send you transactional email if you create an account (for example, sign-in links).
• Send you the newsletter if you explicitly opt in. You can unsubscribe from every email we send.
• Comply with legal obligations, enforce our Terms, and respond to law enforcement requests that are valid under applicable law.

We do not use your information to train or fine-tune large language models. We do not sell your information. We do not share it with advertisers for cross-context behavioural advertising.

To run Bloomwise we share limited information with the following processors. Each one is bound by its own contract and privacy policy.

• Vercel: hosting, Edge Network, log drains, Vercel Analytics, Vercel AI Gateway. Vercel processes every request to the Site on our behalf.
• Neon: managed Postgres database that stores plant content, saved gardens, and chat session metadata.
• Upstash: Redis rate limiter that protects the Plant Doctor assistant from abuse.
• Resend: transactional email (sign-in links, account notices, newsletter).
• Sentry: error and performance monitoring. PII is scrubbed before events leave the Site.
• Anthropic and OpenAI (via Vercel AI Gateway): the language models that power Plant Doctor. Your chat messages are sent to the model to produce a reply and are not used to train the underlying model.
• Amazon Associates, Impact, FlexOffers, and CJ Affiliate: affiliate networks that attribute clicks we send from the Site. They receive the referring URL and a click identifier, not your email.

Bloomwise uses a small number of cookies and browser storage keys, grouped by purpose:

• Strictly necessary: remember your theme preference, your cookie consent choice, and security tokens. Always on.
• Analytics: Vercel Analytics and Speed Insights, used to understand aggregate traffic. Opt-in in the EU, UK, and wherever else required; notice-only in the US by default.
• Affiliate: short-lived click identifiers attached when you follow an affiliate link. Opt-in where required.

See our cookies page for the full per-cookie table and how to change your choice at any time.

We retain data only as long as we need it:

• Anonymous session data (onboarding answers, chat transcripts): 90 days, then purged.
• Account data (email, saved gardens): as long as your account is active. If you ask us to delete your account, we remove it within 30 days except where we are legally required to retain it.
• Affiliate click logs: 24 months, then aggregated and anonymised.
• Error and access logs: 30 days.

Depending on where you live, you may have some or all of the following rights under the CCPA/CPRA, GDPR, UK GDPR, or other applicable laws:

• Know what personal information we hold about you.
• Access a copy of that information in a portable format.
• Correct information that is inaccurate.
• Delete your information, subject to legal exceptions.
• Opt out of the sale or sharing of your information. We do not sell or share your information for cross-context behavioral advertising, so this is already the default.
• Limit our use of sensitive personal information. We do not collect sensitive categories beyond the opt-in location described above.
• Withdraw consent at any time where we rely on consent, and lodge a complaint with your local supervisory authority.

To exercise any of these rights, email privacy@bloomwise.app with a short description of your request. We will respond within 30 days (45 days for complex requests). We may need to verify your identity by asking you to confirm details from your account.

Bloomwise is not directed at children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child has provided information to us, email privacy@bloomwise.app and we will delete it.

We take reasonable organisational and technical measures to protect your information, including TLS everywhere, edge rate limiting, content security policies, and least-privilege access to our database. No system is perfectly secure. If you believe you have found a vulnerability, please email security@bloomwise.app before disclosing it publicly.

Bloomwise is hosted in the United States. If you access the Site from outside the US, your information will be transferred to, and processed in, the United States. Where required, we rely on the EU Standard Contractual Clauses and the UK International Data Transfer Addendum with our processors.

We may update this Privacy Policy from time to time. The “last updated” date at the top reflects the most recent change. Material changes will be highlighted on the home page or by email to account holders.

Questions or data-subject requests: privacy@bloomwise.app, or by post to DFK Helper LLC, Delaware, United States.