GDPR Compliance
Last updated: 31 March 2026
Bloom is built from the ground up with UK GDPR and the Data Protection Act 2018 in mind. Here's how we protect your data and your clients' data.
UK Data Residency
All data is stored and processed within the United Kingdom. Our database is hosted in London (AWS eu-west-2) via Supabase, and our application servers run in London (lhr1) via Vercel. No client data leaves the UK.
Encryption
Data is encrypted in transit using TLS 1.2+ (HTTPS everywhere) and at rest using AES-256 encryption. Passwords are hashed with bcrypt. Database access is secured with Row Level Security (RLS), ensuring users can only access their own data.
Data Subject Rights
We support all data subject rights under UK GDPR: access, rectification, erasure, portability, restriction, and objection. Subject Access Requests are handled within 30 days. The right to erasure is balanced against FCA record-keeping requirements (SYSC 9, MiFID II) which require certain records to be retained for 5-7 years.
Controller & Processor
The financial adviser firm is the data controller for client data entered into Bloom. Bloom (Arthur Browns Wealth Management Ltd) acts as the data processor. We process data only on your instructions and in accordance with our Data Processing Agreement.
Data Retention
We retain data only as long as necessary. Client financial records are kept for a minimum of 7 years (FCA requirements). Advice records are retained for a minimum of 5 years (MiFID II). Account data is deleted within 90 days of account closure, subject to regulatory retention periods.
Breach Notification
In the event of a data breach, we will notify the ICO within 72 hours and notify affected data subjects without undue delay, in accordance with Articles 33 and 34 of UK GDPR.
ICO Registration
Arthur Browns Wealth Management Ltd is registered with the Information Commissioner's Office as a data controller. If you have concerns about how we handle your data, you can contact the ICO at ico.org.uk.