Privacy · June 12, 2026
Privacy notice.
This notice explains what LOOKSY TECH - FZCO (“Bloomsee”, “we”, “our”) collects when you use bloomsee.app or the Bloomsee Plus service (together, the “Service”), what we do with it, and the rights you have. It is written for users in the regions where Bloomsee currently offers the Service, as determined at signup. The Service is not available in all jurisdictions; eligibility is enforced at checkout.
Plain-English summary. You upload one reference photo. We use it — and only it — to generate the styled photos you ask for. We store it encrypted, we do not sell it, we do not train AI on it ourselves (vendor-side AI practices vary; see section 3), and we delete it when you tell us to from your account page. Stripe handles your payment card; we never see your card number, CVC, or PIN — only the last four digits, card brand, expiry, and the city / postal code / state / country attached to it. We send transactional emails through a third-party email provider and route image generation through third-party AI image-generation providers. Full detail follows.
1. Information we collect
Account & subscription. Email address (you provide and verify it at sign-up; for subscriptions started through an off-site checkout link, Stripe collects it at Checkout and sends it to us). Stripe customer and subscription identifiers, where you have started a subscription. Subscription tier, status, period start and end, trial start and end, and cancellation timestamp. Whether you have affirmed you are 18 or older (timestamp only). Whether you have viewed your history (timestamp only).
Reference photograph and biometric identifiers. The single photograph you upload at onboarding and any photograph you upload to replace it. We derive a reusable photo profile (the “Photo Profile”) from that photograph. Under Illinois law (740 ILCS 14, the Biometric Information Privacy Act, “BIPA”) and the California Consumer Privacy Act as amended by the CPRA, the photograph and the derived profile are “biometric identifiers” and “sensitive personal information.” We treat them accordingly. See sections 4 and 5.
Generated outputs. The styled photographs the Service produces in response to your requests. These are stored under your account so you can re-download them from your history.
Generation metadata. Style slug, model identifier, vendor identifier, request and completion timestamps, frame-level success or failure status, gender selected at onboarding (used only to filter the style catalog), and the snapshot of the BIPA consent text version and hash you affirmed.
Payment metadata. Last four digits of your card, card brand, expiry, the country your card was issued in, and transaction status — all delivered by Stripe through webhook. Where Stripe also collects a billing address at Checkout, we receive the city, postal code, state, and country attached to your card. We never receive or store your full card number, CVC, or PIN.
Consent record. At the moment you submit the BIPA consent form at /onboarding/avatar, we additionally record the IP address and browser user-agent of the submission, solely as evidence that you gave the consent, as a defense to any later challenge under 740 ILCS 14/15(b).
Session, attribution, and product telemetry. An HMAC-signed session cookie carrying a per-account identifier, a per-session identifier, a CSRF token, and (write-once) the UTM parameters and landing timestamp from your first visit. Server-side product events such as which page you viewed, when you started a generation, when an allowance event occurred — stored without your IP address. We additionally run Microsoft Clarity, a session-replay and heatmap product, to understand where users get stuck in the Service. Clarity records your interactions (clicks, scrolls, viewport size, page navigations) together with a DOM recording of your session; email fields, file uploads, your reference photograph, your generated photographs, and the canonical BIPA consent text are masked in the browser before any data is transmitted to Microsoft. Clarity receives your IP address at request time, which Microsoft anonymises server-side per its published policy. We use advertising and measurement tools — currently the Meta Pixel and the server-side Meta Conversions API, and we may add other advertising or analytics partners in the future — to measure which ads bring people to Bloomsee. We share with our advertising and measurement partners (currently Meta Platforms) only commercial funnel events — such as creating an account, viewing the pricing page, starting checkout, or subscribing — keyed to a hashed identifier such as your email and standard ad-matching signals such as your IP address, browser user-agent, and partner cookies (for example Meta’s _fbp and _fbc); this is a “share” for cross-context behavioral advertising. Because a subscription may start days after you first arrive, we retain the ad-matching signals captured when you create your account (advertising cookies, and the IP address and browser user-agent of the sign-up request) on your account record, solely to attribute a later trial or subscription to the ad that brought you; they are deleted when you opt out of ad sharing or delete your account. We never share your reference photograph, your Photo Profile, any generated photograph, or any biometric or other sensitive personal information with any advertising or analytics partner; those are excluded from all advertising sharing.
Operational logs. Web server logs (request method, path, response status, timing) retained by Fly.io for a rolling window. Error reports forwarded to Sentry with personally identifying fields scrubbed: cookies, authorization headers, and request bodies are stripped before transmission; S3 object-key fragments have the user-identifying portion replaced by a one-way hash.
2. Why we collect it (purposes)
We use your information solely to provide and operate the Service, specifically to: deliver the photographs you request; sustain your subscription, billing, and allowance; send transactional email (sign-in codes and links, late-delivery notifications, deletion confirmations); enforce the Acceptable Use rules in our Terms of Service; debug, secure, and improve the Service; comply with our legal obligations (tax, audit, fraud prevention); and respond to lawful requests from regulators or courts. We do not use your reference photograph, your Photo Profile, or your generated outputs for any purpose other than serving your account.
3. We do not sell, share, or train AI on your data; safety checks excepted
No sale; limited share for advertising measurement. We do not sell personal information for money or other valuable consideration. We do share a limited set of commercial funnel events — keyed to a hashed identifier such as your email together with standard ad-matching signals (your IP address, browser user-agent, and advertising cookies) — with our advertising and measurement partners (currently Meta Platforms) to measure and optimize our advertising. This is a “share” for cross-context behavioral advertising within the meaning of California Civil Code § 1798.140(ah). We exclude from this sharing your reference photograph, your Photo Profile, any generated photograph, and all biometric and other sensitive personal information.
No model training on your data. Bloomsee itself does not train, fine-tune, or otherwise improve any AI model on your reference photograph, your Photo Profile, or your generated outputs. We engage our AI image-generation providers only to return the photographs you request, on the basis of each provider’s published service terms; we do not directly authorize them to use your inputs to train any model. Vendor-side processing of inputs (including any retention windows or training rights) is governed by the vendor’s own service terms. If we learn that a vendor has used your inputs for training in a manner inconsistent with the basis on which we engaged them, we may terminate the vendor relationship and will notify you. We have no plans to authorize training on your inputs. If that ever changes, we will (a) bump the BIPA written-consent version naming the new purpose and obtain fresh affirmative written release before any further processing under the new arrangement, and (b) for biometric data already collected under the prior consent, continue to honor the original consent’s limits until you re-affirm the new version. The current vendor list is available on request at support@bloomsee.app.
Safety checks on generated outputs. We may run safety checks on each generated output to enforce our Acceptable Use rules — for example, a face-presence check, an adult-content detector, and a similarity comparison to your Photo Profile. These checks do not train, fine-tune, or update any model. Each check produces only a pass/fail decision per image (plus a short reason code if it fails), retained only as long as needed to document any resulting enforcement action against the account.
Onward deletion to service providers. When you delete your biometric data from your account, we promptly notify our AI image-generation providers and request deletion of any vendor-side copies, consistent with each provider’s deletion API or contractual deletion procedure. We cannot guarantee a vendor’s retention beyond what its service terms allow, but we do not withhold our own deletion notice and we follow up where a vendor offers a confirmation interface. This satisfies our onward-deletion obligation under California Civil Code § 1798.105(c) for biometric data; for non-biometric data, we follow the same notify-and-request procedure where the vendor exposes one.
4. Illinois BIPA disclosures
Notice in writing. Before we collect, capture, or store any biometric identifier from you, we present a written notice at /onboarding/avatar that (a) states we are collecting and storing biometric identifiers and biometric information; (b) identifies the specific purpose (creation and ongoing use of your Photo Profile to generate photographs you request); and (c) states the length of the term for which the information will be collected, stored, and used. The text of that notice is versioned; the cryptographic hash of the version you affirmed is stored against your account so that the exact text you saw can be reproduced.
Written release. By submitting the onboarding form with the consent box checked, you provide a written release under 740 ILCS 14/15(b)(3). Electronic signatures are valid written releases under Illinois and federal law (E-SIGN Act, 15 U.S.C. § 7001).
Retention schedule. Biometric identifiers (your reference photograph and the Photo Profile we derive from it) are retained for as long as you maintain a Bloomsee account, because the purpose for which we collected them — generating the photographs you request from your reusable Photo Profile — continues for as long as your account exists. We destroy them when that purpose is satisfied: you can delete your Photo Profile or your entire account from /account at any time, which runs the destruction flow described below. When you replace your Photo Profile from your account, the prior reference photograph is queued for permanent deletion within 30 days. We do not impose an automatic time-based purge; you decide when your biometric data is destroyed, and you can trigger that destruction at any time.
How deletion works. When you initiate account deletion from /account, deletion enters a 24-hour grace period during which you can cancel the request from the same page. After the grace period closes, deletion is irrevocable; we then permanently destroy your reference photograph from our biometric storage and mark the Photo Profile record in our database as deleted (so it is no longer used to generate further photographs), typically completing within a further 24 hours.
Destruction guarantee. Permanent deletion of your biometric identifiers means object deletion of your reference photograph from our biometric S3 bucket, deletion stamping of the corresponding rows in our database, and marking of the Photo Profile record as deleted so that no further generation can be performed against it. Our cleanup worker retries up to three times on failure; if all retries fail, the failure is paged to a human operator who completes the deletion manually. We do not retain a copy of the reference photograph in “cold storage,” backup vault, or archive after deletion is complete. Our error-monitoring system (Sentry) may, for up to 90 days after deletion, retain references to the deleted object’s storage path with the user-identifying portion replaced by a one-way hash; these references contain no image bytes and roll out of Sentry on a fixed 90-day window.
Scope of biometric deletion versus generated photographs. The destruction guarantee in the preceding paragraph applies to the biometric identifier itself — your reference photograph and the Photo Profile record in our database. The styled photographs the Service produced for you are not biometric identifiers under 740 ILCS 14/10 (they are AI-generated images derived in part from your photograph, not raw scans of your face geometry); they remain in your history so you can re-download them. If you want the generated photographs deleted in addition to the biometric identifier, email support@bloomsee.app from your account email and we will remove them from S3 and from your history within 30 days. Generated outputs are stored in a separate S3 bucket with its own AWS KMS customer-managed key, on the same encryption and access-logging posture as your reference photograph.
Application to other states. The commitments in this section — written notice, written release, deletion on request, encryption, and destruction guarantee — are written to the Illinois standard, which is the most fully-litigated biometric-privacy regime currently in force. Our encryption, access-control, and disposal posture is comparable to the requirements of other US biometric-privacy regimes, including Tex. Bus. & Com. Code § 503.001 (CUBI) and RCW 19.375 (Washington WBIPA). We apply the same operational protections to residents of any state whose biometric-privacy law would otherwise apply.
No disclosure or dissemination. We do not sell, lease, trade, or otherwise profit from your biometric identifiers. We do not disclose them to any third party except (i) our AI image-generation providers for the strictly limited purpose of generating a photograph you have requested, (ii) AWS as our encrypted-at-rest storage provider, (iii) where compelled by valid legal process — including subpoenas, court orders, or warrants — whether served on Bloomsee or on a service provider acting on Bloomsee’s behalf, or (iv) to a successor entity in a merger or acquisition that commits in writing to honor this notice and the BIPA written consent on the same terms. Where we receive a legal-process request, we will notify you by the email on your account, unless we are legally prohibited from doing so. The current names of our AI image-generation providers are stated in the BIPA written consent you affirmed at onboarding and are available on request at support@bloomsee.app.
5. California (CCPA / CPRA) disclosures
Categories of personal information collected, by CPRA category. Identifiers (email, account identifier, IP address in transit). Customer records (subscription metadata). Commercial information (subscription tier, purchase history). Internet or other electronic network activity (referrer, UTM, session events). Geolocation (coarse, derived from IP at request time; not stored). Visual information (your reference photograph and generated outputs). Sensitive personal information under Cal. Civ. Code § 1798.140(ae): biometric information processed to uniquely identify you. We do not collect government IDs, financial-account numbers, precise geolocation, health, racial or ethnic origin, religion, union membership, mail or message contents, or genetic data. The only categories we share for cross-context behavioral advertising (see section 3) are Identifiers (a hashed identifier such as your email, plus the IP address and user-agent of the originating request) and Internet or other electronic network activity (commercial funnel events). We do not share Visual information, biometric or other sensitive personal information, or any other category for advertising.
Sources. Directly from you; from Stripe at checkout; from your browser at request time.
Purposes for sensitive personal information. We use sensitive personal information only for the purposes authorized by Cal. Civ. Code § 1798.121(a) (providing the service you requested, security, debugging). We do not use it to infer characteristics about you. California law allows us to use sensitive personal information without offering a “Limit the Use” link when that information is necessary to provide the service you asked for (11 Cal. Code Regs. § 7027(m)). Your biometric data falls into this category — without it, the Service cannot generate photos. You still have the right to ask us to delete it; see “Your California rights” below.
We do not sell sensitive personal data. We do not sell sensitive personal data within the meaning of California, Tex. Bus. & Com. Code § 541.102, Fla. Stat. § 501.71, or the equivalent provisions of any other state law.
Retention. See section 4 for biometric retention. Email, subscription, and ledger records are retained for the life of the account plus the period required for accounting, tax, and audit obligations (commonly seven years for tax records). Operational logs roll out of Fly.io storage in days, Sentry events in 90 days.
Your California rights. You may (i) request to know the categories and specific pieces of personal information we hold about you; (ii) request deletion; (iii) request correction; (iv) opt out of the sharing of personal information for cross-context behavioral advertising (see section 3), which you may exercise by emailing us at the address below; (v) be free from retaliation for exercising any of these rights. To exercise any of these rights, email support@bloomsee.app from the email address tied to your account, or initiate account deletion from /account. For requests involving sensitive personal information, biometric identifiers, or specific pieces of personal information, we may require you to verify (a) the email address on file, (b) the approximate date your account was created, and (c) where applicable, the last four digits of the payment card on file, plus a signed declaration under penalty of perjury that you are the consumer or authorized agent. Where no payment card is on file (for example, an account that never completed checkout), we will substitute an alternative verification factor of comparable confidence. We will respond within 45 days, extendable to 90 days where the law allows. An authorized agent may submit on your behalf with written authorization and identity verification.
6. PIPEDA disclosures
For users subject to the federal Personal Information Protection and Electronic Documents Act (“PIPEDA”), Bloomsee follows the ten fair information principles set out in Schedule 1: accountability; identifying purposes; consent; limiting collection; limiting use, disclosure, and retention; accuracy; safeguards; openness; individual access; and challenging compliance. Meaningful consent — not pre-checked or implied — is required for the collection of biometric identifiers, and we obtain it expressly at /onboarding/avatar. You may withdraw consent at any time by deleting your Photo Profile from /account; withdrawal terminates the subscription because the Service cannot operate without a profile.
Quebec. Bloomsee does not currently serve Quebec residents. Quebec’s Act respecting the protection of personal information in the private sector (Law 25) requires a 60-day pre-implementation notice to the Commission d’accès à l’information before any biometric processing of Quebec residents, a French translation of all material disclosures, and a designated Privacy Officer in Quebec. Until Bloomsee completes those steps, Quebec residents may not sign up for the Service.
Filing a complaint. You may direct privacy concerns to support@bloomsee.app. If you are not satisfied with our response, you may complain to the Privacy Commissioner at priv.gc.ca.
6a. Other US state privacy laws
If you reside in a US state with a comprehensive consumer-privacy law — including (without limitation) Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, or Virginia — you may exercise the rights granted to you under your state’s law, including the rights of access, deletion, correction, portability, and (where applicable) opt-out of sale, opt-out of targeted advertising, opt-out of profiling, and limit-use of sensitive personal data. Submit requests to support@bloomsee.app from your account email; we will verify your identity and respond on the schedule applicable to California requests under section 5 above (within 45 days, extendable to 90 days where the law allows).
Opting out of cross-context behavioral advertising. Where your state’s law provides it, you may opt out of the sharing of personal information for cross-context behavioral advertising described in section 3 by contacting us at support@bloomsee.app.
7. How we store and protect your information
Encryption. Your reference photograph and your generated outputs are stored in two separate Amazon S3 buckets located in the AWS us-east-1 region. Each bucket is encrypted at rest using SSE-KMS (server-side encryption with AWS Key Management Service customer-managed keys), with a distinct key per bucket so that destroying one key cannot affect data secured by the other. Both buckets reject any object upload that is not SSE-KMS-encrypted with the bucket’s key, and reject any object retrieval over a non-TLS connection. All API access is logged to AWS CloudTrail.
Access control. Object keys include your account identifier as a path segment; our application code only ever issues short-lived presigned URLs scoped to a single object. The administrative panel is protected by HTTP Basic authentication, denied iframe embedding, and accessible only to the founder.
Transport. All traffic to bloomsee.app, all webhooks from Stripe, and all webhook callbacks from our AI image-generation providers are required to use TLS 1.2 or higher. Generation callbacks are additionally authenticated by HMAC-SHA-256 with a rotating signing key; replay attacks are rejected at a 5-minute window.
Authentication. Bloomsee uses sign-in codes (with a one-click link as fallback) sent to your email — no passwords to leak. Codes and links are valid for 15 minutes, single-use, rate-limited per email and per IP, and consumed atomically against the database.
No security controls are perfect. If we determine that personal information has been compromised in a way that creates a risk of harm to you, we will notify you without unreasonable delay and consistent with applicable law (within 30 days for California residents per Cal. Civ. Code § 1798.82; as soon as feasible for residents subject to PIPEDA per Section 10.1; per the timing required by each applicable state breach-notification law). Where required, we will also notify state attorneys general and the federal Privacy Commissioner.
8. Third parties that process your information
We engage companies in the following categories to provide services on our behalf. We restrict their use of your information to the purposes disclosed in this notice, under each provider’s standard service terms or any data-processing addendum we have negotiated. If we learn that a transfer to any vendor does not meet the service-provider requirements under California or sister-state law, we will renegotiate the terms, replace the vendor, or add a “Do Not Share” mechanism and update this notice. The current list of specific vendors in each category — including the names of our AI image-generation providers, which are also stated in the BIPA written consent you affirmed at onboarding — is available on request at support@bloomsee.app.
- Payment processor — subscription billing, recurring charges, and any one-time purchases (such as Coin packs). Receives your email, payment card (directly from you, never via us), and subscription and payment events.
- Transactional email provider — delivery of sign-in codes and links, late-delivery notices, and other account email. Receives your email address and the rendered email body.
- Cloud infrastructure provider — encrypted object storage, encryption key management, audit logging, application hosting, and request logging.
- AI image-generation providers (primary and fallback) — the providers that produce the styled photographs you request. Receive your reference photograph bytes and the selected style prompt for the duration of generation. Vendor-side training practices are governed by each provider’s own service terms; see “No model training on your data” above. Specific provider names appear in your BIPA written consent and are available on request.
- Error-monitoring provider — receives error stack traces with personally identifying fields scrubbed (Cookie, Authorization, X-CSRF-Token, request body, and S3 object-key fragments) before transmission. Does not receive your photograph.
- Product analytics provider (Microsoft Clarity) — session-replay and heatmap aggregation. Receives interaction events (clicks, scrolls, page navigations, viewport size); a DOM recording of your session in which email fields, file uploads, your reference photograph, your generated photographs, and the canonical BIPA consent text are masked at the browser before transmission; subscription-state cues rendered on your account page (plan tier, subscription status, renewal or cancellation date, remaining Coin balance); and your IP address at request time (Microsoft anonymises IP server-side per its published Clarity policy). Does not receive your name, your email address, your payment details, or your photograph. Retention is governed by Microsoft Clarity’s published policy.
- Managed Redis provider — rate-limit counters and queue coordination. Receives hashed identifiers; does not receive your photograph.
- Managed PostgreSQL provider — hosts our application records and ledger.
- Advertising and measurement partners (currently Meta Platforms) — receive a limited set of commercial funnel events (such as viewing the pricing page, starting checkout, or subscribing) keyed to a hashed identifier such as your email, together with the IP address and user-agent of the originating request and advertising cookies (such as Meta’s
_fbpand_fbc), for cross-context behavioral advertising measurement. Do not receive your email in the clear, your name, your photograph, your Photo Profile, any generated output, or any biometric or other sensitive personal information.
Except for our advertising and measurement partners, which receive the limited advertising-measurement data described in section 3 for cross-context behavioral advertising, none of these providers is authorized to sell, share, or use your information for their own marketing.
9. Cookies and similar technologies
Bloomsee sets a single first-party session cookie, signed with our application key, used to keep you signed in and to carry your CSRF token and the UTM parameters from your first visit. The cookie is SameSite=Lax and Secure in production. Microsoft Clarity additionally sets first-party cookies (named _clck and _clsk) that stitch a returning visitor’s interactions into a single replay session; these cookies carry an opaque identifier and no PII, and they are first-party so they are not visible to any third-party advertising network. Our advertising and measurement partners (currently Meta) set advertising and measurement cookies in your browser (such as Meta’s _fbp) for the cross-context behavioral advertising measurement described in section 3.
10. Age requirement
The Service is for adults aged 18 or older. We require an affirmative age statement at avatar creation and time-stamp it on your account. We do not knowingly collect personal information from anyone under 13 (the federal threshold under the Children’s Online Privacy Protection Act, 15 U.S.C. § 6501), from anyone under 16 (the California CCPA opt-in-to-sale-or-share threshold, though we do not sell or share), or from anyone under 18 (our own threshold). If we learn that we have collected information from a minor, we will delete it and terminate the account — except where the upload would constitute apparent child sexual abuse material (CSAM) within the meaning of 18 U.S.C. § 2256, in which case we will preserve the image and associated metadata, and report it to the National Center for Missing & Exploited Children CyberTipline, using the same procedural standards as 18 U.S.C. § 2258A applies to providers registered with NCMEC.
11. Controller, data location, and cross-border processing
Who controls your data. Bloomsee is operated by LOOKSY TECH - FZCO, a free-zone company with its registered office at IFZA Properties, Dubai Silicon Oasis, Dubai, UAE. For your personal information, LOOKSY TECH - FZCO is the “business” and “controller” under the California Consumer Privacy Act as amended by the CPRA and analogous state privacy laws; the “private entity” that collects, captures, and stores biometric identifiers and biometric information within the meaning of the Illinois Biometric Information Privacy Act, 740 ILCS 14; and the “organization” that is responsible for the personal information under its control under the Personal Information Protection and Electronic Documents Act (PIPEDA).
Where your data lives. All personal information you submit — including the biometric identifiers and biometric information governed by BIPA — is stored and processed in the United States, in Amazon Web Services data centers located in the us-east-1 region (Northern Virginia). Bloomsee does not maintain a duplicate copy of your personal information outside that region.
Operational access. Bloomsee’s administrative and support personnel are based at the registered office identified above and need to look at user data to operate the Service — including resolving a support ticket, investigating a suspected Acceptable Use violation, processing a deletion request that needs human review, debugging a failed generation, performing reconciliation against the payment processor, applying a discretionary comp grant from the administrative panel, and other operational tasks consistent with the purposes in section 2. When that happens, your personal information is accessed (and, for the duration of the access, briefly transferred) from the United States to the jurisdiction of the registered office. We minimize what is accessed to what is needed for the specific task, log administrative access, and do not maintain a duplicate operational data store outside the United States. Incidental traces of accessed data on personnel devices (browser cache, downloaded attachments, email threads, screenshots) are protected by disk encryption and an internal clean-desk / device-hygiene policy and are purged on a routine basis.
Cross-border exposure to US law for users subject to PIPEDA. Users subject to PIPEDA acknowledge that their personal information will be transferred to and processed in the United States, and is subject to federal national-security access regimes including the Foreign Intelligence Surveillance Act, 50 U.S.C. ch. 36, and the CLOUD Act, 18 U.S.C. ch. 121. These laws may not provide the same level of protection as PIPEDA, and are one of the operational reasons Bloomsee does not currently serve Quebec residents.
Cross-border exposure during administrative access. During the operational-access bursts described above, information accessed by Bloomsee personnel is, for the duration of that access, also subject to the laws of the United Arab Emirates — including UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data, UAE Federal Decree-Law No. 34 of 2021 on Combatting Rumours and Cybercrime, and UAE national-security and law-enforcement access regimes. UAE legal protection of personal information may differ from the protection available in your jurisdiction in scope, in the procedural safeguards available to data subjects, and in the visibility of government access. By using the Service you consent to the cross-border transfers described in the preceding paragraphs — to the United States for storage and processing, and on an as-needed basis to the United Arab Emirates for administrative access by Bloomsee personnel — for purposes of PIPEDA sections 5(3) and Schedule 1, Principle 4.1.3.
12. How to reach us
Privacy questions, rights requests, and complaints: support@bloomsee.app. General support: support@bloomsee.app. Mailing address: LOOKSY TECH - FZCO, IFZA Properties, Dubai Silicon Oasis, Dubai, UAE.
13. Changes to this notice
We may update this notice from time to time. When we do, we post the updated notice on this page and revise the “Effective” date at the top; changes take effect when posted unless we state otherwise. Where applicable law requires advance notice of a particular change, we will provide it. Prior versions are available on request to support@bloomsee.app.