Privacy Policy
Last updated: 31 March 2026
1. Who We Are
Bloom is a practice management platform for UK financial advisers, operated by Arthur Browns Wealth Management Ltd (FCA 825843), registered in England and Wales. We are the data controller for personal data processed through the Bloom platform.
ICO registration: Arthur Browns Wealth Management Ltd is registered with the Information Commissioner's Office as a data controller.
Contact: For any data protection queries, contact us at privacy@bloomflow.app
2. What Data We Collect
We collect and process the following categories of personal data:
Adviser users:
- Name, email address, phone number
- Firm name, FCA number, role
- Login credentials (passwords are hashed, never stored in plain text)
Client data (entered by advisers):
- Name, date of birth, address, contact details
- National Insurance number, tax status
- Employment and income details
- Financial information: pensions, investments, debts, properties, insurance policies
- Risk profile and attitude to risk
- Health and vulnerability information (where relevant to financial advice)
- Meeting recordings and transcripts (where the adviser uses this feature)
3. Lawful Basis for Processing
We process personal data under the following lawful bases:
- Contract: Processing necessary to provide the Bloom platform to adviser users and to manage client relationships
- Legal obligation: FCA regulatory requirements including record-keeping under SYSC 9, COBS 16, MiFID II (5-7 year retention)
- Legitimate interest: Platform improvement, analytics, security monitoring
- Consent: Marketing communications (you can unsubscribe at any time)
4. Where We Store Your Data
All personal data is stored within the United Kingdom. Our infrastructure is hosted in UK data centres (AWS eu-west-2, London) through our technology partners:
- Supabase (database and authentication) — London, UK (eu-west-2)
- Vercel (application hosting and serverless functions) — London, UK (lhr1)
Your data does not leave the UK. We do not transfer personal data to countries outside the United Kingdom unless required by a specific integration you have chosen to enable (e.g. connecting to a third-party platform), in which case we will inform you before any transfer takes place.
5. Sub-Processors
We use the following third-party services to operate Bloom:
| Service | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, file storage | London, UK |
| Vercel | Application hosting, serverless functions | London, UK |
| Anthropic (Claude AI) | AI-powered features (Bloom AI, fact extraction) | US (no client PII sent) |
| OpenAI (Whisper) | Meeting transcription | US (audio processed, not stored) |
| Xero | Accounting integration (if enabled) | UK/EU |
6. How Long We Keep Your Data
We retain data for as long as necessary to provide our services and meet regulatory requirements:
- Client financial records: Minimum 7 years from the end of the advice relationship (FCA requirements)
- Suitability letters and advice records: Minimum 5 years (MiFID II)
- Meeting recordings and transcripts: Retained until deleted by the adviser, subject to regulatory minimums
- Account data: Retained while your account is active, then deleted within 90 days of account closure (unless regulatory retention applies)
7. Your Rights
Under UK GDPR, you have the right to:
- Access — Request a copy of the personal data we hold about you (Subject Access Request). We will respond within 30 days.
- Rectification — Ask us to correct inaccurate data
- Erasure — Ask us to delete your data (subject to FCA retention requirements)
- Portability — Request your data in a machine-readable format
- Restriction — Ask us to limit how we process your data
- Objection — Object to processing based on legitimate interest
To exercise any of these rights, email privacy@bloomflow.app. If you are not satisfied with our response, you have the right to complain to the Information Commissioner's Office (ICO).
8. Security
We take the security of your data seriously:
- All data is encrypted in transit (TLS/HTTPS) and at rest (AES-256)
- Database access is protected by Row Level Security (RLS)
- Passwords are hashed using bcrypt
- Access to production systems is restricted and logged
- We use static IP addresses for platform integrations to enable IP whitelisting
9. Data Breaches
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the ICO within 72 hours and notify affected individuals without undue delay.
10. Changes to This Policy
We may update this privacy policy from time to time. We will notify registered users of any material changes by email. The latest version will always be available at this page.