Privacy Policy

Last updated: November 3, 2025

1) Who we are and our role

BloomSpark, operated by Mordi Levi
Address: Yavor 18, 2770 Bansko, Bulgaria
Email: listed on our website (contact page)

Role split

We act as Data Controller for website, marketing, billing, account administration, and studio operations data.

We act as Data Processor for client-uploaded content inside Brand Space (e.g., brand assets, briefs, files) and process it only on your documented instructions to deliver the services. You (or your company) are the Data Controller for that content.

If a section below references “we/us” and concerns Brand Space content, read it as “we as processor on your behalf.”

2) What data we collect

Account & contact data: name, email, role/title, company, billing contact.

Communications: messages, briefs, approvals, feedback.

Service data: files you upload, brand assets you provide, request history, activity logs in the Brand Space.

Billing data: invoicing details, payment confirmations (we don’t store full card data; our payment processor does).

Website usage data: device, browser, pages viewed, referral source, and approximate location via analytics cookies (if enabled).

Support/ops data: incident notes, access logs, audit trails where available.
We do not intentionally collect special categories of data and ask you not to upload them.

3) How we collect data

Directly from you (forms, email, calls, Brand Space).

Automatically via our website/tools (cookies, logs, analytics—subject to consent where required).

From your organization (when a colleague adds you).

4) Why we use your data (purposes + lawful bases)

Provide services (Brand Foundation, packs, subscriptions, Brand Space access): Contract (controller) / Processor (Brand Space content).

Customer support and operations: Legitimate interests.

Billing, accounting, tax: Legal obligation and Contract.

Security and abuse prevention: Legitimate interests.

Service improvement and analytics (non-essential cookies): Consent.

Marketing to business contacts: Legitimate interests or Consent where required.

Portfolio & testimonials (logo/name only; never confidential content): Legitimate interests with opt-out.

5) Sharing and subprocessors

We use vetted processors/subprocessors to host and operate the service:

Workspace & collaboration: Notion (Brand Space)

Hosting/CDN: site and asset delivery provider

Email & communications: email service and transactional email

Payments & invoicing: payment processor and accounting tools

Analytics & consent: privacy-respecting analytics and cookie banner

We require written data protection terms (e.g., DPAs or SCCs), limit access, and instruct processors to act only on our documented instructions.

Subprocessor change notice

We may add or replace subprocessors. For material changes affecting Brand Space content or personal data, we will notify you at least 15 days in advance (email or in-app). If you reasonably object within that period due to a legitimate data protection concern, we will discuss alternatives. If none are feasible, you may object and wind down services for the affected part; we’ll assist export of your data and provide a fair pro-rated resolution where applicable.

We do not sell personal data.

6) International transfers

Some providers may process data outside the EU/EEA. We rely on lawful transfer mechanisms (e.g., Standard Contractual Clauses) and appropriate safeguards.

7) Retention

Project/Brand Space content: kept while your engagement is active. If you don’t subscribe after Foundation, your space becomes read-only and is archived; archives are kept for 12 months and may then be deleted.

Account/billing/legal records: retained as required by Bulgarian law.

Support/ops logs: retained for a reasonable period for security and traceability.
We delete or anonymize data when no longer needed.

8) Your rights (EU/EEA)

You can request access, rectification, erasure, restriction, portability, and objection (including to marketing based on legitimate interests). Where we rely on consent, you can withdraw it at any time.
Contact us via the email on our site. We may verify identity.

You may complain to the Bulgarian data protection authority (CPDP).

9) Security

We apply reasonable technical and organizational measures: access controls, least-privilege, encrypted transport, secure processor selection, and regular housekeeping. No system is perfect; please report issues promptly.

10) Brand Space specifics

You control who from your organization is granted access and what is uploaded. We process that content as your processor.

Brand Space is not a records-retention system; download and back up final assets you need to keep.

We may rate-limit or suspend access for abuse, suspected fraud, or security threats.

11) Cookies and similar technologies

Strictly necessary cookies: run to deliver the site and basic functions.

Analytics/functional/advertising cookies: used only with consent where required.
You can change or withdraw consent via our cookie banner or browser settings. See our Cookie Policy for details.

12) Children

Business audience only; we do not knowingly collect data from children.

13) Third-party links

Third-party sites have their own privacy practices.

14) Changes to this policy

We may update this policy; we’ll mark a new “Last updated” date and highlight material changes. If changes meaningfully affect you, we’ll provide additional notice where appropriate.

15) Contact

For questions or requests about your data: use the email hello@bloomspark.ai