Privacy Policy
Last updated: 25 May 2026
This Privacy Policy explains how your personal data is processed when you use Bluumme — both the mobile app (iOS, Android) and the website at https://bluumme.com. We comply with the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).
1. Controller
Emir Atay
Metzer Str. 62
40476 Düsseldorf
Germany
Email: hello@bluumme.com
A Data Protection Officer is not required by law (Art. 37 GDPR, § 38 BDSG).
2. Data we process
2.1 Account data
When you sign up, we collect: email address, username, password (hashed), optional display name, optional profile picture.
For "Sign in with Apple": an anonymised Apple identifier, optional email (including Apple's private relay). For "Sign in with Google": email, name, profile picture URL if available.
2.2 Content
Photos, videos, captions, comments, likes, saved challenges, streak data and ranking data.
2.3 Location data (only with consent)
If you choose to attach a location to a post, we store the approximate coordinates of that post. You can revoke location access at any time in your device settings or in the app's settings.
2.4 Device and usage data
IP address (truncated in logs), device type, OS version, app version, language setting, crash reports, performance metrics.
2.5 Push notifications (only with consent)
If you enable notifications, we store a device-specific token in order to send you e.g. streak reminders or challenge updates.
2.6 Moderation and safety data
When you use the safety tools in the app we store the minimum data needed to act on them:
- Reports — if you report a post or another user, we store your user id, the reported id, the chosen reason category (spam, harassment, nudity, hate, or other), and a timestamp.
- Blocks — if you block another user, we store both user ids and a timestamp so we can hide content in both directions.
- EULA acceptance — we record the timestamp and version of the terms you accepted at sign-up so we know when re-acceptance is required.
2.7 Automated content filtering
At post creation we run a small profanity filter over captions and usernames that blocks universally recognised slurs in the languages we ship. No content is logged; only the rejection event is surfaced to you in the app.
2.8 Direct messages
If you choose to send a direct message (DM) to another Bluumme user, we store the following so the conversation can be delivered and shown to both participants:
- The sender and recipient user ids.
- The message content (text and, if attached, the in-app captured image or video reference).
- A timestamp and read/delivery state.
DMs are transmitted over TLS (HTTPS) and stored encrypted at rest by our processor (Google Cloud / Firestore, AES-256 server-side encryption). They are not end-to-end encrypted — Bluumme staff can in principle access message contents in order to respond to lawful requests, abuse reports, or court orders. We do not read DMs for advertising, profiling, or model training, and we do not share their contents with third parties.
You can delete an individual message or an entire conversation at any time from within the app. Deleting your account also deletes all DMs you sent; DMs you received are removed from your view but remain in the recipient's inbox until they delete them (this mirrors how email works).
3. Purposes and legal bases
| Purpose | Legal basis |
|---|---|
| Providing the service (account, feed, posts, ranking) | Art. 6(1)(b) GDPR — performance of a contract |
| Direct messages between users | Art. 6(1)(b) GDPR — performance of a contract |
| Location attached to posts | Art. 6(1)(a) GDPR — consent |
| Push notifications | Art. 6(1)(a) GDPR — consent |
| Security, abuse prevention, moderation | Art. 6(1)(f) GDPR — legitimate interest |
| Crash reports and performance analysis | Art. 6(1)(f) GDPR — legitimate interest |
| First-party analytics — understanding how features are used (sign-ups, activation, retention) to improve the app | Art. 6(1)(f) GDPR — legitimate interest |
| Compliance with legal obligations (e.g. deletion requests) | Art. 6(1)(c) GDPR |
4. Recipients and international data transfers
We use the following processors:
4.1 Google (Firebase)
Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (with data processing also in the United States by Google LLC).
Services used: Firebase Authentication, Firestore (database), Cloud Storage, Cloud Functions, Crashlytics.
Legal basis for US transfer: EU-US Data Privacy Framework (DPF). Google is certified under the DPF.
Privacy Policy: https://policies.google.com/privacy
DPF entry: https://www.dataprivacyframework.gov
4.2 Apple (Sign in with Apple, App Store, Push)
Apple Distribution International Ltd., Hollyhill Industrial Estate, Hollyhill, Cork, Ireland.
Privacy Policy: https://www.apple.com/legal/privacy/
4.3 Website hosting
Firebase Hosting (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland)
4.4 Internal moderation alerting
New reports trigger an internal notification to the operator via a private Discord webhook so we can meet the 24-hour review commitment. The webhook receives the report id, reason category, and the public handle of the reported account — never private account information, post content beyond the public caption, or any personal data of the reporter beyond their public display name.
We do not sell data to third parties. We do not share data with advertising networks.
5. Retention
| Data | Retention period |
|---|---|
| Active account data | As long as your account exists |
| Posts, comments, likes | As long as your account exists or until you delete them |
| Direct messages | Until you delete the message/conversation, or until either participant deletes their account |
| EULA acceptance timestamp + version | As long as your account exists |
| Block records | Until you unblock the user or your account is deleted |
| Reports (post or user) | 12 months for abuse prevention |
| Data after account deletion | Up to 30 days in backups, then irrevocably deleted |
| Server logs (truncated IP) | 14 days |
| Crash reports | 90 days |
6. Your rights
Under the GDPR you have the right to:
- Access (Art. 15 GDPR) — find out what data we hold about you.
- Rectification (Art. 16 GDPR) — correct inaccurate data.
- Erasure (Art. 17 GDPR) — the "right to be forgotten". In the app: Settings → Delete account.
- Restriction of processing (Art. 18 GDPR).
- Data portability (Art. 20 GDPR) — export your data in JSON format. In the app: Settings → Export data.
- Object (Art. 21 GDPR) to processing based on legitimate interests.
- Withdraw consent (Art. 7(3) GDPR), e.g. for location or push notifications, in the app's settings.
To exercise these rights, contact hello@bluumme.com or use the in-app controls.
Right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint with a data protection authority, in particular:
State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia (LDI NRW)
Kavalleriestraße 2-4, 40213 Düsseldorf, Germany
https://www.ldi.nrw.de
7. Minors
Bluumme is intended for users aged 13 and over. In Germany, persons under 16 require parental consent under Art. 8 GDPR. We do not knowingly register children under 13.
8. Security
We use TLS for data in transit, Firebase default encryption for data at rest, hashed passwords (bcrypt via Firebase Auth), and restrict access to production data to the controller.
9. Cookies and tracking
The Bluumme app itself does not set cookies. The website uses only strictly necessary cookies (session, language preference). No advertising or analytics cookies are set without your explicit consent.
10. Automated decisions
We do not use automated decision-making or profiling within the meaning of Art. 22 GDPR. The ranking system is based on published posts and interactions but has no legal or similarly significant effect on you.
11. Apple Privacy Nutrition Label & Google Data Safety
The following summary corresponds to our declarations on the App Store and Google Play.
- Data linked to your identity: email, username, photos, videos, profile information, location (if opted in).
- Data used for app functionality: all of the above plus crash data and performance data.
- Data used for first-party analytics: usage and interaction data (e.g. posts, follows, challenge participation) is processed only by us, in aggregate, to understand how features are used and to improve Bluumme. This data is never used for advertising and is never shared with third parties for their own purposes.
- Data used for advertising or cross-app tracking: none.
- Data sold or shared with brokers: none.
- Data retention: see section 5.
12. Changes to this Privacy Policy
We may update this Privacy Policy to reflect new legal requirements or changes to the service. We will announce material changes in the app and by email at least 14 days before they take effect.