Last updated: April 3, 2026
Privacy Policy
Introduction
This privacy policy explains how Torcalianov SRL ("we", "us", "our") collects, uses, and protects your personal data when you use Bloompath (bloompath.eu), our web-based floral business management platform. We are committed to protecting your privacy and handling your data transparently in compliance with the EU General Data Protection Regulation (GDPR).
What we collect
We collect only what is necessary to provide the service:
- Account information: your name, email address, and password (stored securely using one-way hashing — we cannot read your password).
- Business information: company name and, optionally, Tax ID or VAT number for invoicing purposes.
- User content: the materials, recipes, events, clients, invoices, and other business data you create within the application. This is your data — you own it.
- Technical information: basic server logs (IP address, browser type, request timestamps) required to operate and secure the service.
Why we collect it
- To provide, maintain, and improve the Bloompath service.
- To authenticate your identity and secure your account.
- To send you essential communications: account verification, password resets, and important service updates. We do not send marketing emails unless you explicitly opt in.
- To support invoicing features when you provide Tax ID or VAT details.
- To detect and prevent abuse, fraud, and security threats.
How we store your data
Your data is stored on servers located within the European Union. We use industry-standard security measures including encrypted connections (TLS/HTTPS), one-way password hashing, role-based access controls, and regular security updates. Only authorized personnel can access production systems, and access is logged.
We do not sell, rent, trade, or otherwise share your personal data with third parties for marketing, advertising, or profiling purposes. We have no third-party analytics, tracking pixels, or advertising scripts on our platform.
Third-party services
We minimize reliance on third parties. Currently, the only external services involved are:
- Email delivery: we use a transactional email provider to send account verification and password reset emails. These emails contain only the minimum data required (your email address and a secure token).
- Error tracking (legitimate interest): we use Sentry (hosted in the EU, Frankfurt region) to automatically capture application crashes so we can fix bugs quickly. Error reports contain a stack trace, the URL where the error happened, and a random session identifier — they do not contain your form inputs or business content. We rely on GDPR Article 6(1)(f) legitimate interest for this because it is strictly necessary to keep the service secure and reliable.
- Product analytics (consent-based): with your consent, we use PostHog (hosted in the EU, Frankfurt region) to understand how Bloompath is used so we can improve it. PostHog records page views, clicks on key actions, and — when you have accepted — a session replay with all input fields and sensitive form data masked. You can decline at any time; if you decline, no data is sent to PostHog.
- Invoicing integrations (optional): if you choose to connect SmartBill, Oblio, Pennylane, Lexware, or another invoicing provider, the invoice data you explicitly send through those integrations will be processed according to their respective privacy policies. No data is shared with them unless you initiate the action.
Cookies & local storage
Bloompath uses minimal browser storage, strictly necessary for the service to function:
- Authentication token: stored in localStorage to keep you logged in across sessions. This is not a tracking mechanism — it simply proves your identity to our server.
- Language preference: a small cookie that remembers your chosen language.
- Analytics consent choice: a single localStorage entry that remembers whether you accepted or declined product analytics, so we do not ask you again on every visit.
- Product analytics (only if you accept): if you accept analytics, PostHog stores a distinct-ID cookie and a session-replay identifier to tie events together within a session. These are removed if you decline or log out.
When you first arrive at Bloompath, we show a small bar asking whether to enable product analytics. Analytics are off by default; error tracking runs regardless because it is strictly necessary to keep the service reliable.
Data retention
We retain your account and business data for as long as your account is active. If you request deletion of your account, we will permanently remove all your personal data and business content within 30 days. Encrypted backups may be retained for up to 90 days for disaster recovery purposes, after which they are automatically purged.
PostHog product-analytics events and session replays are retained for 12 months and then automatically deleted. Sentry error reports are retained for 90 days. Both services are hosted in the EU (Frankfurt).
Your rights under GDPR
As a data subject in the EU, you have the right to:
- Access: request a copy of the personal data we hold about you.
- Rectification: request correction of inaccurate or incomplete data.
- Erasure: request deletion of your account and all associated data ("right to be forgotten").
- Restriction: request that we limit how your data is processed while a concern is being resolved.
- Portability: request your data in a structured, machine-readable format.
- Objection: object to the processing of your data where we rely on legitimate interests.
To exercise any of these rights, email us at support@bloompath.eu. We will respond within 30 days.
Children
Bloompath is a business management tool not directed at children. You must be at least 16 years old to create an account. We do not knowingly collect data from anyone under 16. If we become aware that we have, we will delete it promptly.
Changes to this policy
We may update this privacy policy from time to time. If we make material changes, we will notify you via email or through a notice in the application at least 30 days before the changes take effect. The "Last updated" date at the top of this page reflects the most recent revision.
Contact
If you have any questions about this privacy policy or how we handle your data, contact us at support@bloompath.eu.