Bloom

Privacy Policy

Last updated: June 30, 2026

Bloom is an email-tracking tool for Gmail, operated by Kevin Koudache (“Bloom”, “we”, “us”), based in France. This policy explains what we collect, why, and the rights you have. Bloom is currently in beta. For any question or request, contact us at privacy@bloomtag.io.

Data we collect

  • Account data. When you sign in with Google, we receive your email address, name, and profile picture. We never receive your Google password.
  • Workspace data. The workspaces you create or join, your role within them, and your notification settings.
  • Tracking data. When you send a tracked email from Gmail using our extension, we store the recipient’s email address, the subject, and the time it was sent, along with the tracking events generated when that email is opened or its links are clicked.
  • Event metadata. For each open or click we store a timestamp, a one-way hashed version of the recipient’s IP address (we never store raw IP addresses, and this is the recipient’s IP, not yours), an approximate country derived from that IP, the user-agent string, and automated/bot-detection signals.

How the extension works

To record opens and clicks, the Bloom extension modifies the body of an email you send: it inserts a small invisible tracking pixel and rewrites the links so they pass through our tracking endpoint. This happens in your browser, only at the moment you send, and only on the emails you choose to track. The extension does not read, scan, or store the text of your messages or anything else in your mailbox, and it does not use the Gmail API.

Google user data

Bloom uses Google sign-in to authenticate you, and receives your email address, name, and profile picture from Google for that purpose only. The use of information received from Google APIs will adhere to the Chrome Web Store User Data Policy, including the Limited Use requirements.

What we do not do

  • We do not read, scan, or store the contents of your mailbox, and we do not use the Gmail API.
  • We do not sell your data, and we do not share it for advertising.

Why we process this data

Under the GDPR, our legal bases are: performance of our contract with you (authentication, sending tracked emails, and showing you engagement), and our legitimate interest in securing the service and distinguishing automated traffic from real recipients.

Where your data is stored

Your data is stored in the European Union. We rely on the following sub-processors, each bound by a data-processing agreement:

  • Supabase — database and authentication, hosted in the EU (eu-west-1).
  • Vercel — dashboard hosting, EU region (fra1).
  • Cloudflare — the tracking endpoint runs on Cloudflare’s edge network; requests are processed at the nearest edge and written to our EU database.

Optional CRM integration

If you choose to connect Attio (a customer-relationship tool), the engagement data for your tracked emails (the recipient email address and the open or click events) is also sent to Attio so it appears next to your contacts. This integration is optional and stays off until you enable it. Attio processes that data under its own privacy terms, which may place it outside the European Union.

Data retention

We keep tracking data for as long as your workspace is active. Configurable retention controls are on our roadmap. You can request deletion of your data at any time.

Your rights

You have the right to access, correct, delete, restrict, port, or object to the processing of your personal data. To exercise any of these, email privacy@bloomtag.io. You may also lodge a complaint with your local data-protection authority (in France, the CNIL).

Cookies

The dashboard uses strictly necessary cookies to keep you signed in and to remember the workspace you have selected. We do not use advertising or third-party tracking cookies.

Children

Bloom is not intended for anyone under the age of 16.

Changes to this policy

We may update this policy from time to time. We will update the date above and, for material changes, notify you.