The short version: Payments go through Stripe (PCI-DSS Level 1). Data lives on Supabase with row-level security and encryption at rest. Everything runs over TLS 1.3. You own your data and can export it any time.
Payments: handled by Stripe
Bloom never sees, stores, or transmits your clients' card numbers. All payment processing is handled directly by Stripe, a PCI-DSS Level 1 certified payment processor — the highest certification tier for payment security. Stripe is trusted by millions of businesses worldwide including Shopify, Lyft, Amazon, and Google.
When a client pays for a booking:
- The card details are entered in a Stripe-hosted checkout page (never in a Bloom form)
- Stripe tokenizes the payment and charges the card
- Bloom only receives a confirmation token and the amount charged — never the card number
- Funds are deposited directly into the provider's connected Stripe account (Stripe Connect, destination charges model)
Data storage and encryption
Your data lives on Supabase, a managed PostgreSQL platform running on AWS infrastructure with:
- Encryption at rest — all database storage is encrypted using AES-256
- Encryption in transit — every connection uses TLS 1.3
- Row-level security — every database query is filtered by the authenticated user's permissions at the database level, so a bug in application code cannot leak another provider's data
- Daily automated backups with point-in-time recovery
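To make the row-level-security bullet concrete, here is an added example of the kind of PostgreSQL policy that enforces it (written for this page, not Bloom's own schema): the `bookings` table and `provider_id` column are assumed names, and `auth.uid()` is Supabase's helper that returns the id from the caller's JWT.

```sql
-- Assumed table (not Bloom's real schema): one row per booking, owned by a provider.
create table bookings (
  id          bigint generated always as identity primary key,
  provider_id uuid not null references auth.users (id),
  client_name text not null,
  starts_at   timestamptz not null
);

-- Turn RLS on and FORCE it, so even the table owner is subject to the policies.
alter table bookings enable row level security;
alter table bookings force row level security;

-- Providers can read only their own rows. auth.uid() comes from the caller's
-- JWT, so the filter is applied by Postgres itself, not by application code.
create policy "providers read own bookings"
  on bookings for select
  to authenticated
  using (provider_id = auth.uid());

-- Writes are limited the same way. WITH CHECK rejects any attempt to insert
-- or update a booking under a different provider's id.
create policy "providers insert own bookings"
  on bookings for insert
  to authenticated
  with check (provider_id = auth.uid());

create policy "providers update own bookings"
  on bookings for update
  to authenticated
  using (provider_id = auth.uid())
  with check (provider_id = auth.uid());

-- With these in place, a buggy application query that forgets its WHERE clause,
--   select * from bookings;
-- still returns only the caller's rows, because the SELECT policy is appended
-- to every query on the table. No policy is defined for the anon role, so an
-- unauthenticated request gets zero rows: RLS denies by default.
```

One caveat worth knowing: Supabase's service_role key bypasses RLS by design, so it belongs only in server-side code and must never ship in a browser bundle.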
Application hosting
Bloom runs on Vercel, which provides automatic HTTPS with TLS 1.3, DDoS protection, and a global edge network with SOC 2 Type 2 certification. All traffic is served over HTTPS — we do not accept plain-HTTP requests.
Authentication
User accounts are managed through Supabase Auth with:
- Bcrypt password hashing (never plaintext)
- Secure HTTP-only session cookies
- Optional magic-link sign-in (no password to leak)
- Email verification on sign-up
Your data, your control
You own everything you put into Bloom. From your dashboard you can:
- Export all your data as CSV or JSON at any time (bookings, clients, services, payment records)
- Delete your account — we remove all your data within 30 days, keeping only records legally required for tax compliance
- Control what your clients see — you choose your branding, services, and the notifications they receive
What we do NOT do
- We do not sell, trade, or rent your data — ever
- We do not train AI models on your client information
- We do not use advertising or cross-site tracking cookies
- We do not store credit card numbers on our servers
- We do not share your data with third parties except:
  - Stripe (to process payments)
  - Resend (to send transactional emails)
  - Twilio (to send SMS, if you enable it)
  - Supabase (our database provider)
  - Vercel (our hosting provider)
Responsible disclosure
If you've found a security vulnerability in Bloom, please report it responsibly. Email security@bloomrdv.com with:
- A clear description of the issue
- Steps to reproduce
- The potential impact
We commit to: acknowledging your report within 48 hours, investigating promptly, keeping you informed of progress, and crediting you in our security page (with your permission) once the issue is resolved. Please do not publicly disclose a vulnerability before we've had time to fix it.
Compliance
We design Bloom with privacy laws in mind — GDPR, CCPA, and similar. Your rights to access, export, and delete your data are first-class features, not afterthoughts. For questions about your specific compliance needs, reach out to hello@bloomrdv.com.
Stay informed
Read our Privacy Policy for more on how we handle personal data, and our Terms of Service for the contractual details.