Blūm Privacy Policy

Effective Date: March 14, 2026 Last Updated: March 14, 2026

Introduction

We built Blūm to help people on GLP-1 medications get more from their treatment by connecting their medication with the daily habits that support it.

Using Blūm means sharing personal and health information with us. We take that responsibility seriously.

This Privacy Policy explains:

  • What we collect
  • How we use it
  • Who we share it with
  • Your rights and choices
  • How to contact us

This Privacy Policy includes a Consumer Health Data Privacy Policy section at the end of this document with additional details about how we handle sensitive health information, as required by applicable state laws.

If anything here conflicts with platform-specific rules (e.g., Apple HealthKit), those platform rules apply in addition to this Policy.

Where This Policy Applies

Platform

How it works

iOS App

Requires account creation. Your data is stored securely in our cloud infrastructure in the United States.

Website

Static marketing site with basic analytics. We do not collect personal or health data on the website.

What We Collect (and Why)

Account Information

  • Name or display name
  • Email address
  • Sign in with Apple or Google credentials

Why? To create your account, sync your data, and enable account recovery.

Health Data (Optional)

If you choose to track your health in Blūm, we collect:

  • GLP-1 injection records (date, injection site, dose, time)
  • Medication type, dosage, and schedule
  • Side effects and wellness notes
  • Weight and body measurements
  • Protein intake, hydration, calorie balance, sleep, and movement data
  • Progress photos you choose to upload

Why? To provide your Blūm Score, estimated medication levels, habit tracking, and progress insights.

Estimated Medication Levels

Blūm generates an estimate of your active drug levels based on your medication type, dose, and injection schedule combined with published pharmacokinetic data. This is a computational estimate designed for personal awareness only. It is not a clinical measurement, diagnosis, or medical recommendation, and it is not reviewed or supervised by any healthcare professional. You should not use estimated medication levels to adjust your dosing or make treatment decisions without consulting your prescriber.

Why? To power your Blūm Score and help you understand where you are in your medication cycle.

Food Logging Data

Blūm offers three ways to log food: photo, voice, and manual entry. When you use photo or voice logging, your data is sent to the Anthropic API for nutritional analysis.

  • Photo logging: Your meal photo is transmitted to the Anthropic API for processing. Photos are not stored by Anthropic after processing is complete.
  • Voice logging: Your voice input is converted to text on-device and the text transcript is sent to the Anthropic API. We do not store audio recordings.
  • Manual entry: Processed and stored locally within Blūm.

Why? To estimate the nutritional content of your meals and contribute to your daily habit score.

AI Features (Chatbot, Notifications, and Insights)

Blūm uses the Anthropic API to power several features:

  • AI Chatbot: When you ask Blūm a question, your query is sent to the Anthropic API along with relevant context from your profile (such as your medication type and current habits) to generate a personalized response. Blūm’s AI draws from a knowledge base of over 100 expert GLP-1 articles.
  • Proactive Notifications: Blūm generates notifications based on your estimated medication levels and habit data. Notification content is generated using the Anthropic API.
  • Insights: Personalized insights about your progress are generated using the Anthropic API.

Your data is not used by Anthropic to train their models. Anthropic does not retain your data after processing is complete. Anthropic processes data in accordance with their API data usage policy. No AI-generated content in Blūm is reviewed, approved, or supervised by a medical professional before being delivered to you.

Why? To provide you with relevant, personalized guidance and timely prompts throughout your medication cycle.

Social Features (Pods)

Pods are optional accountability groups of typically 3 to 8 people. If you join a Pod, the following data is visible to other members:

  • Your display name
  • Your Blūm Score (percentage)
  • Your streak

The following data is never shared with Pod members:

  • Your weight or body measurements
  • Your calorie, protein, or nutrition data
  • Your medication type, dose, or schedule
  • Your progress photos
  • Your AI chatbot conversations

Joining a Pod is voluntary and requires your consent.

Why? To provide accountability and community support while keeping sensitive health details private.

Community Feed

Blūm includes a social community feed where users can post text, images, and other content visible to other Blūm users. If you post to the Feed, the following data may be visible to other users:

  • Your display name or username
  • Your profile photo (if you choose to add one)
  • The content of your posts (text and any images you upload)
  • Your post history within the Feed

The following data is never displayed in the Feed or visible to other users through it:

  • Your weight or body measurements
  • Your calorie, protein, or nutrition data
  • Your medication type, dose, or schedule
  • Your Blūm Score (unless you choose to share it in a post)
  • Your progress photos (unless you choose to share them in a post)
  • Your AI chatbot conversations
  • Your injection records

Content you choose to disclose. You may voluntarily share personal health information in Feed posts (e.g., writing about your experience with a side effect). Once posted, this information is visible to other users. Blūm is not responsible for personal health information you choose to disclose publicly through the Feed.

Content moderation and removal. We reserve the right to review, remove, or restrict Feed content that violates our Terms of Use. You can report content using the in-app reporting feature. You can delete your own posts at any time.

Data retention for Feed content. Feed posts are retained while your account is active. If you delete a post, it is removed from the Feed. If you delete your account, all of your Feed posts are permanently deleted within 30 days, consistent with our general data retention practices.

Why? To foster community, shared experience, and peer support among people on GLP-1 medications.

Provider-Ready PDF Reports

Blūm can generate summary reports of your progress that you can share with your healthcare provider. These reports are generated locally on your device and do not involve sending your data to the Anthropic API or any third party. Blūm does not transmit report data to any healthcare provider. You control if and when a report is shared.

Apple Health (Optional)

With your permission, Blūm can import data from Apple Health, including weight, steps, and other activity data. We use Apple Health data solely to provide and improve the features you request. We do not use Apple Health data for advertising, sale, or data brokering, and we do not combine it with third-party ad platforms.

You can disconnect Apple Health at any time in the app. Previously synced data in Blūm remains until you delete it.

Why? To reduce duplicate tracking and give you a more complete view of your daily habits.

Device and Technical Information

Automatically collected:

  • Device type and OS version
  • IP address and time zone
  • Crash logs and performance data
  • App usage analytics

Payment Information

Handled by the Apple App Store via our subscription management provider. We do not have access to your payment details.

Analytics

We use third-party analytics and attribution services to understand how people use and discover Blūm. All analytics data is encrypted in transit and at rest. Analytics services receive non-health data only. We do not send the contents of your health logs (injection records, weight, side effects, nutrition data, or wellness notes) to analytics or attribution providers.

Purposes and Legal Bases for Processing

We use your information for the purposes below. If you are in the EEA or UK, we also indicate our legal bases under the GDPR/UK GDPR.

Provide and Secure the Service

Create your account, maintain features, authenticate, prevent abuse, fix bugs, and secure the platform.

Legal bases: Contract (Art. 6(1)(b)); legitimate interests in security and fraud prevention (Art. 6(1)(f)); legal obligations where applicable (Art. 6(1)(c)).

Wellness Tracking and Insights (Health Data)

Store your injection, weight, and side effect logs, visualize trends, calculate your Blūm Score, and provide in-product insights.

Legal bases: Explicit consent for health data (Art. 9(2)(a)) combined with contract (Art. 6(1)(b)). You can withdraw consent at any time (see Your Privacy Rights).

AI-Powered Features (Health Data)

Process relevant health log data, medication information, and habit data to power the AI chatbot, proactive notifications, food logging analysis, and personalized insights via the Anthropic API.

Legal bases: Explicit consent for health data (Art. 9(2)(a)) combined with contract (Art. 6(1)(b)). You can withdraw consent at any time.

Community and Social Features

Enable Pods and the community Feed, including displaying your chosen display name, Blūm Score, streak, and Feed posts to other users.

Legal bases: Contract (Art. 6(1)(b)); consent where required for sharing health-adjacent information (Art. 6(1)(a)).

Analytics and Product Improvement

Understand feature adoption, diagnose performance issues, and improve the user experience.

Legal bases: Legitimate interests (Art. 6(1)(f)). We do not include the contents of your health logs in third-party analytics payloads.

Communications

Send transactional messages (account, security, legal), respond to support requests, and send marketing messages with your consent where required.

Legal bases: Contract; legitimate interests (service communications); consent (marketing).

Compliance

Comply with law, enforce our Terms, and protect our rights and users.

Legal bases: Legal obligations (Art. 6(1)(c)); legitimate interests (Art. 6(1)(f)).

Where and How We Store Your Data

Storage

Notes

Cloud hosting infrastructure

Data stored securely in the United States

Anthropic API

Data processed for AI features only; not retained by Anthropic after processing

Apple Health

Data stays on your device and in your iCloud account

All data is encrypted in transit and at rest.

How Long We Keep Your Data

Data Type

Retention

Account and contact information

Life of account + 30 days after deletion

Health logs (injections, weight, side effects, nutrition)

Until you delete them, or 24 months of inactivity, whichever comes first

AI chatbot conversations and notification logs

Until you delete them, or 24 months of inactivity, whichever comes first

Feed posts

Until you delete them, or until account deletion (permanently removed within 30 days)

Support emails and tickets

24 months

Event telemetry and server logs

12 to 18 months

Crash and performance logs

12 to 18 months

Backups

Rolling 30 to 90 days

Privacy rights requests and appeals records

24 months (compliance audit trail)

Aggregated, non-identifiable analytics

May be retained indefinitely for product improvement

Your Privacy Rights

Depending on where you live, you may have rights to:

  • Access your data
  • Export your data
  • Correct inaccurate data
  • Delete your data
  • Restrict or object to certain uses
  • Withdraw consent at any time

You can manage these directly in the app under Settings > Account, or email us at: contact@joinblum.com

We honor Global Privacy Control (GPC) signals as an opt-out of sale or sharing where applicable under law.

See the Region-Specific Disclosures section below for additional details about your rights based on your location.

Who We Share Data With (and Why)

We share data only with trusted service providers who help us operate Blūm. These providers can only use your data to provide their specific services.

Category

Purpose

Cloud hosting provider

Data storage and infrastructure

AI processing provider (Anthropic)

Chatbot, notifications, insights, and food logging analysis

App distribution and payments (Apple)

App Store distribution, payments, and HealthKit integration

Subscription management provider

Managing subscriptions and purchase metadata

Crash reporting and error monitoring provider

Bug tracking, crash reporting, and app reliability

Analytics provider

Product analytics (non-health data only)

Attribution provider

Install and source attribution (non-health data only)

Email delivery provider

Transactional and marketing email delivery

We name Anthropic and Apple explicitly because of the nature of their role in processing your data. Other providers are described by category. Processors may change over time; we will update this Policy when material changes occur.

We enter Data Processing Agreements (DPAs) with processors, require appropriate technical and organizational measures, and use lawful transfer mechanisms (e.g., Standard Contractual Clauses, UK IDTA) when data moves internationally.

We do not sell your data. We do not share your data for advertising purposes. We do not engage in data brokering. We do not combine your health data with third-party advertising platforms.

Third-Party Collection

We do not intend to allow third parties to collect health data from you on the Blūm website. Within the app, we do not send your health entries (injection logs, dosage, side effects, weight entries, nutrition data, or wellness notes) to analytics or attribution providers.

Region-Specific Disclosures

European Economic Area (EEA) and United Kingdom

Controller: Blum Incorporated

Legal bases: See the Purposes and Legal Bases for Processing section above.

Your rights: Access, rectification, erasure, portability, restriction, objection (including to processing based on legitimate interests), and the right to withdraw consent at any time. Withdrawing consent does not affect the lawfulness of processing performed before withdrawal.

Complaints: You can lodge a complaint with your local supervisory authority. We welcome contacting us first at contact@joinblum.com.

EEA/UK privacy contact: contact@joinblum.com

If we appoint an EU/UK representative or Data Protection Officer, we will update this Policy.

United States: California (CCPA/CPRA)

If you are a California resident, you have rights under the California Consumer Privacy Act and the California Privacy Rights Act.

We do not sell or share personal information for cross-context behavioral advertising.

Your CCPA/CPRA rights include: The right to know what personal information we collect, access it, correct it, delete it, and port it; the right to limit use and disclosure of sensitive personal information; and the right not to be discriminated against for exercising your rights.

Categories of personal information collected: Identifiers (name, email), account records, internet and app activity data (event telemetry), health information you provide, and inferences we generate to provide insights and your Blūm Score.

Sources: Directly from you; your device and app; integrations you connect (e.g., Apple Health).

Purposes and disclosures: See the Purposes and Legal Bases for Processing section and the Who We Share Data With section above.

Sensitive personal information: We use health data only to provide the features you request. We do not use it to infer characteristics about you for advertising purposes.

Global Privacy Control: We honor GPC signals as an opt-out of sale or sharing where applicable. As of the effective date of this Policy, we do not sell or share personal information.

Authorized agents: You may authorize an agent to submit privacy requests on your behalf. We may require written proof of authorization and may still verify your identity directly.

Automated decision-making: Blūm does not use automated decision-making technology to make decisions that produce legal or similarly significant effects concerning you.

How to submit a request: Email contact@joinblum.com. We will verify your identity and respond within the timelines required by California law. If we deny a request, you may appeal by replying to our response.

United States: Washington (My Health My Data Act) and Nevada (Consumer Health Data)

We collect consumer health data that you provide, including injection logs, weight, side effect entries, nutrition data, and optional Apple Health data. We use it only for the purposes described in this Policy. We obtain your consent before collecting health data and you may withdraw consent at any time.

We do not sell consumer health data. We do not share consumer health data for advertising. We do not engage in geofencing around healthcare facilities or other locations to identify, track, collect data from, or send notifications to individuals for the purpose of inferring health status.

Your rights (WA/NV): Access, delete, withdraw consent, and appeal denials.

How to submit a request: Email contact@joinblum.com. We will verify your identity and respond within the timelines required by law. If we deny a request, you may appeal by replying to our response. If you remain unsatisfied, you may contact your state Attorney General.

United States: Other States

Residents of other U.S. states with applicable consumer privacy laws (including but not limited to Colorado, Connecticut, Delaware, Iowa, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Tennessee, Texas, Utah, and Virginia) may have similar rights to access, correct, delete, and port their personal data, and to opt out of certain processing. To exercise any privacy right available to you under applicable law, email contact@joinblum.com. We will verify your identity and respond within the timelines required by your state’s law. If we deny a request, you may appeal by replying to our response.

Data Controller

Blum Incorporated is the data controller responsible for your information under this Privacy Policy.

Blum Incorporated 30 N Gould St, Ste R Sheridan, WY 82801 United States

For any questions or privacy requests, contact us at: contact@joinblum.com

International Data Transfers

Your data may be stored or processed in the United States. Where required (such as under GDPR), we use appropriate safeguards including Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum (IDTA), plus supplementary measures as needed, for international data transfers.

Details are available on request at contact@joinblum.com.

Children’s Privacy

Blūm is not intended for individuals under 18. We do not knowingly collect data from anyone under 18. If we learn we have collected such data, we will delete it. If you believe someone under 18 has provided us data, contact contact@joinblum.com.

Security

We use administrative, technical, and physical safeguards appropriate to the nature of the data we process, including encryption in transit and at rest, access controls, and regular review of systems and logs. No method of transmission or storage is 100% secure.

Changes to This Policy

We may update this Privacy Policy from time to time. If changes are material, we will notify you in-app or by email and indicate the effective date at the top. Continued use of Blūm after the effective date means you acknowledge the updated Policy. We will always post the latest version at joinblum.com/privacy.

Contact Us

Have questions or feedback? Email us at: contact@joinblum.com

Consumer Health Data Privacy Policy

This policy supplements our main Privacy Policy and explains how we handle sensitive health information, as required by state consumer health data laws including Washington’s My Health My Data Act (MHMDA), Nevada’s SB 370, and other applicable state privacy laws including those in Connecticut, Virginia, California, Colorado, Maryland, and other states with consumer health data protections.

What This Policy Covers

This policy applies to “consumer health data” as defined under applicable state laws, which broadly includes personal information linked to a consumer that identifies their past, present, or future physical or mental health status.

Health Data We Collect

  • GLP-1 injection records (date, site, time, dosage)
  • Medication type, dosage, and schedule
  • Side effects and wellness notes
  • Weight and body measurements
  • Nutritional data (protein, hydration, calories, sleep, movement)
  • Progress photos
  • Estimated medication levels (derived from pharmacokinetic modeling based on your inputs)
  • Data imported from Apple Health (with your permission)

We collect this data when you enter it directly into the app, through AI-assisted food logging (photo and voice), or through Apple Health integration with your permission.

How We Use Health Data

  • To provide Blūm’s core features, including your Blūm Score, estimated medication levels, and habit tracking
  • To generate AI-powered notifications, insights, and chatbot responses via the Anthropic API
  • To generate provider-ready PDF reports locally on your device
  • To display your Blūm Score to Pod members (if you opt in to a Pod)
  • To enable the community Feed, where you may voluntarily share health-related experiences with other users
  • To improve app reliability, security, and performance
  • To comply with legal obligations

We will never use your health data for advertising. We will never sell your health data. We do not engage in data brokering with your health data. We do not combine your health data with third-party advertising platforms.

Who We Share Health Data With

We may share health data with:

  • Anthropic for AI processing (chatbot, notifications, insights, food logging). Anthropic does not use your data for model training and does not retain your data after processing is complete.
  • Trusted infrastructure providers (such as cloud hosting) for secure storage and core app functionality
  • Other Blūm users only when you voluntarily post health-related content to the community Feed or share your Blūm Score and streak through Pods. We do not automatically share your structured health data (injection records, weight, nutrition, medication details) with other users.
  • Service providers if needed to resolve a support issue
  • In a corporate transaction (if Blūm is acquired or merged, you will be notified and will have the opportunity to delete your data before any transfer takes effect)

All vendors are required to handle your data securely and only for the purposes of providing their services.

Third-Party Collection

We do not intend to allow third parties to collect health data from you on the Blūm website or within the app. We do not send your health entries to analytics or attribution providers.

Your Rights

Under applicable state consumer health data laws, you have the right to:

  • Access your health data
  • Export your health data
  • Delete your health data, including from archived or backup systems
  • Withdraw consent for collection or sharing at any time

You can exercise these rights directly in the app under Settings > Account, or by emailing us at contact@joinblum.com. We will respond to requests within 45 days.

If we deny a request, you can appeal by emailing us. If you are still unsatisfied, you may contact your state Attorney General.

Consent

We collect health data based on your consent or when processing is necessary to provide a feature you have requested. If we intend to use your health data for any purpose not described in this policy, we will obtain your consent first. You may withdraw consent at any time.

Data Retention and Deletion

We retain your health data while your account is active, subject to the retention schedule in the main Privacy Policy. If you delete your account, identifiable health data is permanently deleted within 30 days, including from archived and backup systems. Aggregated, non-identifiable data may be retained for product improvement.

To delete your account: Settings > Account > Delete Account in the app, or email contact@joinblum.com.

Geofencing

We do not use geofencing around healthcare facilities or other locations to identify, track, collect data from, or send notifications to individuals for the purpose of inferring health status.

Questions?

Email us at: contact@joinblum.com