Privacy Policy
Effective date: March 31, 2026
Last updated: March 31, 2026
1. Introduction & Scope
This Privacy Policy explains how Not Blossom ("we", "us", "our") collects, uses, stores, and protects your personal data when you use our nutrition and diet generation platform ("the Service"), including our web application at notblossom.com, iOS app, and Android app.
This policy applies to all users of the Service regardless of how they access it — web browser, mobile app, or connected devices (smart scales).
By using the Service, you acknowledge that you have read and understood this Privacy Policy. Where we rely on consent as a legal basis, we will ask for it explicitly before processing your data.
2. Data Controller
Not Blossom is currently operated by its founder. Incorporation in the State of Delaware, United States, is in progress. Upon incorporation, this section will be updated with the registered entity name, address, and tax identification number.
Contact email: privacy@notblossom.com
We comply with the General Data Protection Regulation (EU) 2016/679 ("GDPR") when processing personal data of individuals in the European Economic Area (EEA) and the United Kingdom. We also comply with the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA"), for California residents.
3. Data We Collect
3.1 Account Data
- Email address — used as your unique account identifier and for all communications.
We do not collect your name, phone number, or physical address unless you voluntarily provide them.
3.2 Authentication Data
- One-time passcodes (OTP) — we use email-based OTP codes for authentication. We do not use passwords. OTP codes are ephemeral: they expire within minutes of issuance and are not stored after verification.
- Session tokens — generated upon successful OTP verification to maintain your logged-in state.
3.3 Health & Body Composition Data
When you connect a compatible BLE smart scale to the Service, we collect:
- Weight
- Body fat percentage
- Muscle mass
- Bone mass
- Body water percentage
- BMI (Body Mass Index)
- Basal metabolic rate (BMR)
- Visceral fat rating
This data is classified as special category data under GDPR Article 9 (health data). We process it only with your explicit consent.
3.4 Physical Attributes
You may voluntarily provide:
- Biological sex
- Height
- Date of birth
These attributes are used alongside body composition data to generate personalized nutrition plans.
3.5 AI Conversation History
When you interact with our AI nutrition agent, we store:
- Your messages and queries
- AI-generated responses and recommendations
- Diet plans and nutritional guidance produced during the conversation
Conversation history is retained to provide continuity across sessions and to improve the quality of your personalized recommendations.
3.6 Payment Data
Subscription billing is handled entirely by Stripe, Inc. We do not receive, process, or store your full credit card number, CVV, or other sensitive payment credentials.
We do receive from Stripe:
- Subscription status and plan type
- Payment confirmation and invoice identifiers
- Billing dates
- Last four digits of your card (for display purposes only)
3.7 Device Data
For connected smart scales and other BLE devices:
- Device identifiers (serial number, MAC address)
- Firmware version
- BLE pairing information
- Device registration and provisioning status
3.8 Usage Data
We collect basic usage analytics:
- Pages and features visited
- Session duration and frequency
- Device type, operating system, and browser
- Error logs and crash reports
We do not use third-party advertising trackers or analytics platforms that profile you across other websites.
3.9 HealthKit & Health Connect Data
If you grant permission, our mobile apps may read from or write to:
- Apple HealthKit (iOS) — body measurements, weight, body fat percentage
- Google Health Connect (Android) — equivalent body composition metrics
This integration is entirely optional and initiated only by you. We access only the specific data categories you authorize. We never sell HealthKit or Health Connect data, use it for advertising, or share it with third parties beyond what is described in this policy.
4. How We Use Your Data
| Purpose | Data categories used |
|---|---|
| Deliver the Service — generate personalized diet and nutrition plans | Health data, physical attributes, AI conversation history |
| AI personalization — tailor recommendations based on your body composition trends | Health data, physical attributes, conversation history |
| Authentication — verify your identity when you sign in | Email address, OTP codes |
| Billing — process subscription payments and manage your plan | Email address, payment data (via Stripe) |
| Device management — pair, provision, and receive data from your smart scale | Device data, health data |
| Product improvement — understand usage patterns to improve features | Usage data (aggregated and anonymized where possible) |
| Communications — send transactional emails (OTP codes, payment receipts, subscription updates) | Email address |
| Legal compliance — respond to lawful requests, enforce our terms | All categories as required |
We do not use your data to serve advertisements or build advertising profiles.
5. Legal Basis for Processing
Under GDPR Article 6 (and Article 9 for health data), we rely on the following legal bases:
| Legal basis | Applies to |
|---|---|
| Explicit consent (Art. 6(1)(a) together with Art. 9(2)(a)) | Health and body composition data, HealthKit/Health Connect integration |
| Performance of a contract (Art. 6(1)(b)) | Account creation, service delivery, AI nutrition plans, subscription billing |
| Legitimate interest (Art. 6(1)(f)) | Usage analytics for product improvement, security monitoring, fraud prevention |
| Legal obligation (Art. 6(1)(c)) | Tax and billing records retention, responding to legal requests |
You may withdraw consent at any time (see Section 9). Withdrawal does not affect the lawfulness of processing performed before withdrawal.
6. Data Sharing & Third Parties
We share personal data only with the following categories of third parties, and only to the extent necessary:
6.1 Stripe, Inc.
- Purpose: Payment processing and subscription management.
- Data shared: Email address, subscription plan, payment events.
- Stripe's privacy policy: https://stripe.com/privacy
6.2 Amazon Web Services (AWS)
- Purpose: Cloud infrastructure — hosting, data storage, email delivery (SES), database services.
- Data shared: All data described in Section 3 is stored on AWS infrastructure.
- Region: US East (us-east-1).
- AWS's privacy policy: https://aws.amazon.com/privacy/
6.3 Anthropic (Claude AI)
- Purpose: AI-powered nutrition consultations and diet plan generation.
- Data shared: Conversation messages, relevant health data and physical attributes needed to generate personalized recommendations.
- Anthropic's privacy policy: https://www.anthropic.com/privacy
6.4 Apple HealthKit / Google Health Connect
- Purpose: Optional user-initiated sync of body composition data between our app and the device health platform.
- Data shared: Only the categories you explicitly authorize.
- These integrations are governed by Apple's and Google's respective privacy policies.
6.5 What We Do Not Do
- We do not sell your personal data to anyone.
- We do not share data with advertising networks.
- We do not allow third parties to use your data for their own independent purposes beyond what is described above.
7. International Data Transfers
Our infrastructure is hosted on AWS in the United States (us-east-1 region). If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, your data will be transferred to the United States.
We ensure adequate protection for these transfers through:
- Standard Contractual Clauses (SCCs) approved by the European Commission, incorporated into our agreements with AWS, Stripe, and Anthropic.
- Supplementary measures including encryption in transit and at rest, access controls, and data minimization.
You may request a copy of the applicable SCCs by contacting us at privacy@notblossom.com.
8. Data Retention
| Data category | Retention period |
|---|---|
| Account data (email) | Until you delete your account |
| Authentication data (OTP codes) | Deleted immediately after verification or expiration (max 10 minutes) |
| Session tokens | Expire after 30 days of inactivity; revoked on logout |
| Health & body composition data | Until you delete your account or request erasure |
| Physical attributes | Until you delete your account or request erasure |
| AI conversation history | Until you delete your account or request erasure; may be retained in anonymized form for model improvement |
| Payment data | Transaction records retained for 7 years per IRS record-keeping requirements |
| Device data | Until the device is unpaired or account is deleted |
| Usage data | Aggregated and anonymized within 12 months; raw data deleted |
| HealthKit / Health Connect data | Stored only in the respective platform; we do not independently retain a copy beyond the active session |
When you delete your account, we remove or anonymize all personal data within 30 days, except where retention is required by law.
9. Your Rights
Under GDPR, you have the following rights regarding your personal data:
| Right | Description |
|---|---|
| Access (Art. 15) | Request a copy of all personal data we hold about you |
| Rectification (Art. 16) | Correct inaccurate or incomplete data |
| Erasure (Art. 17) | Request deletion of your data ("right to be forgotten") |
| Restriction (Art. 18) | Request that we limit processing of your data |
| Data portability (Art. 20) | Receive your data in a structured, machine-readable format |
| Object (Art. 21) | Object to processing based on legitimate interest |
| Withdraw consent (Art. 7(3)) | Withdraw consent at any time for consent-based processing |
| Lodge a complaint | File a complaint with your local data protection supervisory authority (see Section 14) |
To exercise any of these rights, contact us at privacy@notblossom.com. We will respond within 30 days. We may ask you to verify your identity via OTP before processing your request.
You can also delete your account and associated data directly from the app settings.
10. Data Security
We implement technical and organizational measures to protect your data:
- Encryption in transit: All data transmitted between your device and our servers uses TLS 1.2+.
- Encryption at rest: All stored data is encrypted using AES-256 (AWS-managed keys).
- Access controls: Role-based access with the principle of least privilege. Production data access is restricted and audited.
- Infrastructure security: AWS-managed infrastructure with network isolation, security groups, and automated patching.
- Authentication security: OTP-based authentication removes password-related attack vectors (credential stuffing, password reuse, theft or phishing of static credentials). Because the one-time code is delivered to your email address, the security of your account depends on the security of that email account; we recommend protecting it with multi-factor authentication.
- Payment security: Card data is handled exclusively by Stripe, a PCI DSS Level 1 certified processor. We never see or store full card numbers.
No system is 100% secure. If we discover a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of it, as required by GDPR Article 33. Where the breach is likely to result in a high risk to you, we will also notify you directly without undue delay, as required by GDPR Article 34.
11. Children's Privacy
The Service is intended for users aged 18 and older. We do not knowingly collect personal data from anyone under 18.
If you believe a minor has provided us with personal data, please contact us at privacy@notblossom.com and we will promptly delete it.
12. Cookies & Tracking
We use a minimal set of cookies strictly necessary for the Service to function:
| Cookie | Purpose | Duration | Type |
|---|---|---|---|
| Session cookie | Maintain your authenticated session | Session / 30 days | Essential |
| Device override | Remember your device-type preference (desktop/mobile) | Persistent | Functional |
We do not use:
- Third-party advertising cookies
- Cross-site tracking pixels
- Social media tracking widgets
- Analytics cookies that identify individual users
Because we use only essential cookies, no cookie consent banner is required under ePrivacy Directive Article 5(3). If we introduce non-essential cookies in the future, we will update this policy and implement a consent mechanism.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes:
- We will update the "Last updated" date at the top.
- We will notify you via email or an in-app notification at least 14 days before the changes take effect.
- Continued use of the Service after the effective date constitutes acceptance of the updated policy. If you disagree, you may delete your account.
14. Contact
For any privacy-related questions, requests, or complaints:
Email: privacy@notblossom.com
Not Blossom is currently operated by its founder. Incorporation in the State of Delaware, United States, is in progress. Upon incorporation, the registered entity name, address, and tax identification number will be published here.
If you reside in the EEA and are unsatisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority. For example, in Spain, the Agencia Española de Protección de Datos (AEPD):
- Website: https://www.aepd.es
- Address: C/ Jorge Juan, 6, 28001 Madrid, Spain
