Bloom — Privacy Policy
Last updated: 2026-05-24 · v1 draft
Applies to: Bloom (iOS, bundle id com.lumonsoftware.bloom) and Bloom Staff (iOS, bundle id com.lumonsoftware.bloom.staff).
Operator: Lumon Software, LLC.
Data controller for your stay: the residential program ("Facility") where you are staying. Lumon is the data processor.
1. The shape of this product (read this first)
Bloom is not a general-consumer wellness app. It is a white-labeled in-room companion that residential recovery programs, mental-health residences, and wellness retreats license from Lumon Software and deploy on iPads inside their facility.
This shape matters for privacy because:
- You did not create an account in the conventional sense. Your facility provisioned a record for you when you arrived; that record is what the app signs into.
- Lumon does not own the data inside the app. Your facility does. Lumon hosts the infrastructure under a Business Associate Agreement (BAA) with the facility.
- There is no cross-facility data bridge. Information collected on the iPad inside Facility A cannot reach Facility B, ever, by any product feature. This is enforced at the database layer via row-level security (RLS).
- There is no advertising network, analytics SDK, or third-party tracker inside Bloom. No Facebook SDK, no Google Analytics, no AppsFlyer, no Branch. The only outbound network traffic is to your facility's Lumon-hosted backend and to Apple Push Notification service.
2. What we collect
2.1 Information you give us in the app
| Category | Examples | Where it lives |
|---|---|---|
| Profile basics | Your preferred name, room number, sobriety date if you provide one. | Your facility's patients table (Postgres, single-tenant per facility). |
| Journal entries | Free-form text you write in the Journal tile. | Encrypted at rest, gated by RLS so only you can read your own entries. Staff cannot read journal entries. |
| Gratitude entries | "Three things" you list in the Gratitude tile. | Same posture as journal. |
| Goals | Short text goals you set. | Same. |
| Requests | "Can I have extra towels," "I'd like to talk to a counselor." | Routed to the facility staff queue. Visible to assigned staff. |
| Messages | Conversations with your care team. | Visible to you and the staff thread participants. |
| Schedule, attendance, check-in answers | What you did today, mood you reported. | Visible to you and to your assigned staff. |
| Device push token | Apple Push Notification token for your device. | Used only to deliver notifications from your facility's backend. Not sold, not shared. |
2.2 Information that is not collected
- No location tracking. Bloom does not request the location permission and does not read GPS, Wi-Fi SSID, or Bluetooth beacons for tracking purposes.
- No microphone access (the voice-note feature, if your facility enables it, prompts you each time and does not record passively).
- No camera access outside of explicit photo-attach prompts.
- No address book / contacts access.
- No HealthKit data unless your facility specifically enables the optional vitals integration and you grant the prompt.
- No advertising identifier (IDFA). Bloom does not ask for App Tracking Transparency permission because it does not track.
2.3 Information collected automatically
- App diagnostics (crash logs, performance traces). Stored in your facility's backend, not in a third-party analytics provider. If your facility enables Apple's standard AppMetrics / crash reporting opt-in at the OS level, that data flows to Apple under Apple's privacy policy — Lumon does not receive it.
- Internal audit log. Every meaningful staff action ("staff member X read patient Y's chart") is recorded. You can ask your facility's compliance lead for an audit-log report on actions taken on your own record.
3. How we use it
We use your data only to operate Bloom inside your facility:
- Show you your day, your tiles, your messages.
- Route your requests to the right staff.
- Deliver push notifications when there is something for you to see.
- Let staff coordinate your care.
- Maintain the audit log so your facility's leadership can review staff activity.
We do not use your data to:
- Advertise to you.
- Train any machine-learning model. No customer data is used to train any AI system, Lumon-owned or third-party.
- Sell, rent, or trade to any third party.
- Send marketing emails. Bloom does not send transactional or marketing email to patients; staff-side magic-link emails are scoped to the facility's own staff accounts.
4. Who sees it
| Party | What they see | When |
|---|---|---|
| You | Everything in your own record, including your journal, gratitude, goals. | Always. |
| Your facility's staff (in Bloom Staff app) | Your profile, schedule, requests, messages, check-ins, chart data their role permits. Not your journal, gratitude, or private goal text. | While you are an active resident. |
| Your facility's admin/operator | Same as staff plus admin-level views (room management, audit log). | While you are an active resident. |
| Lumon Software (the operator) | Application-level access for support and reliability. Lumon staff access is logged. | Only when needed to operate the service. |
| Other facilities | Nothing. Ever. Bloom has no feature that exposes data across facility boundaries. | Never. |
| Apple | Push notification payloads (which are scrubbed of PHI — see §6) and OS-level diagnostics if you opted in. | Per Apple's policy. |
| Third-party advertisers / data brokers | Nothing. | Never. |
5. Where it lives
- Database: Postgres (Supabase distribution), hosted by Lumon on AWS EC2 instances dedicated per facility — no shared multi-tenant database tier.
- At rest: disk-level encryption on the host volumes.
- Row-level security: every multi-tenant table carries RLS policies that constrain reads/writes to the requesting user's facility.
- Backups: nightly logical backups, age-encrypted before leaving the host.
- Region: US (us-east-1 at time of writing).
- No outbound webhooks. Bloom has no general-purpose outbound webhook system; your data does not get pushed to third-party automation tools without explicit per-feature consent from the facility.
6. Push notifications
- The visible payload is generic ("You have a new message from your care team") — it never includes PHI in the unencrypted notification body that Apple's servers see.
- The full message contents are fetched by the app over HTTPS after you unlock the device.
- Device push tokens are stored in your facility's backend, not shared with any third party.
7. How long we keep it
- While you are an active resident: indefinitely.
- After discharge: retained per your facility's records-retention policy. Healthcare records in the US are typically retained 6–10 years depending on state; your facility's policy controls. Lumon retains data according to the BAA.
- If your facility leaves Lumon's platform: an audited purge path retires the data. The operator triggers it; the policy on when is the facility's call under the BAA.
8. Your rights
Depending on where you live:
- HIPAA (US): you have the right to access, amend, and request an accounting of disclosures of your protected health information. Direct these requests to your facility's privacy officer in the first instance; Lumon will assist the facility in fulfilling them.
- GDPR / UK GDPR: you have rights of access, rectification, erasure, restriction, portability, and objection. Same routing — to the facility, with Lumon assisting.
- CCPA / CPRA (California): you have rights to know, delete, and limit use of sensitive personal information. Same routing. Lumon does not "sell" personal information as defined by CCPA.
9. Children
Bloom is licensed by facilities for adult residential programs. Bloom is not intended for children under 13 and Lumon does not knowingly collect personal information from children. If your facility serves adolescents, a separate version with parental-consent flows is required and the standard Bloom app is not authorized for that use.
10. Security incidents
If we discover a security incident that affects your information, the facility's privacy officer will be notified per the BAA, typically within 72 hours, and will determine your notification per applicable law.
11. Changes to this policy
We will revise this policy as the product evolves. Material changes will be noted at the top of this document with a new "Last updated" date, and the facility's privacy officer will be notified.
12. Contact
- Your facility's privacy officer — first stop for any privacy question about your stay.
- Lumon Software, Privacy: privacy@lumonbloom.com