Version 1.0 · Effective 2026-07-11
Privacy policy
Effective July 11, 2026. Version 1.0.
This policy explains how SOBO Consulting LLC, a California limited liability company (1265 Beech St, East Palo Alto, CA 94303), handles personal information in connection with BloomOS and bloomos.org.
There's an important split running through this document, so we'll state it up front.
Data we control. Information about you: visiting this site, filling in the walkthrough form, having a BloomOS login, emailing us. This policy governs it.
Data you control. Everything inside your BloomOS account: your donors, your grants, your program participants, your budget. Your nonprofit is the controller of that data. We're the processor. We only handle it on your instructions, under the data processing addendum and the terms of service. This policy doesn't grant us any right to it. See your data.
What we collect, and why
If you visit bloomos.org. We use Vercel Analytics, which counts page views without cookies and without identifying you. We don't run advertising trackers, we don't run session recording, and we don't fingerprint your browser. This is why you've never seen a cookie banner here. We also keep standard server logs (IP address, timestamp, page requested, user agent) for a short period, for security and debugging.
If you request a walkthrough. We collect your name, your email address, and optionally your organization. We use it to contact you about a walkthrough and to follow up about BloomOS. That's the entire purpose. We don't sell it, we don't rent it, and we don't add you to a list you didn't ask for.
If you have a BloomOS account. We collect your name, work email address, role, and the organization you belong to. We collect authentication data (a hashed password, session tokens) so you can sign in. We collect activity logs so you and your organization have an audit trail. If your organization pays by card, our payment processor collects your billing details, and we never see or store your card number.
If you email us. We keep the email.
What we do with it
We use the information above to run BloomOS, answer your questions, keep the service secure, meet our legal obligations, and tell you about things that matter to your account. If we ever want to email you marketing, we'll ask first, and you can leave with one click.
We do not sell personal information. We do not share it for cross-context behavioral advertising. Under California law those terms have specific meanings, and we mean them in the specific sense: no money changes hands for your data, and we don't hand it to advertising networks.
Who we share it with
Only the companies that help us run the service, listed by name with what each one does on our subprocessors page. Each is bound by a contract to process data only on our instructions.
We'll also disclose information if we're legally required to, and we'll tell you when we're permitted to tell you.
If SOBO Consulting is ever acquired or merged, your information may transfer as part of that. You'd get notice, and this policy would continue to apply to information collected before the transfer until it's replaced by one that's at least as protective.
How long we keep it
Walkthrough requests: 2 years, unless you ask us to delete it sooner.
Account data: for as long as your organization has a BloomOS account, then per the schedule in your data. In short: 30 days after cancellation, then deleted, with encrypted backups rolling off within 7 more days.
Server logs and security records: up to 12 months.
Audit logs: for the life of the account, because that's their purpose.
Your rights
Depending on where you live, you have the right to know what personal information we hold about you, to get a copy of it, to correct it, to delete it, and to not be discriminated against for asking. California residents have these rights under the CCPA as amended by the CPRA.
To exercise any of them, email privacy@bloomos.org from the address we have on file, or tell us how else to verify it's you. We'll respond within 45 days. There's no charge.
If your request concerns data held inside a nonprofit's BloomOS account (for example, you're a donor asking about your record), we'll route you to that nonprofit, because they control it and we can't act on it without their instruction. See your data.
Children
BloomOS is business software sold to organizations. We don't knowingly collect personal information from anyone under 13 through this site or through a BloomOS login, and BloomOS has no participant-facing login.
Some BloomOS customers are youth-serving organizations that store records about minors, entered by their staff. That's customer data. The customer controls it, we process it under the DPA, and we don't do anything with it beyond storing it and showing it back to them.
Security
Described in detail, mechanism by mechanism, in the security overview. Short version: encrypted in transit and at rest, row-level isolation enforced in the database, one named person with administrative access, 72-hour breach notification.
No system is perfectly secure, and anyone who tells you otherwise is selling something.
Where your data lives
The United States. We don't replicate personal information outside the US.
Changes to this policy
If we change this policy in a way that materially reduces your protections, we'll email the primary contact at every customer organization at least 30 days before it takes effect, and we'll update the version and date at the top of this page. Every prior version is available on request.
Contact
SOBO Consulting LLC 1265 Beech St East Palo Alto, CA 94303 United States