Privacy Policy
Last updated: March 14, 2026
Bloomy (“we,” “us,” or “our”) operates the Bloomy platform at www.bloomylearning.com (the “Service”). This Privacy Policy explains how we collect, use, disclose, and protect information from parents/guardians (“you”) and their children who use the Service.
Bloomy is designed for use by children under parental supervision. We are committed to complying with the Children’s Online Privacy Protection Act (COPPA) and applicable state privacy laws.
1. Information We Collect
1.1 Information from Parents
When you create an account and subscribe, we collect:
- Account information: Name, email address, password
- Billing information: Payment method details (processed by our third-party payment processor; we do not store full credit card numbers)
- Communication data: Emails or messages you send us
1.2 Information from Children
When your child uses the Service, we collect the following with your consent:
- Profile information: First name (or nickname), grade level, as provided by the parent
- Learning performance data: Question responses, accuracy rates, mastery scores, lesson completion status, and skill-level proficiency metrics
- AI interaction logs: Chat conversations between your child and BloomyBot, including the child’s typed responses and the AI’s replies
- Progress and retention data: Spaced repetition schedules, skill retention metrics, and review history
- Usage data: Session duration, features accessed, and navigation patterns within the Service
We do not collect: physical addresses, phone numbers, photos, videos, audio recordings, precise geolocation, or social media identifiers from children.
1.3 Automatically Collected Information
When anyone visits our website or uses the Service, we automatically collect:
- Device information: Browser type, operating system, screen resolution
- Log data: IP address, pages visited, referring URL, timestamps
- Cookies and similar technologies: We use essential cookies required for the Service to function (e.g., session management, authentication). We use Google Analytics with IP anonymization enabled to understand how the website is used. We do not use advertising cookies or tracking pixels on pages accessible to children.
2. How We Use Information
2.1 Children’s Information
We use information collected from children solely to:
- Provide personalized instruction: Adapt lesson difficulty, select appropriate content, and build individualized learning paths
- Power AI tutoring: Enable BloomyBot to provide contextually relevant Socratic guidance based on the child’s responses
- Track learning progress: Generate mastery scores, skill retention metrics, and progress reports visible to the parent
- Schedule spaced review: Determine which skills need revisiting and when
- Maintain and improve the Service: Debug issues, improve AI response quality, and enhance the learning experience
We do not use children’s information for advertising, marketing, or profiling. We do not sell children’s personal information to third parties.
2.2 Parents’ Information
We use parent information to:
- Create and manage your account
- Process subscription payments
- Send transactional communications (receipts, billing notices, account alerts)
- Respond to your support requests
- Send product updates and educational content (you may opt out at any time)
3. How We Share Information
We share personal information only in the following limited circumstances:
| Recipient | Purpose | Data Shared |
|---|---|---|
| Payment processor | Process subscription payments | Parent billing information only (no child data) |
| Cloud hosting provider | Host and operate the Service | All data (encrypted at rest and in transit) |
| AI service provider | Power BloomyBot tutoring | Chat messages (child’s responses and context needed to generate AI replies) |
| Analytics | Understand website usage | Anonymized usage data (IP anonymization enabled; no child personal information) |
We do not:
- Sell personal information to any third party
- Share personal information for advertising purposes
- Disclose children’s data to third parties for purposes unrelated to providing the Service
- Allow third parties to collect personal information from children through the Service
We may also disclose information if required by law, in response to a valid legal process (subpoena, court order), or if necessary to protect the safety of a child or the public.
4. AI & Children’s Data
4.1 How AI Processes Your Child’s Data
BloomyBot uses AI to analyze your child’s responses to reading comprehension questions and provide educational guidance. When your child interacts with BloomyBot, their chat messages and relevant lesson context are sent to our AI service provider to generate a response. These interactions are processed in real time and are not used by the AI provider to train their general-purpose models.
4.2 AI Training
We may use aggregated, de-identified data derived from student interactions to improve Bloomy’s own educational AI models (e.g., improving the quality of hints and scaffolding). This internal improvement process uses de-identified data only and does not involve sharing identifiable children’s data with third parties for AI training purposes.
4.3 AI Safety
BloomyBot is programmed to operate within educational topics only. It includes content safety filters designed to prevent the generation of inappropriate, harmful, or off-topic content. BloomyBot is not designed to address personal, emotional, or health-related concerns. If you encounter concerning AI-generated content, please report it immediately to hello@bloomylearning.com.
5. Data Retention
We retain personal information only as long as reasonably necessary for the purposes described in this policy:
- Active account data (learning progress, mastery scores, chat logs): Retained for the duration of the subscription to provide the Service
- After cancellation: Child personal information is deleted within 30 days of account termination, unless you request earlier deletion
- Parent account information: Retained for up to 12 months after cancellation for billing records and to facilitate resubscription, then deleted
- Billing records: Retained as required by applicable tax and financial regulations
- Login security logs (IP addresses): Retained for 90 days for abuse prevention, then automatically deleted
- De-identified, aggregated data: May be retained indefinitely as it cannot be used to identify any individual
6. Data Security
We implement reasonable administrative, technical, and physical safeguards designed to protect the personal information we collect, including:
- Encryption of data in transit (TLS/HTTPS) and at rest
- Access controls limiting data access to authorized personnel
- Regular security assessments
- Secure coding practices and code review
No system is 100% secure. We cannot guarantee the absolute security of your information, but we take commercially reasonable steps to protect it. In the event of a data breach affecting personal information, we will notify affected users and relevant authorities as required by law.
7. COPPA Compliance & Parental Rights
We comply with the Children’s Online Privacy Protection Act (COPPA) as amended. We collect personal information from children only with verifiable parental consent.
7.1 Verifiable Parental Consent
By completing a paid subscription through a credit card transaction, you provide verifiable parental consent under COPPA for the collection, use, and limited disclosure of your child’s personal information as described in this Privacy Policy. You may consent to collection and use without consenting to disclosure to third parties where such disclosure is not integral to the Service.
7.2 Your Rights as a Parent
Under COPPA, you have the right to:
- Review the personal information we have collected from your child (accessible through the parent dashboard or by contacting us)
- Request deletion of your child’s personal information
- Refuse further collection of your child’s personal information (note: this may require termination of the child’s access to the Service)
- Withdraw consent at any time by contacting us
To exercise any of these rights, contact us at hello@bloomylearning.com. We will verify your identity before processing requests. We will respond within 30 days.
8. School & District Use
8.1 How Schools Access Bloomy
Bloomy may be used in classroom settings where a school or school district (“School”) has authorized use of the Service for its students. In these cases, the School — not individual parents — establishes the relationship with Bloomy and manages student access through teacher-administered accounts.
8.2 School Consent Under COPPA
When a School authorizes the use of Bloomy for its students, the School acts as the agent of the parent for purposes of providing consent under COPPA. The School consents to Bloomy’s collection, use, and limited disclosure of student personal information solely for educational purposes as described in this Privacy Policy. Bloomy does not use student data collected in the school context for any commercial purpose unrelated to providing the educational Service.
Schools are responsible for providing notice to parents regarding Bloomy’s use in the classroom and the data practices described in this Privacy Policy. Schools may choose to distribute this Privacy Policy to parents or incorporate its disclosures into their own notices.
8.3 Teacher Access & Data Visibility
Teachers assigned to a class in Bloomy can:
- View student progress: Mastery levels, skill completion, domain performance, and usage metrics for students in their class
- View BloomyBot chat logs: Full AI tutoring conversation history for students in their class, for instructional and safety monitoring purposes
- Export student data: Download class-level progress data as CSV files for reporting and instructional planning
Teachers cannot access data for students outside their assigned class. Teacher access is governed by row-level security policies that enforce class-level data isolation.
8.4 FERPA Compliance
When Bloomy is used by a School, student data constitutes “education records” under the Family Educational Rights and Privacy Act (FERPA). In this context, Bloomy operates as a “school official” with a legitimate educational interest, as designated by the School. We use education records solely to provide the educational Service authorized by the School. We do not use education records for advertising, marketing, or any purpose other than providing and improving the educational Service.
Schools may enter into a Data Processing Agreement (DPA) with Bloomy that further specifies data handling obligations. To request a DPA, contact hello@bloomylearning.com.
8.5 School Data Retention & Deletion
When a School’s agreement with Bloomy ends, or upon request from the School, we will delete all student personal information associated with the School within 30 days. Schools may also request deletion of individual student records at any time by contacting us. De-identified, aggregated data that cannot be used to identify any student may be retained.
8.6 Parental Rights in School Context
Even when a School has provided consent on behalf of parents, parents retain the right to:
- Review their child’s personal information collected by Bloomy (by contacting the School or Bloomy directly)
- Request deletion of their child’s personal information (note: this may require the School’s involvement and may affect the child’s access to the Service)
- Opt their child out of Bloomy’s data collection (which will require the School to remove the child’s access to the Service)
To exercise these rights, parents may contact their child’s School or reach out to us directly at hello@bloomylearning.com.
9. California Privacy Rights
If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), including:
- The right to know what personal information we collect, use, and disclose
- The right to request deletion of your personal information
- The right to opt out of the sale or sharing of personal information (note: we do not sell personal information)
- The right to non-discrimination for exercising your privacy rights
To submit a request, contact hello@bloomylearning.com with the subject line “California Privacy Request.”
10. Cookies & Tracking
We use the following types of cookies:
- Essential cookies: Required for the Service to function (authentication, session management). Cannot be disabled.
- Analytics cookies: Google Analytics with IP anonymization enabled. Used only on the marketing website, not on child-facing pages within the learning platform. You may opt out using the Google Analytics Opt-Out Browser Add-on.
We do not use advertising cookies, retargeting pixels, or social media tracking on any part of the Service.
11. Third-Party Links
The Service may contain links to third-party websites. We are not responsible for the privacy practices of third-party websites. We encourage you to read the privacy policies of any third-party websites you visit.
12. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes to how we handle children’s data, we will notify you by email and obtain new parental consent where required by law. The “Last updated” date at the top of this page reflects the most recent revision.
13. Contact Us
If you have questions about this Privacy Policy, want to exercise your parental rights, or have concerns about your child’s data, contact us at:
Bloomy
Email: hello@bloomylearning.com
Website: www.bloomylearning.com
If you believe we have inadvertently collected personal information from a child without proper parental consent, please contact us immediately and we will promptly delete the information.