Last updated: May 24, 2018
This Policy sets out what personal data we collect, how we process it and how long we retain it. This Policy applies to all of our processing activities where we act as a data controller.
In this Policy, "we", "us" and "our" refers to Bloom Protocol LLC, a company incorporated in Delaware with its registered address at 189 S Orange Ave Suite 1130b, Orlando, FL 32801, USA. For more information about us, see the Contact Us section of this Policy.
In this Policy, “personal data” means any information relating to you as an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an online identifier or to one or more factors specific to your physical, physiological, genetic, mental, economic, cultural or social identity.
In this Policy, “processing” means any operation or set of operations which is performed on personal data (as defined in this Policy) or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Navigating this Policy
If you are viewing this Policy online, you can click on the below links to jump to the relevant section:
- How we collect information from you
- What type of information is collected?
- Your information and the Blockchain
- How we use your personal information
- Use of Third Party Applications and Cookies
- How long we keep your information for
- Sharing your personal information
- Your individual rights
- Additional Information
How we collect information from you
We collect information about you when you:
- visit our website;
- contact us either through our website or through other direct means of electronic communication;
- enter into a contract with us;
- use our services or offerings (including our Bloom app); and/or
- enter into any other relationship with us or interact with us for our services.
What type of information is collected?
The personal information we collect might include, but is not limited to, your:
Name; address; email address; telephone number; date of birth; nationality; IP address; the type of device through which you browse our website or use our services or app (including the operating system; your location; time date and duration of your visit to our website; and previous visits to our website) and in some instances your cryptographic wallet address.
We may also ask you to provide evidence of your identity such as asking for a copy of your passport, driving licence, proof of residence or income. We are required to ask for this information to comply with anti-money laundering (“AML”) legislation such as the Proceeds of Crime Act 2015, to ensure we safeguard against and report any suspicious activity.
Your information and the Blockchain
Blockchain technology, also known as distributed ledger technology (or simply ‘DLT’), is at the core of our business. Blockchains are decentralized and made up of digitally recorded data in a chain of packages called ‘blocks’. The manner in which these blocks are linked is chronological, meaning that the data is very difficult to alter once recorded. Since the ledger may be distributed all over the world (across several ‘nodes’ which usually replicate the ledger) this means there is no single person making decisions or otherwise administering the system (such as an operator of a cloud computing system), and that there is no centralized place where it is located either.
Accordingly, by design, a blockchain’s records cannot be changed or deleted and is said to be ‘immutable’. This may affect your ability to exercise your rights such as your right to erasure (‘right to be forgotten’), the right to rectification of your data or your rights to object or restrict processing, of your personal data. Data on the blockchain cannot generally be erased or changed, although some smart contracts may be able to revoke certain access rights, and some content may be made invisible to others, however it is not deleted.
In certain circumstances, in order to provide you services through our app, it may be necessary to write certain personal data, such as your cryptographic signatures onto the blockchain; this is done through a smart contract and requires you to execute such transactions using your wallet’s private key.
In most cases ultimate decisions to (i) transact on the blockchain using your Ethereum or other cryptocurrency wallet address, as well as (ii) share the public key relating to your Ethereum or other cryptocurrency wallet address with anyone (including us) rests with you.
IF YOU WANT TO ENSURE YOUR PRIVACY RIGHTS ARE NOT AFFECTED IN ANY WAY, YOU SHOULD NOT TRANSACT ON BLOCKCHAINS OR USE THE BLOOM APP AS CERTAIN RIGHTS MAY NOT BE FULLY AVAILABLE OR EXERCISABLE BY YOU OR US.
IN PARTICULAR THE BLOCKCHAIN IS AVAILABLE TO THE PUBLIC AND ANY PERSONAL DATA SHARED ON THE BLOCKCHAIN WILL BECOME PUBLICLY AVAILABLE.
Information written on the blockchain
When you use the Bloom app, the following information may be written onto the Ethereum blockchain:
- the cryptographic wallet address from which you submitted the transaction;
- the amount of the cryptocurrency which you send as payment;
- the cryptographic wallet address to which you initiated the transaction;
- the cryptographic signature of a piece of your identity data such as phone number or date of birth; and/or
- the cryptographic wallet address of the entity with which you engaged in an identity attestation.
How we use your personal information
We use personal information about you in connection with the following purposes:
Provision of services and management:
- to provide you with the information, products and services that you have requested from us;
- to complete any transaction you are undertaking with us;
- to perform a contractual obligation we have to you; and/or
- to meet a legal or regulatory obligation.
- to ensure that content from our site and Bloom app is presented in the most effective manner for you;
- to administer our site and Bloom app and for internal business administration and operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;
- to notify you about changes to our service; and/or
- as part of our efforts to keep our site safe and secure.
- to provide you with information about other services we offer that are similar to those that you already have or have enquired about; and/or
- to provide you with other marketing material such as our Newsletter.
If you do not want your personal information to be used for marketing purposes, please contact us on the details below. Alternatively when you receive marketing materials from us you will be able to directly unsubscribe from them.
We use automated decision making as part of our services. Automated decision making is used when you elect to use our services in order to verify your identity, documentation, telephone number etc. We use automated decision making for this purpose as it allows us to offer an efficient service.
Certain third parties may also use certain automated decision-making tools or software. We are not responsible for the privacy practices of others and will take reasonable steps to bring such automated decision-making to your attention, but you are encouraged to become familiar with the privacy practices of any third parties you enter into any agreements with.
Use of Third Party Applications and Cookies
How long we keep your information for
We retain your information only for as long as is necessary for the purposes for which we process the information as set out in this Policy. Records can be held on a variety of media (physical or electronic) and formats.
Retention periods are determined based on the type of record, the nature of the record and activity and the legal or regulatory requirements that apply to those records. Typically, personal data which is collected pursuant to our legal obligations (such as AML) are retained for 5 years. Where personal data is collected pursuant to a contract or prior to the creation of a contract, these are retained for 6 years after the termination of the contract pursuant to our legitimate interests in defending any legal claims which may be brought against us.
However, we may retain your personal data for a longer period of time where such retention is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person, or where we have a legitimate interest to do so.
All personal data is retained in accordance with our internal Retention and Deletion Policy.
Sharing your personal information
We may pass your information to our Business Partners, third party service providers, agents, subcontractors and other associated organisations for the purposes of completing tasks and providing our services to you.
In order to comply with our legal obligations in respect of AML, we use a third-party service provider to collect and process some of your personal data. This third-party service provider is bound by strict legal and contractual obligations to protect your personal data.
In addition, when we use any other third party service providers, we will disclose only the personal information that is necessary to deliver the service required and we will ensure, via contractual obligations that these requires them to keep your information secure and not to use it for their own direct marketing purposes.
In addition, we may transfer your personal information to a third party as part of a sale of some, or all, of our business and assets or as part of any business restructuring or reorganisation, or if we are under a duty to disclose or share your personal data in order to comply with any legal obligation. However, we will take steps to ensure that your privacy rights continue to be protected.
Transferring your information outside of the European Economic Area
Sometimes our business partners, third party service providers, agents, subcontractors and other associated organisations may be located outside of the European Economic Area (EEA). The EEA includes the European Union countries as well as Iceland, Liechtenstein and Norway. Transfers outside of the EEA are sometimes referred to as ‘third country transfers’.
We may share your personal data with these third parties outside of the EEA where we have a legal basis for doing so such as to provide you with our services or because we ourselves use service providers outside the of EEA in order to operate our business. If we transfer your information outside of the EEA to third parties we will take steps to ensure that your privacy rights continue to be protected as outlined in this Policy. This may require us to take certain additional steps to ensure that appropriate safeguards are in place if that third country is not deemed by the European Commission to offer an adequate level of protection for your privacy rights, which may include use of contractual safeguards to allow you to be able to enforce your rights and ensure these are preserved. In certain circumstances, we may need to ask you for your explicit consent to such third country transfers, and will always do so in writing and giving you full information about why we need your consent and your right to withdraw that consent at any time (together with the consequences of withdrawal).
However, when interacting with the blockchain, as explained above in this Policy, the blockchain is a global decentralized public network and accordingly any personal data written onto the blockchain may be transferred and stored across the globe.
Your individual rights
You have certain rights under applicable legislation, and in particular under Regulation EU 2016/679 (General Data Protection Regulation or “GDPR”). We explain these below. You can find out more about the GDPR and your rights by accessing the European Commission’s website.
Right Information and access
You have a right to be informed about the processing of your personal data (and if you did not give it to us, information as to the source) and this Policy intends to provide the information. Of course, if you have any further questions you can contact us on the details below.
Right to rectification
You have the right to have any inaccurate personal information about you rectified and to have any incomplete personal information about you completed. You may also request that we restrict the processing of that information.
The accuracy of your information is important to us. If you do not want us to use your personal information in the manner set out in this Policy, or need to advise us of any changes to your personal information, or would like any more information about the way in which we collect and use your personal information, please contact us at the details below.
Right to erasure (right to be ‘forgotten’)
You have the general right to request the erasure of your personal information in the following circumstances:
- the personal information is no longer necessary for the purpose for which it was collected;
- you withdraw your consent to consent based processing and no other legal justification for processing applies;
- you object to processing for direct marketing purposes;
- we unlawfully processed your personal information; and
- erasure is required to comply with a legal obligation that applies to us.
However, when interacting with the blockchain, as explained above in this Policy, it will likely not be able to erase and permanently delete personal data which has been written onto the blockchain. In these circumstances, we will use our reasonable endeavours to ensure that all personal data held by us is permanently deleted. However, notwithstanding this, your right to erasure may not be able to be fully complied with.
We will proceed to comply with an erasure request without delay unless continued retention is necessary for:
- exercising the right of freedom of expression and information;
- complying with a legal obligation under EU or other applicable law;
- the performance of a task carried out in the public interest;
- archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, under certain circumstances; and/or
- the establishment, exercise, or defence of legal claims.
Right to restrict processing and right to object to processing
You have a right to restrict processing of your personal information, such as where:
- you contest the accuracy of the personal information;
- where processing is unlawful you may request, instead of requesting erasure, that we restrict the use of the unlawfully processed personal information; and/or
- we no longer need to process your personal information but need to retain your information for the establishment, exercise, or defence of legal claims.
You also have the right to object to processing of your personal information under certain circumstances, such as where the processing is based on your consent and you withdraw that consent. This may impact the services we can provide and we will explain this to you if you decide to exercise this right.
However, when interacting with the blockchain, as explained above in this Policy, it will likely not be able to prevent external parties from processing any personal data which has been written onto the blockchain. In these circumstances we will use our reasonable endeavours to ensure that all processing of personal data held by us is restricted, notwithstanding this, your right to restrict to processing may not be able to be fully enforced.
Right to data portability
Where the legal basis for our processing is your consent or the processing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract, you have a right to receive the personal information you provided to us in a structured, commonly used and machine-readable format, or ask us to send it to another person.
Right to freedom from automated decision-making
Where automated decision-making takes place, you have the right in this case to express your point of view and to contest the decision, as well as request that decisions based on automated processing concerning you or significantly affecting you and based on your personal data are made by natural persons, not only by computers.
Right to object to direct marketing (‘opting out’)
You have a choice about whether or not you wish to receive information from us.
We will not contact you for marketing purposes unless:
- you have a business relationship with us, and we rely on our legitimate interests as the lawful basis for processing (as described above); and/or
- you have otherwise given your prior consent (such as when you download one of our guides)
You can change your marketing preferences at any time by contacting us on the below details. On each and every marketing communication, we will always provide the option for you to exercise your right to object to the processing of your personal data for marketing purposes (known as ‘opting-out’) by clicking on the ‘unsubscribe’ button on our marketing emails or choosing a similar opt-out option on any forms we use to collect your data. You may also opt-out at any time by contacting us on the below details.
Please note that any administrative or service-related communications (to offer our services, or notify you of an update to this Policy or applicable terms of business, etc.) will solely be directed at our clients or business partners, and such communications generally do not offer an option to unsubscribe as they are necessary to provide the services requested. Therefore, please be aware that your ability to opt-out from receiving marketing and promotional materials does not change our right to contact you regarding your use of our website or as part of a contractual relationship we may have with you.
Right to request access
You also have a right to access information we hold about you. We are happy to provide you with details of your personal information that we hold or process. To protect your personal information, we follow set storage and disclosure procedures, which mean that we will require proof of identity from you prior to disclosing such information. You can exercise this right at any time by contacting us on the details below.
Right to withdraw consent
Where the legal basis for processing your personal information is your consent, you have the right to withdraw that consent at any time by contacting us on the below details.
Raising a complaint about how we have handled your personal data
If you wish to raise a complaint on how we have handled your personal data, you can contact us as set out below and we will then investigate the matter.
Right to lodge a complaint with a relevant supervisory authority
If we have not responded to you within a reasonable time or if you feel that your complaint has not been resolved to your satisfaction, you are entitled to make a complaint to the supervisory authority in the country of your habitual residence, place of work, or the place where you allege an infringement of one or more of your rights has taken place, if that is based in the EEA.
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
We may provide hyperlinks from this website to websites of other organisations or associated companies. Please note that we will not be liable for the contents of linked websites or any transactions carried out with organisations operating those websites. The privacy policies of others may differ significantly from our Policy. Therefore, we encourage you to read the privacy statement/policy of each and every website that collects personal data.
Review of this Policy
We may make changes to this Policy from time to time. Where we do so, we will notify those who have a business relationship with us or who are subscribed to our emailing lists directly of the changes, and change the ‘Last updated’ date above. We encourage you to review the Policy whenever you access or use our website to stay informed about our information practices and the choices available to you. If you do not agree to the revised Policy, you should discontinue your use of this website.
Any questions regarding our Policy or your rights as a Data Subject should be sent to:
Bloom Protocol LLC
189 S Orange Ave Suite 1130b, Orlando, FL 32801
Questions can also be sent by email to: email@example.com