Privacy Policy

Effective Date: January 31, 2026 ยท Last Updated: January 31, 2026

Privacy at a Glance
๐Ÿ”’ Your data is encrypted in transit and at rest
๐Ÿšซ We never sell your personal data
๐Ÿ‘๏ธ Read-only access to your bank data
๐Ÿ—‘๏ธ Delete your data anytime
๐Ÿ‡ช๐Ÿ‡บ GDPR and UK GDPR compliant

Bloom Corp Ltd ("Bloom", "we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our Lumo mobile application and related services (the "Service").

We are the data controller for the personal data we collect through the Service. We are committed to processing your data in compliance with the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and the Data Protection Act 2018.

1. Information We Collect

1.1 Information You Provide

When you create an account and use our Service, you may provide:

Account Information
Name, email address, password (hashed)
Profile Information
Display name, preferences, settings
Financial Goals
Goal names, amounts, target dates, descriptions
Communications
Support requests, feedback, survey responses

1.2 Financial Data from Connected Accounts

When you connect your bank accounts through Open Banking, we receive:

Account Details
Account name, type, balance, currency, account identifiers
Transactions
Date, amount, description, merchant name, category (where provided)
Institution Info
Bank name, logo, connection status
Important: We only have read-only access. We cannot make payments, transfers, or changes to your accounts.

1.3 Information Collected Automatically

When you use the Service, we automatically collect:

Device Information
Device type, operating system, app version, unique device identifiers
Usage Data
Features used, screens viewed, interaction timestamps
Technical Data
IP address, error logs, performance metrics

1.4 Derived Information

We create derived information from your data to provide our Service:

  • Financial health scores and metrics
  • Transaction categories and merchant mappings
  • Spending patterns and trends
  • Cash flow forecasts and projections
  • Personalised insights and explanations

2. How We Use Your Information

We process your personal data for the following purposes and legal bases:

2.1 To Provide the Service (Contract Performance)

  • Creating and managing your account
  • Connecting to your bank accounts via Open Banking
  • Displaying your financial data and calculating health scores
  • Generating forecasts, insights, and explanations
  • Tracking your financial goals
  • Providing customer support

2.2 To Improve the Service (Legitimate Interests)

  • Analysing usage patterns to improve features
  • Training and improving our AI models on aggregated, anonymised data
  • Identifying and fixing technical issues
  • Conducting research and analytics

2.3 For Security and Compliance (Legal Obligation & Legitimate Interests)

  • Protecting against fraud and unauthorised access
  • Enforcing our Terms of Service
  • Complying with legal requirements
  • Responding to legal requests

2.4 For Communications (Consent & Legitimate Interests)

  • Sending service-related notifications (essential)
  • Sending product updates and tips (with consent)
  • Responding to your enquiries

3. How We Share Your Information

We do not sell your personal data. We may share your data with:

3.1 Service Providers

Open Banking Providers
To connect to your bank accounts (e.g., TrueLayer, Plaid)
Cloud Infrastructure
To host and operate our Service (Amazon Web Services)
Authentication
To secure your account (AWS Cognito)
AI Services
To provide insights and copilot features
Analytics
To understand and improve service usage

All service providers are contractually obligated to protect your data and use it only for specified purposes.

3.2 Legal Requirements

We may disclose your data if required by law, court order, or government request, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

3.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your data may be transferred. We will provide notice and any applicable choices.

4. Data Security

We implement robust security measures to protect your data:

4.1 Technical Safeguards

  • Encryption in transit using TLS 1.2 or higher
  • Encryption at rest using AES-256
  • Secure token storage on your device
  • Regular security assessments and penetration testing
  • Multi-factor authentication support

4.2 Organisational Safeguards

  • Strict access controls and least-privilege principles
  • Employee security training
  • Incident response procedures
  • Regular audits and compliance reviews

4.3 Open Banking Security

When you connect bank accounts:

  • You authenticate directly with your bank - we never see your banking credentials
  • Connections use secure, regulated Open Banking APIs
  • Access tokens are stored encrypted and can be revoked at any time

5. Data Retention

We retain your data for as long as necessary to provide the Service and fulfil the purposes described in this policy:

Account Data
Until you delete your account, plus 30 days for deletion processing
Financial Data
Rolling 24 months of transaction history
Derived Insights
Until account deletion or data refresh
Usage Analytics
Aggregated and anonymised after 12 months
Legal/Compliance
As required by law (typically 7 years for financial records)

6. Your Rights

Under data protection laws, you have the following rights:

Right to Access
Request a copy of your personal data we hold. You can export your data directly from the app.
Right to Rectification
Request correction of inaccurate personal data. Update your profile directly in the app.
Right to Erasure
Request deletion of your personal data. Delete your account in Settings to exercise this right.
Right to Restrict Processing
Request that we limit how we use your data in certain circumstances.
Right to Data Portability
Receive your data in a structured, commonly used format. Export available in app.
Right to Object
Object to processing based on legitimate interests or for direct marketing.
Right to Withdraw Consent
Withdraw consent at any time where processing is based on consent.

To exercise any of these rights, please contact us through the app or via the contact details below. We will respond within 30 days.

7. Bank Connection Management

You maintain full control over your bank connections:

7.1 Connecting Banks

When you connect a bank account, you are redirected to your bank's secure authentication page. We never see your banking login credentials.

7.2 Disconnecting Banks

You can disconnect bank accounts at any time:

  • Through the Lumo app Settings
  • Through your bank's Open Banking management portal
  • By contacting us directly

When you disconnect, we revoke access tokens and stop receiving new data. Previously synced data can be deleted upon request.

7.3 Consent Duration

Open Banking consent typically lasts for 90 days, after which you may need to re-authenticate. We will notify you when re-authentication is needed.

8. AI and Automated Processing

8.1 How We Use AI

Lumo uses artificial intelligence to:

  • Categorise your transactions
  • Calculate financial health scores
  • Generate forecasts and projections
  • Provide explanations and insights through the copilot

8.2 Automated Decision-Making

We do not make automated decisions that have legal or similarly significant effects on you. All AI-generated insights are informational only and do not result in automatic actions on your accounts.

8.3 AI Training

We may use aggregated, anonymised data to improve our AI models. Your individual data is never shared in identifiable form for AI training purposes.

9. International Data Transfers

Your data may be processed in countries outside the UK or EEA. When we transfer data internationally, we ensure appropriate safeguards:

  • Standard Contractual Clauses (SCCs) approved by the UK/EU
  • Adequacy decisions for approved countries
  • Binding Corporate Rules where applicable

Our primary cloud infrastructure is hosted in AWS regions within Europe.

10. Children's Privacy

Lumo is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children. If we learn that we have collected data from a child, we will take steps to delete it promptly.

11. Cookies and Tracking

Our mobile app does not use cookies. We may use the following tracking technologies:

  • Device identifiers for app analytics
  • Crash reporting for stability improvements
  • Push notification tokens for alerts

You can control tracking through your device settings.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes through:

  • In-app notifications
  • Email to your registered address
  • Updated "Last Updated" date at the top of this policy

We encourage you to review this policy periodically. Continued use of the Service after changes indicates acceptance of the updated policy.

13. Contact Us

If you have questions, concerns, or requests regarding your privacy or this policy:

Data Protection
Bloom Corp Ltd
United Kingdom
Email:

You also have the right to lodge a complaint with a supervisory authority. In the UK, this is the Information Commissioner's Office (ICO) at ico.org.uk.

Your privacy matters to us. If you have any questions