Privacy notice
Careful with your data.
Last updated: 7 July 2026. Data controller: Jasmijn Bloeit, Oeverpad 247, 9613 AL Meerstad, the Netherlands, Chamber of Commerce 80887244. Contact: jasmijnbloeit@gmail.com. This notice explains how we, as data controller, handle your personal data on The Second Bloom, in line with the GDPR.
Data we process
- Account data: email, display name, language preference, password hash.
- Profile data: pseudonym, role (primary/partner), partner link.
- Content data: reflections, homework answers, symptom logs, community posts, coach conversations.
- Usage and log data: IP address, device and browser info, timestamps, error reports.
- Communications: messages you send us.
- Payment data: handled by Paddle as Merchant of Record. We receive only order status and invoice references, never card details.
Purposes and legal basis
- Performance of the contract (art. 6.1.b GDPR): creating your account, delivering the service, enabling homework and community.
- Legitimate interests (art. 6.1.f): security, fraud prevention, abuse detection, product improvement using aggregated insights.
- Consent (art. 6.1.a): optional newsletters or non-essential cookies. You can withdraw consent at any time.
- Legal obligation (art. 6.1.c): tax retention, lawful requests from authorities.
We do not use your content (reflections, coach conversations) to train third-party AI models.
Sharing with third parties
We share data only with providers acting for us under a data-processing agreement:
- Supabase (hosting, database, authentication) — EU region.
- Paddle (Merchant of Record for payments, billing and tax compliance).
- AI provider(s) solely for the coach and homework features, with contractual limits on retention and model training.
- Email provider for transactional email (e.g. password reset).
- Professional advisers (legal, accounting) and authorities where legally required.
International transfers
Our primary storage is in the EU. Some sub-processors (e.g. AI providers) may process data outside the EEA. In that case we rely on EU Standard Contractual Clauses or an adequacy decision.
Retention
- Account and profile data: as long as your account is active, plus up to 12 months after a deletion request for administration and fraud prevention.
- Reflections, symptoms, homework, coach conversations: until you delete them or close your account.
- Community posts: remain under pseudonym for the conversation; anonymised or deleted on request.
- Invoices and payment data: 7 years (statutory tax retention).
- Log data: up to 12 months.
Your rights
- Access, rectification, erasure.
- Restriction and objection.
- Portability of data you provided.
- Withdraw consent, without retroactive effect.
- Lodge a complaint with the Dutch Data Protection Authority.
Send requests to jasmijnbloeit@gmail.com. We respond within 1 month.
Security
We apply appropriate technical and organisational measures: TLS in transit, hashed passwords, database row-level security, least-privilege access, and admin action logging.
Cookies
We use only strictly necessary cookies and local storage to keep you signed in and remember your language preference. We do not set marketing or tracking cookies. If that ever changes we will ask for your consent via a cookie banner first.
Children
The Second Bloom is intended for adults (18+). We do not knowingly collect data from children.
Changes
For material changes we will notify you in advance via email or in the app.
Contact
Questions? Email jasmijnbloeit@gmail.com. See also our terms of service and refund policy.