Privacy policy

Your privacy matters to us. Learn how we collect, use, and protect your personal information.

Version: 1.0
Effective date: 01.03.2026
Last updated: 01.03.2026

This Privacy Policy explains how Clownfish Web Artur Cichosz, a sole entrepreneur (JDG) registered in Poland, processes personal data in connection with the BloomLightly SaaS platform (the "Service").

1. Data Controller and Contact Details

1.1. Controller: Clownfish Web Artur Cichosz, Blacharska 32/2B, 53-206 Wrocław, Poland, NIP: 8992691252, VAT UE: PL8992691252.
1.2. Contact email for privacy matters: support@bloomlightly.com.
1.3. Unless explicitly stated otherwise, this entity is the data controller within the meaning of Article 4(7) GDPR.

2. Scope of this Policy

2.1. This Policy applies to personal data processed through:
(a) user accounts and authentication;
(b) subscription and billing flows (including Stripe-hosted checkout and customer portal);
(c) farm operations features (tasks, logs, reports, integrations, webhooks);
(d) optional camera snapshot webhooks and related security metadata;
(e) multi-tenant collaboration features (farm staff roles, invitations, membership management, and role-permission enforcement);
(f) support and compliance communications; and
(g) security and anti-abuse controls.
2.2. This Policy applies to users in the EU/EEA and UK. Where local mandatory laws provide additional rights, those rights remain unaffected.

3. Categories of Personal Data

3.1. Identification and account data: name, email, account ID, organization/farm information, role, language and timezone settings.
3.2. Authentication and security data: login metadata, token/session metadata, password hash (if applicable), IP addresses, device/browser metadata, security logs, API and webhook security events.
3.3. Operational data that may contain personal data: farm activity logs, planning and work records, user-generated notes, environment and production records, audit trails.
3.4. Billing and contract data: plan, subscription status, billing country, VAT ID (if provided), invoice metadata, Stripe customer and subscription IDs, payment status.
3.5. Support and legal data: support requests, incident reports, complaint correspondence, records needed to establish or defend legal claims.
3.6. Camera Snapshot Data (if feature enabled): still images, camera/webhook identifiers, timestamps, technical headers, source IP, and webhook security events.
3.7. Collaboration/membership data: farm invitation records (token metadata, invited email, inviter identity, role key, invite status and expiry), farm membership status, role/permission assignments, and related audit logs.
3.8. Analytics and optimization inputs: telemetry streams, production-flow records, quality ratings, and outcome metadata used to generate optimization insights and generalized recipe intelligence.
3.9. We do not store full payment card numbers in our systems. Card details are processed by Stripe-hosted payment components.

4. Sources of Personal Data

4.1. Directly from you (registration, profile settings, support requests, billing data).
4.2. From your organization administrators and authorized users.
4.3. Automatically from your use of the Service (logs, telemetry, security events).
4.4. From third-party providers used to deliver the Service (e.g., Stripe and hosting/email vendors).

5. Purposes of Processing and Legal Bases (GDPR Article 6)

5.1. Contract performance (Art. 6(1)(b) GDPR), including:
(a) account creation and access management;
(b) operation of farm management workflows and API features;
(c) subscription handling and service delivery;
(d) customer support and service communications.

5.2. Legal obligations (Art. 6(1)(c) GDPR), including:
(a) accounting, tax and bookkeeping obligations under Polish law;
(b) handling lawful requests from public authorities;
(c) mandatory incident and compliance recordkeeping.

5.3. Legitimate interests (Art. 6(1)(f) GDPR), including:
(a) service security, fraud prevention, abuse detection and platform integrity;
(b) prevention of plan circumvention (including consistency checks between declared and observed usage patterns);
(c) product analytics and reliability improvements;
(d) establishment, exercise or defense of legal claims.

5.4. Consent (Art. 6(1)(a) GDPR), where required, including non-essential communications/cookies. Consent may be withdrawn at any time without affecting prior lawful processing.
5.5. For camera snapshot features, the lawful basis for image capture content is generally determined by the customer/controller. We process such data on behalf of the customer under documented instructions where applicable.
5.6. For collaboration and farm staff features, we process invite, membership, and role-permission data to enable secure tenant-scoped access management, authenticate authorized users, and maintain action traceability (Art. 6(1)(b) and Art. 6(1)(f) GDPR).
5.7. We process telemetry and production-quality data to generate customer-facing AI optimization suggestions as part of service functionality (Art. 6(1)(b) GDPR and/or Art. 6(1)(f) GDPR).
5.8. We process operational datasets for analytics, model improvement, and derivation of anonymized/aggregated community or public optimization outputs (Art. 6(1)(f) GDPR before anonymization). After irreversible anonymization, resulting datasets are no longer personal data under GDPR.

6. Anti-Abuse and Plan Circumvention Controls

6.1. To protect platform integrity and fair billing, we may process technical and operational signals to detect suspected misuse, including unauthorized access attempts, API abuse, and potential under-reporting of usage metrics.
6.2. For free-tier eligibility enforcement, we may compare declared inputs (e.g., tray size or growing area) against other operational indicators (e.g., water, substrate, seed, task, and telemetry patterns) and flag anomalies for review.
6.3. Such checks are based on legitimate interest (Art. 6(1)(f) GDPR) and include reasonable safeguards: human review before material adverse action, data minimization, and logging of decisions.
6.4. We may also monitor tenant-boundary and permission-abuse signals (e.g., suspicious cross-farm access attempts, invitation token abuse, anomalous privilege changes) to secure customer data and prevent unauthorized third-party access.
6.5. Where processing is based on legitimate interests, we apply balancing safeguards, role-limited access, and data minimization, and we support the right to object under Art. 21 GDPR as applicable.

7. Controller/Processor Role Split

7.1. We act as an independent controller for account, security, billing, and business administration data.
7.2. Where users input personal data about their own staff or third parties, we may act as a processor on documented instructions of the customer organization, subject to separate data processing terms.
7.3. For camera snapshot deployments, the customer organization is responsible for determining camera purposes, capture scope, retention settings, and required transparency obligations under GDPR/local law.
7.4. For farm collaboration features, the customer organization is responsible for deciding which third-party users are invited, what role/permissions they receive, and when access must be changed or revoked.

8. Recipients and Subprocessors

8.1. Personal data may be disclosed to service providers strictly as needed for service delivery, including hosting, infrastructure, email delivery, monitoring, and payment processing.
8.2. Stripe is used for payment processing and may act as an independent controller and/or processor depending on the processing context.
8.3. Within a farm workspace, data may be accessible to owner/staff users according to customer-configured roles and permissions.
8.4. Data may also be disclosed to professional advisors, auditors, insurers, and authorities where required by law or to defend legal claims.
8.5. We may publish or share anonymized and aggregated analytics outputs (including generalized recipes, benchmarks, and optimization insights) that do not identify individuals or specific customer operations.
8.6. We may use Google Analytics provided by Google Ireland Limited to analyze usage of the Service and improve functionality. Analytics processing occurs only where a valid legal basis exists, typically user consent for non-essential cookies.
8.7. A current list of subprocessors is available at: bloomlightly.com/legal/subprocessors

9. International Data Transfers

9.1. If personal data is transferred outside the EEA/UK, we apply safeguards required by Chapter V GDPR, such as:
(a) an adequacy decision (Art. 45 GDPR);
(b) Standard Contractual Clauses (Art. 46 GDPR); and/or
(c) supplementary technical/organizational safeguards where necessary.

10. Data Retention

10.1. We retain personal data only as long as necessary for the purposes listed in this Policy, including legal, tax, accounting, and claim-defense obligations.
10.2. Typical retention logic:
(a) account and contract data: for account duration plus limitation periods;
(b) billing/tax records: for periods required by applicable Polish tax/accounting law;
(c) security logs and incident records: proportionate periods needed for security and compliance;
(d) backup copies: rolling retention windows with secure deletion/overwriting;
(e) collaboration and invitation logs: for the period necessary to maintain access integrity, incident traceability, and legal defense;
(f) camera snapshot records: minimal retention by design (latest snapshot model and/or configured retention controls, depending on enabled feature settings); and
(g) pre-anonymization analytics datasets: only for the period needed to compute and validate anonymized outputs and service-improvement models.

10.3. Where retention is no longer required, data is deleted or irreversibly anonymized.

11. Data Subject Rights

11.1. Subject to GDPR conditions, you have rights to:
(a) access (Art. 15 GDPR);
(b) rectification (Art. 16 GDPR);
(c) erasure (Art. 17 GDPR);
(d) restriction (Art. 18 GDPR);
(e) portability (Art. 20 GDPR);
(f) objection (Art. 21 GDPR), including objection to processing based on legitimate interests;
(g) not be subject to solely automated decisions producing legal or similarly significant effects (Art. 22 GDPR), where applicable.

11.2. You may exercise rights by contacting support@bloomlightly.com. We may verify identity before fulfilling requests.
11.3. You have the right to lodge a complaint with a supervisory authority, including the Polish President of the Personal Data Protection Office (Prezes UODO).

12. Security Measures

12.1. We implement appropriate technical and organizational measures under Art. 32 GDPR, including access controls, encryption in transit, credential security, logging, backup procedures, and least-privilege administration.
12.2. For camera webhook endpoints, security controls may include HTTPS enforcement, secret-based authentication, optional HMAC/timestamp validation, replay-window checks, rate limiting, input size/pixel limits, and metadata stripping/re-encoding controls.
12.3. For analytics and model-improvement pipelines, we apply technical and organizational measures aimed at reducing re-identification risk (including aggregation thresholds, minimization, access controls, and separation of identifiers from analytical features).
12.4. No method of transmission or storage is fully risk-free; however, we continuously improve controls proportionate to risk.

13. Personal Data Breaches

13.1. We maintain an incident response procedure.
13.2. Where required, we notify the competent supervisory authority without undue delay and, where feasible, within 72 hours (Art. 33 GDPR).
13.3. If a breach is likely to result in high risk to individuals, we notify affected data subjects without undue delay (Art. 34 GDPR).

14. Cookies and Similar Technologies

14.1. Essential technologies required for login, session security, and core functionality are processed on necessity grounds.
14.2. Non-essential analytics/marketing technologies are used only where a valid legal basis applies (typically consent), in line with GDPR and applicable ePrivacy rules (Directive 2002/58/EC, as implemented nationally).

15. Children

15.1. The Service is intended for professional/business use and is not directed to children.
15.2. If we learn that personal data was provided by a child without the required legal basis, we will delete it or otherwise restrict processing as required by law.

16. Changes to this Policy

16.1. We may update this Policy to reflect legal, technical, or business changes.
16.2. Material changes will be communicated through the Service and/or by email where appropriate.
16.3. The current version will always be available at bloomlightly.com/legal/privacy.
16.4. Current camera-specific security guidance is available at bloomlightly.com/legal/camera-user-guidance and bloomlightly.com/legal/camera-security-whitepaper.
16.5. Recommended controller compliance templates for camera deployments are available at bloomlightly.com/legal/camera-dpia-and-signage-template-for-eu, and controller-processor camera instructions are available at bloomlightly.com/legal/dpa-annex-camera-snapshot-processing-instructions.
16.6. Current collaboration and third-party access governance requirements are available at bloomlightly.com/legal/access-governance-policy.
16.7. A short Legitimate Interest Assessment for analytics/AI optimization processing is available at bloomlightly.com/legal/legitimate-interest-assessment.

16A. Automated Analysis and AI-Assisted Suggestions

16A.1. We may use statistical and machine-assisted analysis of operational data to provide optimization suggestions within the Service.
16A.2. These suggestions support user decision-making and are not intended to produce solely automated decisions with legal or similarly significant effects on individuals under Art. 22 GDPR.
16A.3. We may derive anonymized and aggregated models, recipes, and benchmarks for broader community/public benefit, provided outputs are designed to avoid identification of individuals or specific customer operations.

17. Applicable Legal Framework (non-exhaustive)

17.1. Regulation (EU) 2016/679 (GDPR).
17.2. Directive 2002/58/EC (ePrivacy Directive), as implemented in national law.
17.3. Polish Act of 10 May 2018 on the Protection of Personal Data.
17.4. Applicable Polish tax/accounting laws for statutory retention obligations.

18. Contact

For any privacy, data protection, or rights request, contact: office@bloomlightly.com.