Privacy Policy
Last updated: May 18, 2026
Blossomn is a two-person software studio building focused productivity add-ons. We don't run an ad network, we don't sell data, and we don't train models on what you send through our apps. This policy is the long version of that promise.
It explains what we collect, why we collect it, and what you can ask us to do with it. It covers our four apps — SyncForm, PingStock, Pagely, and DriftSleep — and the Blossomn website (collectively, the "Services").
1. Who we are
Blossomn ("we," "our," "us") is operated from India. For any privacy question you can reach a real person at info@blossomn.com. We're the data fiduciary for the personal data described below under India's Digital Personal Data Protection Act, 2023 (DPDP Act), and the data controller for users in jurisdictions where GDPR applies.
2. What we collect, by app
Account basics (all apps): name, email address, and the account ID issued by the platform you sign in through (Google, Shopify, or Apple). If you pay us, our payment processor handles your card data — we only store the last four digits and the billing country.
SyncForm (Google Workspace add-on): the Google Forms you authorise, the destinations you configure (e.g., Slack, Notion, email), and metadata about each routed submission (timestamp, status, error if any). Submission contents pass through our routing layer only long enough to deliver them; we do not retain the field values once delivery succeeds.
PingStock (Shopify app): your shop domain, the inventory locations and SKUs you ask us to watch, the thresholds you set, and a 90-day history of alerts we sent you. We read product and inventory data through Shopify's Admin API at the scope you grant.
Pagely (iOS journaling app): your prompts, journal entries, streak data, and optional mood tags. Entries are encrypted on your device. If you enable iCloud sync, they sync through your private iCloud — we never read them.
DriftSleep (iOS audio app): listening history, favourites, sleep-timer settings, and (if you grant it) anonymous aggregated playback duration. We never request HealthKit data.
Automatic data (all apps): a minimal amount of usage and diagnostic data — feature interactions, error stack traces (with PII stripped), app version, device model, OS version, and approximate IP-based country. We use this for debugging and capacity planning, not profiling.
3. How we use it
- To operate the Service you signed up for (this is the only reason we need most of the data above)
- To route or sync data between your connected platforms exactly as you configured
- To send necessary service email — receipts, outage notices, security alerts (you can't opt out of these without closing your account)
- To detect abuse, debug crashes, and respond to support tickets
- To meet legal, accounting, or audit obligations
We do not use your data to train AI models, target ads, or build user profiles, and we do not sell it to data brokers. Ever.
4. Retention
- SyncForm submission payloads: in-memory only; purged after successful delivery (typically within seconds). Delivery metadata is kept for 30 days.
- PingStock alert history: 90 days, then deleted.
- Pagely entries: stored on your device; we hold nothing on our servers.
- DriftSleep listening history: 180 days on-device; aggregate counts on our servers indefinitely.
- Account & billing records: 7 years after account closure, as required for Indian tax and accounting law.
- Backups: rolling 30-day backups; deletion requests are honoured in the next backup cycle.
5. Who we share data with (subprocessors)
We share the minimum data needed with vetted third parties who help us run the Services. Each is bound by a written data-processing agreement.
- Amazon Web Services (Mumbai region) — hosting and storage
- Cloudflare — CDN, DDoS mitigation, edge logs
- Postmark — transactional email delivery
- Stripe / Razorpay — payment processing
- Sentry — error and crash reporting (with PII scrubbed at the SDK)
- Apple App Store / Google Workspace Marketplace / Shopify App Store — distribution, on-platform billing where applicable
The current list is the canonical one. We'll update this page at least 30 days before adding a new subprocessor that processes personal data.
We do not sell, rent, or trade your personal data. We may disclose data if compelled by lawful order from an Indian court or other authority of competent jurisdiction; where legally permitted, we'll notify you first.
6. Cookies and analytics
The Blossomn website uses one first-party cookie for session continuity and a self-hosted, cookieless analytics tool (Plausible-style) that records page views and country without setting cookies or tracking individuals. There are no advertising cookies, no Facebook pixel, no Google Analytics.
7. Security
Everything is encrypted in transit (TLS 1.2+) and at rest (AES-256). Production access is limited to a single administrator account, gated by a hardware security key and full audit logging. We run automated dependency scans and review every code change. If you discover a vulnerability, please email info@blossomn.com with "Security" in the subject line — we read these within one business day and operate a coordinated-disclosure policy.
If we ever experience a data breach affecting your personal data, we will notify you and the Data Protection Board of India within 72 hours of becoming aware of it, as required by the DPDP Act.
8. Your rights
Wherever you live, you can ask us to:
- Confirm what personal data we hold about you and get a copy of it
- Correct anything that's wrong
- Delete your account and the data associated with it
- Export your data in a machine-readable format (JSON or CSV)
- Withdraw any consent you previously gave (where consent is our legal basis)
- Nominate another person to exercise these rights on your behalf in case of incapacity or death (DPDP Act §14)
Email info@blossomn.com. We respond within 7 business days and complete most requests within 30 days, free of charge. If you believe we've mishandled your data, you may complain to the Data Protection Board of India or, for EU/UK residents, your local supervisory authority.
9. International transfers
Our primary infrastructure is in AWS Mumbai (ap-south-1). Some subprocessors (Stripe, Sentry, Cloudflare) process data in the United States and the EU. Where personal data moves out of India or the EEA, we rely on the contractual safeguards each provider offers (SCCs for EEA data, the equivalent under DPDP rules for Indian data).
10. Children
The Services aren't designed for or directed at children under 18. We don't knowingly create accounts for, or collect personal data from, children. If you believe a child has signed up, email us and we'll delete the account promptly. (Under India's DPDP Act, processing children's data requires verifiable parental consent, which we do not solicit.)
11. Changes
If we make a material change to this policy we'll email account holders and post a notice on this page at least 14 days before it takes effect. Smaller corrections (typo fixes, clarifications) will just bump the "Last updated" date above.
12. Contact
Grievance Officer: Blossomn Team · info@blossomn.com · Operated from India. We aim to acknowledge every privacy request within one business day.