Please read this policy carefully before using Bloom’s services.
When visiting Bloom Diagnostics AG/GmbH (“Bloom”, “us”,”our” or “we”) website at www.bloomdiagnostics.com (our “Website”), using our Bloom System (mobile application: “Bloom App”, Bloom Lab and Bloom Test) or using any other of our offered services (the “Services”), it may be possible that we will need to process your personal data.
The protection and privacy of your personal data is very important to us and we are legally obliged to ensure it. We process your data exclusively on the basis of statutory provisions (GDPR, DSG, TKG 2003 (Telecommunications Act)). Below we will inform you about the processing of your personal data by us and the rights you are entitled to under the General Data Protection Regulations (GDPR).
Responsible for data processing (data controller) is Bloom, which consists of:
Bloom Diagnostics AG
8044 Zürich, Switzerland
Bloom Diagnostics GmbH (daughter company of AG)
Börseplatz 6 / 2 / 19-20
1010 Wien, Austria
Company number: FN 421045 i
General contact email address:
Tel.: +43 1 929 72 96
For all complaints, questions and suggestions on data protection, we are always at your disposal. We will treat your request with the necessary discretion and thoroughness.
Our data protection officer can be contacted via:
Tel.: +43 1 929 72 96
We process both the data that you announce to us and the data that we receive through your use of our online presence, products and services.
All locations and companies of Bloom have to follow the policies, processes and other GDPR-relevant instructions created and executed by Bloom Diagnostics GmbH (Controller).
2. Data strategy
Data will always be treated with confidentiality and only for the intended purpose, whilst always protecting the user’s/customer’s identity and privacy. To achieve these goals different security measures are in place. This includes e.g. pseudonymization, anonymization, data silos, as well as different organizational and administrative measures to protect all data. We will only process your personal data for the purpose for which data was collected, or for a purpose that we reasonably believe is compatible with the original purpose. Where we intend to further process your personal data for a purpose other than for which it was collected, Bloom Diagnostics will notify you prior to that processing and if necessary, ask for your consent. Please note, that processing of your personal data without your knowledge or consent will only happen if required by law.
3. Processing of personal data that you provide
We will only process your data in a GDPR-compliant way., The details depending on the respective activity are listed below. The following sections will describe in detail to you for which purposes and on what legal basis we process data, as well as if it is shared with any third parties. This should give you full transparency, as we never want to process data without your knowledge.
Personal data will be kept for as long as necessary to achieve its purposes but in no event longer than
- your account remains active
- Data is no longer needed for a specific purpose
- It is required by law that your request for deletion is accepted.
Personal data that we process falls under one of the following categories:
- Date of birth
- Contact Information: e.g.email address, phone number
- Address/Shipping Information
- Bank information
- Medical information: symptoms of your illness, potential causes of your illness/symptoms, your medical history, any allergies you have, or further information required of your current health status (only processed when using Bloom System)
- Browser data, server logs, cookies, IP addresses etc.
Not all data above is processed for all purposes listed. This depends on the purpose of processing, but we aim to use only the minimal required data necessary for the intended operation.
3.1 Data processing in the context of contacting us
If you contact us (e.g. by email, contact form, telephone), the processing of your data to carry out (pre)contractual measures to fulfill your request will take place. Your request and/or any data gathered during aiding you with your request, feedback or complaint, as well as the media of contact can be stored and processed, if it helps to solve current issues and prevent future issues, can benefit customers as well as on the legal basis of legitimate interests for Bloom Diagnostics.
If a request receives us, that we associate with one of our direct distributors, and/or a request cannot be handled in-house accordingly, your request and contact information, or any other data directly concerning this request, will be transferred to our direct distributor. This data transfer is on the basis of legitimate interests for our customers, as we want to provide adequate information on their requests and support in an efficient manner. Our partners are obligated as well to be fully GDPR compliant.
When we receive certain complaints we are obliged to notify competent authorities of the corresponding country (e.g. Austria - BASG) via their provided platform as a part of our legal obligation for medical device incident reporting. For this purpose some of your information might be shared with them on the legal basis of a legal obligation.
3.2 Data processing in the context of a (possible) business relationship
The processing of your data takes place to fulfill a (pre)contractual relationship in the context of a business relationship. Your data will be processed for the formal treatment of our business transactions, for the purposes of testing and evaluating, for customer satisfaction, to assess the quality of services used and for the sale of goods and services. This also includes (pre)sale activities, such as demo meetings, presentations and similar for possible customers.This business transaction will only cover the agreed on scope and data will not be used for additional purposes. If you decide against a business relationship but show interest in future products or services we will inform you of those on the basis of legitimate interest. We will then delete your data latest 3 years after your last interest was shown or, if requested by you, earlier.
When using our Webshop, we process your data (contact, shipping and payment information) on the legal basis of a contractual relationship. Necessary data is also processed by the webshop provider, payment agency that you have chosen, as well as with our logistic partner in order to properly handle your requested business transaction.
3.3 Data processing for the handling of events
If you participate in our events and for the organization and implementation of events, the processing of your data takes place for the fulfillment of a contractual relationship, our legitimate interests in a smooth handling of the event or your informed consent. If data shall be shared with third parties prior information would be provided.
3.4 Data processing for the purpose of direct mail
The processing of your data takes place on the basis of your consent (e.g. newsletter) and purposes in initiating business concerning our own delivery or service offer, as well as keeping you updated about Bloom as a company and its products.
3.5 Data processing in the context of app usage
When installing the app, the user can create an account, which data will be processed on the legal basis of a contractual relationship. Based on the legal basis of a contractual relationship the user agrees to allow Bloom the processing of medical and health(-related) data. Since that falls under special category data (Art. 9 GDPR) consent is legally required, additionally to the legal basis, to allow processing. We require your consent to use our product, as otherwise no correct and intended use is possible. This includes data from the measurement of a Bloom Test Strip itself and the data put in as part of the questionnaire taken whilst measuring. Other data (not medical/health) that is collected and processed is based on the legal basis of a contractual relationship. The medical data, and other data collected during the report generation, will only be used for the following purposes:
1. Providing full functionality of our products and services, according to the contract between Bloom Diagnostics and their users. These include a fully personalized analysis and report of a measurement conducted with Bloom Diagnostics’ testing system (App, Lab, Test).
2. Incorporating improvements to our products and services and increasing user satisfaction using pseudonymized (= direct identifiers replaced to avoid identification) and aggregated data. Data is used for research to identify e.g. difficulties of app usage and users’ needs. Additionally, data can provide the basis for factual decision making when it comes to product improvement and help to eliminate bugs. Data can also help to personalize the user experience. If analytical insights shall be shared with 3rd parties, the data is truly anonymous (all identifiers removed, identification not possible) and cannot be traced back to any individual.
3. Contributing to public health benefits by providing institutions and other companies with fully anonymized data insights. Together with measurement results and demographics of the users, health states of social groups can be predicted, for example identifying trends in disease outbreaks, spreads or deficiencies. Research in that direction with the help of Bloom Diagnostics’ collected data can improve forecasting, early diagnosis and targeted treatment. Clusters and risk groups could be characterized and supported with preventive measures.
To withdraw consent from processing health(-related) data you have to delete your account. Since our products rely on your data input, we cannot provide this service without permission. Revoking consent is equivalent to deleting your account.
When using the Android Bloom App, it might ask for your location upon pairing with Bluetooth. This is a requirement from Android, when using Android 6 or 7. Bloom does not track or process your location.
3.6 Data Storage
The user’s data and the medical reports are stored in encrypted form on the device within the Bloom App and as encrypted, binary data on the AWS (Amazon Web Services) server - the decryption key for the data and the reports is stored in a secure form only in your App. Neither Bloom nor anyone else can decrypt data without permission and support of the user.
Some information (questionnaire data, test results and device information of a taken test retrieved from the App) will be stored within our analytic stream in a pseudonymized form, so that an individual user cannot be directly identified. It will be used for data analysis for Bloom directly in order to improve our products. This data will not be shared outside of Bloom directly but aggregated data reports might be shared truly anonymized.
Contact details and other information provided to us (incl. email and physical address) will be stored depending on the use case on one of the following to allow us easier and proper processing: G-suite, logistics partner, Hubspot (customer service software) and BMD (finance software).
We will hold your personal data for as long as it is necessary for each dedicated purpose to provide you with our services or otherwise as is required by law or any relevant regulatory body. Data will be deleted otherwise. Once your account is terminated or deactivated, we shall delete the personal data relating to your account. For security reasons a backup will still be available. This backup will be deleted after 2 months.
If a person that we process data of may die, and Bloom Diagnostics has been informed about their death with sufficient evidence, their personal data will be deleted, as long as not required otherwise by law.
4. Processing personal data that we receive through your use of our app, website or other services
4.1 Server logs
No personal information is required to use our website. However, our web server still records the data communicated to us by your internet browser (including the IP address of the requesting computer, together with the date, time, the request, which file is requested (name and URL), which amount of data is transmitted to you, a message indicating whether the request was successful, recognition data of the browser used and the operating system used, as well as the website from which the access was made (should access be via a link).
The processing is based on our legitimate interest to ensure system security, to technically administer the website, and to optimize service quality. The server logs are stored for a maximum of 12 months.
We use the providers listed below to process data about your use of our website in order to adapt it to your interests in the best possible way.
We use Google Analytics as our web analytic service to analyze our website, as well as within our Bloom App for analysis (Google Firebase). We use IP anonymization, so your IP address will be shortened beforehand by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Google will use this information on our behalf to evaluate your use of this website, to compile reports on our website activities and to provide us with other services related to website activity and internet usage. The IP address provided by Google Analytics as part of Google Analytics will not be merged with other Google data. You can prevent the storage of cookies by a corresponding setting of your browser software; however, we point out that in this case you may not be able to use all the functions of the websites in their entirety. Furthermore, you can prevent the collection by Google of the data generated by the cookies and related to your use of the website (including your anonymized IP address) as well as the processing of this data by Google by using the link below (http:///tools.google.com/dlpage/gaoptout?hl=en). Download and install the available browser plugin. Your browser settings for general cookie collection can also be changed individually within the settings. Please check your options for the following browsers: Chrome, Firefox, Safari, Internet Explorer.
Caution: we would like to inform all customers and users engaging in the Bloom App or on our website, that by currently consenting to cookies (other than essential cookies) your cookie information is shared to the US. A recent verdict of the European Court of Justice has decided that the data protection level in the US is not GDPR compliant and thus inadequate. By accepting these cookie transfers you do so at your own risk and acknowledge that the US might be able to gain access to your data and use it for surveillance, without informing you prior. You can always revoke this consent.
Caution: within the Bloom App we use Google Firebase, which incorporates Google Analytics. Google Firebase can currently not be removed from your App experience on an individual level. Thus when using our App there is a risk as described above. Alternatively, you can always delete your account in the Bloom App.
For more details about Google Analytics please visit: https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage
We also use third party pixels (such as Facebook) to measure purchase behavior on our website to improve your experience. The legal base for this is your consent. Note that you can revoke your consent at any time.
For more information and the ability to control your preferences, please visit:
4.4 Device information
When you visit our app or website we will automatically collect device-specific information, such as your hardware model, operating system version, unique device identifiers, browser type and where available your IP address. This information can not be used to identify you as an individual.
Additional information might be processed while aiding you when technical issues arise (debugging). This will only happen after you have contacted us, asked for help and consented to further data processing.
4.5 Product tracing
To comply with regulatory and quality management system requirements, we need to be able to track our devices (e.g. batch/serial number) when initially placed on the market. This is necessary to e.g. warn our customers when any issues may arise with the devices and to initiate a recall. Thus, when buying from Bloom Diagnostics directly, we will store your personal data (e.g. name, contact information) in combination with the delivered product identification number(s). We do this on the legal basis of a legal requirement.
5. Processing personal data with the involvement of third parties
Our Website and Apps may include links to websites of unrelated third parties. Such websites are governed by the privacy policies of those other websites which may be different from our policies. We have no control over them or liability for their collection or processing of data.
If we use contractors or data processors and they are asked to process data for us, we ensure their GDPR-compliance using adequate security and data processing agreements .
When choosing a software provider we are using GDPR-compliant systems and select that the storing and processing of personal data is done at european servers. Your data can be processed on one of the following systems, depending on the processing activities:
HubSpot Germany GmbH (Am Postbahnhof 17, 10243 Berlin, Germany); subsidiary of HubSpot, Inc. (25 First Street, 2nd Floor, Cambridge, MA 02141, United States): customer management and administration.
Amazon Web Services EMEA SARL (38 avenue John F. Kennedy, L-1855, Luxembourg); subsidiary of Amazon Web Services, Inc. (410 Terry Ave North, Seattle, WA 98109-5210, USA): report data storage (encrypted and pseudonymized) of app users.
Google Ireland Limited (Gordon House, Barrow Street 4, Dublin, Ireland); subsidiary of Alphabet Inc. (1600 Amphitheatre Parkway, Mountain View, California 94043, United States): data analysis (pseudonymous or anonymous only), incident monitoring.
BMD Systemhaus Steyr GesmbH (Sierninger Str. 190, 4400 Steyr, Austria): handling of financial transactions and management.
Shopify International Limited (Victoria Buildings, 2. Etage, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland); subsidiary of Shopify Inc. (151 O’Connor Street, Ground floor, Ottawa, ON K2P 2L8, Canada): webshop provider.
Thus a transmission to third countries is possible.
6. Your rights and additional information
You have the right to information about the stored data according to Art. 15 GDPR, to correct inaccurate data according to Art. 16 GDPR, to delete data according to Art. 17 GDPR, to restrict the processing of data according to Art. 18 GDPR, to data portability according to Art. 20 GDPR as well as opposition to the unreasonable data processing according to Art 21 GDPR. If you exercise one of your rights, we will aid in any reasonably possible way, to ensure those as quickly as possible. Bloom is also responsible to ensure that all data processors (e.g. Google Firebase) cohere to your request as well.
If processing takes place on the basis of a declaration of consent, you have the option of revoking it at any time without affecting the lawfulness of the processing carried out on the basis of the consent until the revocation.
You have the right to complain to the supervisory authority. in Austria the data protection authority is responsible:
Austrian Data Protection Authority
Barichgasse 40 - 42
Telephone: +43 1 52 152-0
Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter
Feldeggweg 1 | CH - 3003 Bern
Telefon: +41 (0)58 462 43 95 (Mo. bis Fr., 10.00 bis 12.00 Uhr)
The data that we request from you is only the data minimally necessary for each purpose. If data is not provided we are not able to provide the requested service(s).
Automated decision making including profiling does not happen. If we process your personal information for a purpose other than the one for which we collected this information, we will inform you of this fact and inform you of this other purpose, and if required, gather your consent, except when required by law otherwise
As our mother company is situated in Switzerland and our daughter company in Austria, your data can be processed in both countries. As Austria is situated in the EU we comply with the GDPR. The European Commission has determined with an adequacy decision based on article 45 of the Regulation (EU) 2016/679 that Switzerland has an adequate level of data protection and can therefore be seen as equally protective as the GDPR.