GDPR Compliance

Additional information for residents of the European Economic Area (EEA) about how we process personal data in compliance with the General Data Protection Regulation.


Last updated: April 12, 2026

1. Introduction

This GDPR Compliance page provides additional information for residents of the European Economic Area (EEA) about how Bloo, Inc. (“Bloo”, “we”, “us”, or “our”) processes personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”).

This page supplements our main Privacy Policy and should be read together with it. In case of any conflict, the GDPR-specific provisions in this document prevail for EEA residents.

2. Data Controller Information

Bloo, Inc.
2035 Sunset Lake Road
Newark, Delaware 19702
United States
Email: [email protected]

We are a data controller for the personal data we process about you. In certain circumstances, we may also act as a data processor on behalf of our business customers.

3. Data Protection Officer

Our Data Protection Officer can be contacted at:

Emanuele Faja, CEO
Email: [email protected]
Subject Line: GDPR Request

4. Legal Bases for Processing

We process your personal data under the following legal bases set forth in Article 6 of the GDPR:

4.1 Performance of a Contract (Article 6(1)(b))

  • Creating and managing your account
  • Providing our process management services
  • Processing payments and billing
  • Providing customer support

4.2 Legitimate Interests (Article 6(1)(f))

Our legitimate interests include:

  • Improving and developing our Service
  • Ensuring security and preventing fraud
  • Analyzing usage patterns and trends
  • Sending service-related communications
  • Scanning and reviewing Content for Terms of Service and Acceptable Use Policy compliance, abuse detection, and platform safety

We have conducted legitimate interest assessments to ensure your interests and fundamental rights do not override these interests.

4.3 Legal Obligation (Article 6(1)(c))

  • Complying with tax and accounting requirements
  • Responding to lawful requests from authorities
  • Maintaining records as required by law

4.4 Consent (Article 6(1)(a))

  • Sending marketing communications
  • Processing optional data you choose to provide

You may withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.

5. Data Subject Rights

Under the GDPR, you have the following rights:

5.1 Right of Access (Article 15)

You can request a copy of your personal data and information about how we process it.

5.2 Right to Rectification (Article 16)

You can request correction of inaccurate or incomplete personal data.

5.3 Right to Erasure (Article 17)

You can request deletion of your personal data when:

  • It’s no longer necessary for the original purpose
  • You withdraw consent (where consent is the legal basis)
  • You object to processing based on legitimate interests
  • The data has been unlawfully processed

5.4 Right to Restriction (Article 18)

You can request we limit processing while we:

  • Verify accuracy of data you’ve contested
  • Determine if our legitimate interests override yours
  • Establish, exercise, or defend legal claims

5.5 Right to Data Portability (Article 20)

You can receive your personal data in a structured, commonly used, machine-readable format when processing is based on consent or contract and is automated.

5.6 Right to Object (Article 21)

You can object to processing based on legitimate interests or for direct marketing purposes. For marketing, we will stop immediately. For other purposes, we will stop unless we demonstrate compelling legitimate grounds.

5.7 Rights Related to Automated Decision-Making (Article 22)

We use artificial intelligence systems to flag potential violations of our Terms of Service and Acceptable Use Policy for human review. All enforcement decisions, including account suspension or termination, are made by humans. We do not make decisions based solely on automated processing that produce legal or similarly significant effects concerning you.

6. International Data Transfers

All customer data is stored and processed within the European Union. Our infrastructure is hosted in Germany (Hetzner, Falkenstein and Frankfurt) with database services in the EU (AWS eu-central-1, Frankfurt).

Data may be transferred outside the EEA to:

  • United States (our headquarters): limited access for operational and support purposes only. No customer data is stored in the US.

For information about what data is transferred and stored, see Section 3 of our Privacy Policy and the subprocessor list in our Data Processing Agreement.

We ensure appropriate safeguards through:

  • EU Data Residency: All customer data, files, and databases are stored within the EU
  • Standard Contractual Clauses (SCCs): We use the European Commission’s standard contractual clauses for any limited transfers to countries without an adequacy decision
  • Technical Measures: All data is encrypted in transit and at rest
  • Organizational Measures: Access controls and data protection training

7. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach (Article 33)
  • Notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms (Article 34)
  • Document all breaches and actions taken

8. Data Protection by Design and Default

We implement data protection principles from the outset:

  • Data Minimization: We only collect data necessary for specified purposes
  • Purpose Limitation: We only use data for stated, legitimate purposes
  • Storage Limitation: We follow the retention periods in Section 8 of our Privacy Policy
  • Security: We implement appropriate technical and organizational measures

9. Supervisory Authority

You have the right to lodge a complaint with your local data protection supervisory authority if you believe we have not adequately addressed your concerns.

For a list of supervisory authorities, visit: https://edpb.europa.eu/about-edpb/board/members_en

10. Specific Processing Activities

10.1 Marketing Communications

  • Legal Basis: Consent or legitimate interest (existing customers)
  • Right to Object: You can opt out anytime via unsubscribe links or account settings
  • Data Sources: Information you provide and Service usage data

10.2 Analytics and Improvements

  • Legal Basis: Legitimate interest in improving our Service
  • Data Types: Usage patterns, feature adoption, performance metrics
  • Retention: See Section 8 of our Privacy Policy

10.3 Customer Support

  • Legal Basis: Contract performance and legitimate interest
  • Data Types: Communications, account information, issue details
  • Retention: 3 years for quality and training purposes

10.4 Content Scanning and Compliance Review

  • Legal Basis: Legitimate interest in enforcing our Terms of Service and Acceptable Use Policy, and protecting the integrity and safety of the Service
  • Data Types: File metadata (names, sizes, types, upload dates), file contents, usage patterns, account activity metrics
  • Processing: Content may be processed by third-party AI service providers (OpenAI, Anthropic) using EU-based endpoints. AI systems flag potential violations for human review. All enforcement decisions are made by humans
  • Retention: Scanning logs and flagged content records are retained for the duration of the account plus 12 months following termination, or as required by law
  • Right to Object: You may object to this processing under Article 21. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests

11. Cookies and Tracking

For detailed information about cookies, see Section 4 of our Privacy Policy.

We use only strictly necessary cookies for authentication and session management. Strictly necessary cookies are exempt from the consent requirement under the ePrivacy Directive and the GDPR, so no cookie consent banner is shown.

12. Children’s Data

We do not knowingly process personal data of individuals under 18. If we become aware of such processing, we will promptly delete the data.

13. Changes to This Notice

We may update this GDPR notice to reflect changes in our practices or legal requirements. Changes to this notice are governed by Section 19 of our Terms of Service.

14. Contact Us

For any GDPR-related questions or to exercise your rights:

Email: [email protected]
Subject Line: GDPR Request

We will respond to your request within one month of receipt, extendable by a further two months for complex or numerous requests (Article 12). We will inform you of any extension and the reasons for it within the first month.

There is no fee for exercising your rights unless requests are manifestly unfounded, repetitive, or excessive, in which case we may charge a reasonable fee or refuse to act.