Last updated May 31, 2026

Privacy policy.

What Blooup collects, what we refuse to touch, how we keep it safe, and the rights you have over it. Written in the plainest English a privacy document allows.

At a glance

The whole thing in six sentences.

A human summary of how we handle your data. The full policy sits below, section by section.

01

What we collect

Email, public URL, Package metadata, payment reference, and basic device info. The minimum an online service can run on.

02

What we never ask for

Your social passwords, your DMs, your raw card number, your biometrics. None of it ever touches our infrastructure.

03

Who we share with

Only the vendors that keep the site up (hosting, payments, email, analytics). No advertisers, no data brokers, no resale.

04

How we secure it

TLS in transit, AES-256 at rest, role-based access, audited regularly. Logs get purged on a schedule.

05

Your rights

Access, correct, export, or delete your data at any time. One message is enough to start the process.

06

Where it lives

Data may be processed in multiple regions. It is protected by the same controls regardless of the border it crosses.

This summary is for readability only. Where it differs from the full policy below, the full text controls.

The policy

Section by section.

The binding text. Each section opens with a plain-English summary on top and the full privacy language underneath.

Blooup collects the minimum data required to fulfill a Package, keep your account secure, and improve the product. We do not collect data we do not need, and we do not sell your data to anyone, ever.

The fields we store on our servers:

  • Email address, used only for automated receipts and Package progress updates. Support itself runs entirely through our on-site Help Desk.
  • Public social URL(s) you submit at checkout, used as the delivery target.
  • Package metadata: the service you bought, quantity, timestamps, and status.
  • Payment metadata: transaction reference, gateway used, amount, and currency. We never see or store full card numbers.
  • Device and connection basics: IP address, browser string, and referrer, retained only for security and fraud detection.

Anything we do not explicitly list here we do not knowingly collect. If a form on the site ever asks for something that feels unnecessary, open the Help Desk and we will remove it.

Our delivery model runs entirely against public endpoints. That means there are whole categories of data we never need and never request:

  • Passwords or two-factor codes for your social platforms.
  • Access tokens, OAuth grants, or any other login-derived credentials.
  • Private messages, DMs, drafts, or any non-public content.
  • Raw card numbers, CVVs, or PINs. Payment data flows directly to our PCI-DSS compliant processors (Stripe, PayPal, crypto processors).
  • Biometric identifiers, location coordinates, device contacts, or anything from your device beyond what a browser exposes to any site.

If a staff member or support agent ever asks for one of the items above, it is not us. Report it through the Help Desk on the site.

We use the data we collect for a short, defined list of purposes:

  • Service delivery. Running your Package against the public URL you gave us, tracking its progress, and reconciling the result to your account balance.
  • Communication. Sending receipts, progress updates, refill notifications, and replies when you reach out to support.
  • Security and fraud prevention. Detecting abuse, chargeback fraud, scraping, and other attacks against our infrastructure or other customers.
  • Product improvement. Aggregated, anonymized analytics on which services perform best, where users drop off, and what breaks, so we can fix it.
  • Legal obligations. Responding to lawful requests and keeping the financial records our jurisdiction requires us to keep.

We do not use your data to profile you for third parties, feed ad networks, or train external AI models. Your data works for you and for the delivery you paid for.

We share data with a tight set of infrastructure partners, each of whom is contractually bound to only process the data on our behalf and only for the purposes described below.

  • Payment processors. Stripe, PayPal, and crypto gateways receive the minimum data required to authorize and clear each transaction.
  • Cloud hosting. Our application, database, and backups run on audited cloud platforms with SOC 2 / ISO 27001 posture.
  • Email delivery. Automated transactional email (receipts and Package progress updates only) is sent through a reputable ESP. We do not run an inbound support inbox.
  • Analytics. Privacy-respecting, aggregated product analytics that never receive personally identifying fields.
  • Delivery network. The internal systems that perform the actual engagement delivery to the public URL you submit.

We do not share your data with advertisers, data brokers, social platforms, or any party whose business model is resale or targeting.

Every request to the site runs over TLS 1.2 or higher. Data at rest in our primary and backup stores is encrypted with AES-256 or a comparable industry standard.

Access to production systems is limited to a small number of engineers, mediated by short-lived credentials, and logged. Background access is reviewed on a rolling basis and revoked the moment it is no longer needed.

We run regular third-party security reviews of our payment flow, authentication stack, and delivery pipeline. When a vulnerability is found, it is fixed before the review closes.

No system is impossible to breach. If we ever suffer an incident that affects your data, we will notify you within the timelines required by applicable law and describe, in plain English, what happened and what we have done about it.

Our retention rules in one view:

  • Package records. Retained for the period required by the financial laws of our jurisdiction (typically 5 to 7 years) to support accounting, tax, and dispute obligations.
  • Active account data. Retained for as long as the account is active, and for up to 24 months after last activity to allow recovery.
  • Security logs. Retained for up to 18 months, after which they are aggregated into anonymous counters and deleted.
  • Support conversations. Retained for up to 24 months so we can reference context if you come back with a follow-up issue.

When retention ends, the data is deleted from our production systems and subsequently purged from backups on the next backup cycle.

We use a small number of cookies and a local-storage cache to make the site work. Categories in plain language:

  • Session. Keeps you signed in and keeps your cart consistent across pages.
  • Security. Detects replay attempts, CSRF, and other common attacks.
  • Preferences. Theme, language, and display preferences so the site remembers how you like it.
  • Anonymous analytics. Aggregate counts of which pages are used and which break. Never tied to your identity.
  • Local Package history. The status page caches your own Package IDs in your browser so you do not have to dig through email. This data lives on your device and is never transmitted back to us.

You can clear these at any time from your browser settings. The site keeps working without them, just with fewer comforts.

You can exercise the following rights at any time, regardless of where you live:

  • Right of access. Ask for a copy of the data we hold about you.
  • Right to rectification. Ask us to fix data that is wrong or out of date.
  • Right to erasure. Ask us to delete your account and associated data, subject to the retention rules above.
  • Right to data portability. Export your data in a portable, machine-readable format.
  • Right to object or restrict. Limit certain processing activities where local law allows it.
  • Right to withdraw consent. Pull back any consent you have given us at any time.

Reach out through the Help Desk on the site and we will action your request within the legally required timeframe, usually inside 30 days.

Our infrastructure is global. Your data may be processed in regions other than your own, including jurisdictions that differ from your country of residence.

When we transfer data across borders we rely on recognized legal mechanisms, such as the EU Standard Contractual Clauses and equivalent instruments, to ensure your data is protected to at least the standard that applied in its origin region.

Blooup is strictly intended for users who are at least 18 years old, or at least the age of majority in their jurisdiction, whichever is higher.

We do not knowingly collect data from minors. If we discover that we have collected data from a user below the age threshold, we delete that data as soon as we can verify it, and we close the associated account.

We may revise this Privacy Policy to reflect changes in the product, the law, or our infrastructure. The revision date at the top of this page always reflects the version currently in force.

For material changes, we surface a notice inside the app and on the site so you do not have to hunt for it. Continued use after a revision means you accept the updated policy.

For any question about your data, including access requests, deletions, corrections, or security concerns, reach out through the Help Desk on the site. Messages are routed to the right internal team automatically.

For requests that need a written record, use the contact page. We confirm receipt of every privacy message and assign a tracking reference you can refer back to.

End of document

Still got questions?

Our privacy team answers in minutes, not weeks. Reach out about any clause, any request, any concern.

Blooup · Privacy Policy · Revision May 31, 2026