Privacy Policy and Notice of Privacy Practices

Last Updated: May 1, 2026 | Effective: May 1, 2026

Welcome to Bloom360. This document combines our Platform Privacy Policy (Part One) and our HIPAA Notice of Privacy Practices (Part Two) into a single resource so you can understand how we collect, use, share, and protect your information — both as a user of our digital platform and as a patient receiving healthcare services. We encourage you to read this document carefully. If you have questions, please contact us at privacy@bloom360.com.

Table of Contents

  • Part One: Privacy Policy
    • 1. What This Policy Covers
    • 2. Information We Collect
    • 3. How We Use Your Information
    • 4. When We Share Your Information
    • 5. Cookies and Tracking Technologies
    • 6. Security
    • 7. Data Retention
    • 8. Children's Privacy
    • 9. Your Privacy Rights
    • 10. State-Specific Privacy Rights
    • 11. Third-Party Links
    • 12. International Visitors
    • 13. Artificial Intelligence
    • 14. Changes to This Policy
    • 15. Contact Us
  • Part Two: HIPAA Notice of Privacy Practices
    • A. Who This Notice Applies To
    • B. How We May Use and Disclose Your Protected Health Information
    • C. Uses and Disclosures Requiring Your Written Authorization
    • D. Your HIPAA Rights
    • E. Our Legal Duties
    • F. How to File a HIPAA Complaint
    • G. Changes to This Notice

PART ONE: Privacy Policy

1. What This Policy Covers

This Privacy Policy describes how Bloom360, Inc. ("Bloom360," "we," "us," or "our") collects, uses, discloses, and protects information when you visit our website, use our mobile applications, access our telehealth platform, or otherwise interact with our services (collectively, the "Services"). This Policy applies to all users, including members, prospective members, website visitors, and anyone who communicates with us.

By using our Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use our Services.

2. Information We Collect

We collect information in the following ways:

2.1 Information You Provide Directly

  • Account and Registration Data: Name, email address, phone number, date of birth, mailing address, sex assigned at birth, gender identity, and account credentials.
  • Health and Medical Information: Health history, current medications, allergies, symptoms, diagnoses, treatment plans, lab results, and other clinical data you share with your care team.
  • Insurance and Payment Data: Credit or debit card information, billing address, and insurance details (if applicable).
  • Identity Verification Data: Government-issued identification, photographs, and related documents used for identity verification purposes.
  • Communications: Messages, emails, chat transcripts, telehealth visit notes, and other content you provide when communicating with us or your care team.
  • Survey and Feedback Data: Responses to health assessments, satisfaction surveys, and feedback forms.

2.2 Information We Collect Automatically

  • Device and Browser Information: IP address, browser type and version, operating system, device identifiers, screen resolution, and language preferences.
  • Usage Data: Pages visited, features used, click patterns, session duration, referring URLs, and search queries within our platform.
  • Location Data: Approximate geographic location based on IP address or, with your consent, more precise location data from your device.
  • Cookies and Similar Technologies: Information collected through cookies, pixels, web beacons, and similar tracking technologies (see Section 5).

2.3 Information from Third Parties

  • Healthcare Providers: Medical records, referral information, and clinical data from other healthcare providers involved in your care (with your consent or as permitted by law).
  • Health Information Exchanges: Clinical data obtained through authorized health information exchange networks.
  • Partners and Service Providers: Information from laboratories, pharmacies, and other partners who support your care.
  • Public Sources: Publicly available information that supplements the data we already hold.

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Providing Care: To deliver telehealth consultations, create treatment plans, coordinate referrals, communicate with your care team, and manage your health records.
  • Account Management: To create and manage your account, process payments, verify your identity, and maintain your membership.
  • Improving Our Services: To analyze usage patterns, conduct research, develop new features, and enhance the quality of care and user experience.
  • Communications: To send appointment reminders, health tips, service updates, billing notices, and respond to your inquiries.
  • Safety and Security: To detect and prevent fraud, unauthorized access, and other harmful activities; to protect the rights, safety, and property of Bloom360, our members, and the public.
  • Legal Compliance: To comply with applicable laws, regulations, legal processes, and governmental requests.
  • Marketing: With your consent where required, to send promotional materials about our services. You may opt out of marketing communications at any time.
  • Quality Assurance: To conduct internal audits, quality improvement activities, and training for our care team.
  • De-identified Data: We may de-identify or aggregate your information so it can no longer identify you, and use such data for research, analytics, and business purposes without restriction.

4. When We Share Your Information

We do not sell your personal information. We may share your information in the following circumstances:

  • Service Providers: We share information with trusted third-party vendors who perform services on our behalf, such as payment processing, cloud hosting, analytics, customer support, and IT security. These providers are contractually obligated to protect your information and use it only for the purposes we specify.
  • Affiliates: We may share information with our corporate affiliates and subsidiaries for purposes consistent with this Privacy Policy. No mobile information will be shared with third parties or affiliates for marketing or promotional purposes. All the above categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties.
  • Legal Requirements: We may disclose information when required by law, regulation, legal process, or governmental request, including in response to subpoenas, court orders, or law enforcement requests.
  • Business Transactions: In connection with a merger, acquisition, reorganization, sale of assets, or bankruptcy, your information may be transferred as part of the transaction. We will notify you of any such change in ownership or control.
  • With Your Consent: We may share information with third parties when you have provided your explicit consent to do so.
  • De-identified Data: We may share de-identified or aggregated data that cannot reasonably be used to identify you with third parties for research, analytics, or other purposes.
  • Healthcare Operations: As described in Part Two of this document, we may share your protected health information for treatment, payment, and healthcare operations as permitted under HIPAA.

5. Cookies and Tracking Technologies

We use cookies, pixels, web beacons, and similar technologies to enhance your experience, analyze usage, and deliver relevant content. The types of cookies we use include:

  • Strictly Necessary Cookies: Required for the operation of our Services, such as session management and security.
  • Performance and Analytics Cookies: Help us understand how visitors interact with our platform so we can improve functionality and user experience.
  • Functional Cookies: Remember your preferences and settings to provide a personalized experience.
  • Marketing Cookies: Used to deliver relevant advertisements and track the effectiveness of our marketing campaigns.

You can manage your cookie preferences through your browser settings or through our cookie consent banner. Please note that disabling certain cookies may affect the functionality of our Services. We honor Global Privacy Control (GPC) and Do Not Track (DNT) signals where required by applicable law.

6. Security

We implement administrative, technical, and physical safeguards designed to protect your information from unauthorized access, use, disclosure, alteration, or destruction. These measures include encryption of data in transit and at rest, access controls, regular security assessments, employee training, and incident response procedures. While we strive to protect your information, no method of transmission over the Internet or electronic storage is completely secure, and we cannot guarantee absolute security.

7. Data Retention

We retain your information for as long as necessary to fulfill the purposes described in this Policy, comply with legal obligations, resolve disputes, and enforce our agreements. Medical records are retained in accordance with applicable state and federal requirements, which generally require retention for a minimum of seven (7) years from the date of the last encounter, or longer as required by law. When information is no longer needed, we securely delete or de-identify it.

8. Children's Privacy

Bloom360 Services are available to individuals aged 16 and older. For members between the ages of 16 and 17, we require parental or legal guardian consent before the minor can create an account or receive services. We do not knowingly collect personal information from children under the age of 16. If we learn that we have collected information from a child under 16 without appropriate consent, we will take steps to delete that information promptly. If you believe a child under 16 has provided us with personal information, please contact us at privacy@bloom360.com.

9. Your Privacy Rights

Depending on your location and applicable law, you may have the following rights regarding your personal information:

  • Right to Know / Access: You have the right to request information about the categories and specific pieces of personal information we have collected about you, the purposes for which we use it, and the categories of third parties with whom we share it.
  • Right to Correct: You have the right to request that we correct inaccurate personal information we maintain about you.
  • Right to Delete: You have the right to request that we delete your personal information, subject to certain legal exceptions (e.g., medical record retention requirements).
  • Right to Opt-Out of Sale or Sharing: We do not sell your personal information. If this practice changes, you will have the right to opt out.
  • Right to Limit Use of Sensitive Personal Information: You have the right to limit how we use your sensitive personal information to purposes necessary for providing our Services.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights.

To exercise any of these rights, please contact us at privacy@bloom360.com. We will verify your identity before processing your request and respond within the timeframes required by applicable law. You may also designate an authorized agent to make a request on your behalf.

10. State-Specific Privacy Rights

Residents of certain states may have additional privacy rights under their respective state laws, including but not limited to the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), and similar state privacy laws. If you are a resident of one of these states, please review the following:

  • California Residents: You have the right to know, delete, correct, and opt out of the sale or sharing of your personal information. You may also request information about our data practices by contacting us. We do not sell personal information. To the extent our Services are subject to the CCPA/CPRA, the rights described in Section 9 above apply.
  • Virginia, Colorado, Connecticut, and Other State Residents: You may have rights to access, correct, delete, obtain a copy of your data, and opt out of targeted advertising, profiling, or sale of personal data. To exercise these rights, contact us at privacy@bloom360.com.

If we deny your request, you may have the right to appeal. To appeal a decision, please contact us at privacy@bloom360.com with the subject line "Privacy Rights Appeal."

11. Third-Party Links

Our Services may contain links to third-party websites, applications, or services that are not operated by Bloom360. This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party services you access through our platform. We are not responsible for the privacy practices or content of third-party services.

12. International Visitors

Bloom360 is based in the United States and our Services are designed for use within the United States. If you access our Services from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your jurisdiction. By using our Services, you consent to the transfer of your information to the United States.

13. Artificial Intelligence

Bloom360 may use artificial intelligence (AI) and machine learning tools to support our care team in delivering services to you. These tools may assist with tasks such as clinical documentation, care plan recommendations, health risk assessments, and administrative workflows.

AI tools support — but do not replace — clinical decision-making by your licensed healthcare providers. All clinical decisions are made by qualified healthcare professionals who exercise independent medical judgment.

We require all AI vendors and partners to enter into HIPAA-compliant Business Associate Agreements (BAAs) and adhere to our data security and privacy standards. We do not use your personal health information to train general-purpose AI models without your explicit consent.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements, or for other operational reasons. When we make material changes, we will provide at least fourteen (14) days' advance notice by posting the updated Policy on our website and, where appropriate, notifying you by email or through our platform. The "Last Updated" date at the top of this document indicates when the most recent revisions were made. Your continued use of our Services after the effective date of any changes constitutes your acceptance of the updated Policy.

15. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

  • Email: privacy@bloom360.com
  • Mail: Bloom360, Inc., Attn: Privacy Officer, 4444 2nd Ave Ste 30674, Detroit, MI 48201

PART TWO: HIPAA Notice of Privacy Practices

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

A. Who This Notice Applies To

This Notice of Privacy Practices ("Notice") applies to Bloom360, Inc. and its affiliated healthcare providers, workforce members, and business associates who create, receive, maintain, or transmit your protected health information (PHI) in connection with the healthcare services we provide. PHI includes any individually identifiable health information relating to your past, present, or future physical or mental health condition, the provision of healthcare, or payment for healthcare.

B. How We May Use and Disclose Your Protected Health Information

We may use and disclose your PHI without your written authorization for the following purposes:

  • Treatment: We may use and disclose your PHI to provide, coordinate, or manage your healthcare and related services. For example, your primary care provider may share your health information with a dietitian or physical therapist on your care team to coordinate your treatment plan.
  • Payment: We may use and disclose your PHI to bill and collect payment for the services we provide. This includes sending billing information to you or to a third-party payer.
  • Healthcare Operations: We may use and disclose your PHI for our internal operations, including quality improvement, auditing, staff training, credentialing, and business planning activities that support the delivery of care.
  • Required by Law: We may use or disclose your PHI when required to do so by federal, state, or local law.
  • Public Health Activities: We may disclose your PHI to public health authorities for purposes such as preventing or controlling disease, injury, or disability; reporting births, deaths, or suspected abuse; and notifying individuals of product recalls or adverse events.
  • Health Oversight Activities: We may disclose your PHI to a health oversight agency for activities authorized by law, including audits, investigations, inspections, and licensure actions.
  • Abuse, Neglect, or Domestic Violence: We may disclose your PHI to appropriate government authorities if we reasonably believe you are a victim of abuse, neglect, or domestic violence, as required or authorized by law.
  • Decedents: We may disclose PHI to a coroner, medical examiner, or funeral director as necessary for them to carry out their duties.
  • Research: Under certain circumstances, we may use or disclose your PHI for research purposes, provided the research has been approved by an institutional review board or privacy board that has reviewed the research protocol and established safeguards for the privacy of your information.
  • Serious Threats to Health or Safety: We may use or disclose your PHI when necessary to prevent or lessen a serious and imminent threat to your health or safety or to the health or safety of the public or another person.
  • Workers' Compensation: We may disclose your PHI as authorized by and necessary to comply with workers' compensation laws.
  • Business Associates: We may disclose your PHI to our business associates who perform services on our behalf, such as data hosting, analytics, billing, or IT support. All business associates are required to sign a HIPAA-compliant Business Associate Agreement and protect the confidentiality and security of your PHI.

C. Uses and Disclosures Requiring Your Written Authorization

We will obtain your written authorization before using or disclosing your PHI for the following purposes:

  • Psychotherapy Notes: Uses and disclosures of psychotherapy notes (where applicable) require your written authorization, except in limited circumstances permitted by law.
  • Marketing with Remuneration: If we receive payment from a third party in exchange for making a communication to you about their products or services, we will obtain your written authorization before doing so.
  • Sale of PHI: We will not sell your PHI without your written authorization, except as permitted by HIPAA (e.g., for public health purposes or research).

You may revoke any authorization you provide at any time by submitting a written request to us. Revocation will not affect any uses or disclosures made in reliance on the authorization prior to its revocation.

D. Your HIPAA Rights

You have the following rights with respect to your PHI:

  • Right to Access: You have the right to inspect and obtain a copy of your PHI maintained in a designated record set. We may charge a reasonable, cost-based fee for providing copies. We will respond to your request within 30 days (or 60 days with a written extension).
  • Right to Amendment: You have the right to request that we amend your PHI if you believe it is inaccurate or incomplete. We may deny your request under certain circumstances (e.g., if the information was not created by us, or if it is already accurate and complete), and we will provide a written explanation for any denial.
  • Right to an Accounting of Disclosures: You have the right to request a list of certain disclosures of your PHI that we have made. This accounting does not include disclosures made for treatment, payment, or healthcare operations, or disclosures authorized by you.
  • Right to Request Restrictions: You have the right to request restrictions on how we use or disclose your PHI for treatment, payment, or healthcare operations. We are not required to agree to your request, except that we must agree to restrict disclosures to a health plan for services you paid for in full out of pocket.
  • Right to Confidential Communications: You have the right to request that we communicate with you about your health information by alternative means or at alternative locations (e.g., sending correspondence to a different address or contacting you only by email).
  • Right to a Paper Copy: You have the right to obtain a paper copy of this Notice upon request, even if you previously agreed to receive it electronically.
  • Right to Breach Notification: You have the right to be notified if a breach of your unsecured PHI occurs. We will notify you in accordance with HIPAA requirements.

To exercise any of these rights, please contact us at privacy@bloom360.com or write to Bloom360, Inc., Attn: Privacy Officer, 4444 2nd Ave Ste 30674, Detroit, MI 48201.

E. Our Legal Duties

We are required by law to maintain the privacy and security of your protected health information, provide you with this Notice of our legal duties and privacy practices with respect to your PHI, notify you following a breach of unsecured PHI, and abide by the terms of this Notice currently in effect. We reserve the right to change the terms of this Notice and to make the revised Notice effective for all PHI we already maintain as well as any PHI we create or receive in the future.

F. How to File a HIPAA Complaint

If you believe your privacy rights have been violated, you may file a complaint with Bloom360 or with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR).

  • File with Bloom360: Contact our Privacy Officer at privacy@bloom360.com or write to Bloom360, Inc., Attn: Privacy Officer, 4444 2nd Ave Ste 30674, Detroit, MI 48201.
  • File with HHS OCR: You may file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights, 200 Independence Avenue SW, Washington, DC 20201. You may call 1-877-696-6775 or visit www.hhs.gov/ocr/complaints.

We will not retaliate against you for filing a complaint.

G. Changes to This Notice

We reserve the right to change this Notice at any time. Any changes will apply to all PHI we maintain, including information created or received before the changes. When we make material changes, we will post the revised Notice on our website and make it available to you upon request. The effective date of the current Notice is listed at the top of this document.

Contact Information

If you have any questions about this Privacy Policy and Notice of Privacy Practices, please contact us: