Privacy policy

Bloomyroom is a small studio operating from Dubai, United Arab Emirates. When this policy refers to "we", "us" or "Bloomyroom" it refers to the studio. For any privacy-related question, contact us at the email shown at the bottom of this page.

Our service is intended for clients in the United Arab Emirates. We follow the principles of the UAE Federal Decree-Law No. 45 of 2021 (Personal Data Protection Law) and the EU General Data Protection Regulation as best practice.

When you submit the floral brief on /start we collect: your first name and family name, email address, WhatsApp number, the city of the space, the type of space (apartment, restaurant, etc.), photos of the space you upload, the optional space size in sqm, the moods you choose, any colors or flowers you want to avoid, allergies if you mention them, environmental constraints (pets, children, air conditioning), maintenance level, budget per delivery, frequency, optional brand keywords for venues, and the locale (English or French) you are browsing in.

Once we generate your floral plan we also store the plan details and the analysis the AI produced from your photos. If you confirm the order we record the order status, the partner florist we assign, the pre-delivery validation photo when applicable, and the delivery details.

For technical reasons we also process your IP address (rate limiting and security) and minimal cookie data (your language preference, and an admin session cookie that only applies if you are signed in to the admin dashboard).

Performance of contract: most of the data is necessary to design and deliver the floral program you requested. Without your name, contact details, photos and brief we cannot create the plan or schedule the delivery.

Legitimate interest: rate-limiting protects the service from abuse, error monitoring helps us fix bugs, and audit logs protect you and us from disputes about what was confirmed and when.

Consent: you give consent by submitting the brief. You can withdraw it at any time by emailing us — see "Your rights" below.

Partner florists: when we assign a florist to your order, the florist receives the brief required to prepare the arrangement, including the address window for delivery and the photos you uploaded. Florists are bound by our briefing process and use the data only to fulfil your order.

Anthropic, PBC: photos and the brief text are sent to api.anthropic.com to generate the floral plan. Anthropic is a sub-processor for the AI step. Their privacy practices are documented at anthropic.com/privacy.

Supabase, Inc.: stores the database rows and the photos in the cloud. Region: Singapore by default.

Resend, Inc.: sends operational emails (admin notifications when a plan is generated). Resend processes the recipient address and email body only.

Vercel, Inc.: hosts the website and the serverless functions that run the application.

Sentry, Inc.: receives error reports when the application crashes, with personally identifiable fields stripped before transmission.

We never sell your data. We never share it for marketing or advertising. The list above is exhaustive.

Draft plans: 48 hours from generation. After that they are marked expired automatically and stop being shown.

Confirmed plans and orders: kept for as long as the business relationship lasts, plus six years after the last interaction for accounting and dispute-resolution requirements under UAE commercial law.

Photos you uploaded: kept while the plan is active. Photos are removed when you ask us to delete your data.

Pre-delivery validation photos: kept for 90 days after delivery, then removed.

Audit log: kept for 24 months for security and dispute resolution, then aggregated.

You can ask us at any time to: see the data we hold about you, correct anything that is wrong, delete your data, receive a copy of your data in a portable format, restrict how we process it, or object to processing on legitimate-interest grounds.

To exercise any of these rights, send an email to the address at the bottom of this page from the address we have on file. We will reply within 30 days and process the request within the same window.

If you believe we have not handled your data correctly you can lodge a complaint with the UAE Data Office at dataoffice.gov.ae or, if you are an EU resident, with your national data protection authority.

We set two cookies, both strictly functional. We do NOT use any tracking, advertising, or analytics cookies. We do NOT use Google Analytics, Meta Pixel or similar.

`flor_locale`: stores your language preference (en or fr). Set when you click the language switch. One year. Read both server- and client-side.

`flor_admin`: a signed admin session cookie. Only set if you sign in to the admin dashboard at /admin. HttpOnly, Secure, SameSite=Strict, expires after seven days.

Our service is intended for adults purchasing floral programs. We do not knowingly collect data from anyone under the age of 18. If you believe a minor has submitted information, contact us and we will remove it.

We may update this policy as the service evolves. The "last updated" date at the top reflects the most recent change. Material changes will be communicated by email to clients with active orders.

For any privacy-related question or to exercise a right described above: hello@bloomyroom.com (or the email used to send your floral plan).