Privacy & Data Protection

PRIVACY & DATA PROTECTION

Children’s Data Is Sacred.

BloomBridge is designed with privacy-first principles from the ground up. Every architectural decision begins with the question: does this protect the child? Here’s exactly how we handle, store, and protect your school’s data.

Our Privacy Pledge

Encryption Everywhere

We encrypt all data at rest and in transit using industry-standard protocols.

No Third-Party Sharing

We never share children’s data with third parties. Ever. Not for advertising, not for analytics.

School Controls Data

Schools control data retention and deletion policies. You decide what stays and what goes.

DPDP & COPPA

We comply with India’s DPDP Act and align with COPPA principles for children’s data.

Audit Logs

We maintain comprehensive audit logs for accountability. Every access is tracked.

What Data BloomBridge Collects

Data Type Purpose Retention Period Who Can Access
Teacher observation notes Behavioral observations logged in plain language Until school requests deletion Teacher, Principal
Student age group Age categorization (3–6, 7–12, 13–18) Until student leaves school Teacher, Principal
Focus area categorizations AI-generated behavioral focus area identification 90 days post-intervention Teacher, Principal
Action plans Generated intervention plans with daily steps Until school requests deletion Teacher, Principal
Progress logs Teacher follow-up entries on intervention outcomes Until school requests deletion Teacher, Principal
Parent communication records Sent templates and communication history 12 months Teacher, Principal
Emergency alerts Triggered alerts for self-harm or aggression indicators 24 months (compliance requirement) Principal, Designated Safeguarding Lead

How We Protect Your Data

AES_256_REST

AES-256 Encryption at Rest

All stored data is encrypted with AES-256, the same standard used by banks and government agencies.

TLS_1_3_TRANSIT

TLS 1.3 for Data in Transit

All data transmitted between devices and servers uses TLS 1.3 encryption. No plaintext travel.

OAUTH_2_0_SSO

OAuth 2.0 with School SSO

Authentication through your school’s single sign-on system. No separate passwords to manage.

RBAC

Role-Based Access Control

Teachers see only their own cases. Principals see aggregated data. No cross-visibility without permission.

AUDIT_LOGGING

Comprehensive Audit Logging

Every data access, modification, and deletion is logged. Schools can request audit logs at any time.

PEN_TESTING

Regular Security Reviews

We conduct regular security reviews and penetration testing to identify and fix vulnerabilities proactively.

Regulatory Compliance

DPDP ACT · INDIA

DPDP Act (India)

Full compliance with the Digital Personal Data Protection Act, 2023. We are registered as a Data Fiduciary and process children’s data with explicit consent from schools. We do not track or profile children for behavioral advertising.

COPPA · ALIGNED

COPPA (Aligned)

Aligned with Children’s Online Privacy Protection Act principles. We do not collect more data than necessary, we provide parental access to data, and we maintain robust security standards appropriate for children’s data.

NEP 2020 · SUPPORTED

NEP 2020

Supports National Education Policy 2020 data and privacy guidelines for student wellbeing. Our reporting aligns with NEP 2020’s emphasis on holistic development and structured support.

School and Parent Rights

Right to Access

Schools can request all data stored about their students at any time. We provide a complete export within 7 days.

Right to Deletion

Schools can request permanent deletion of any student’s data. We process requests within 30 days.

Right to Export

Schools can export all data in standard formats (CSV, JSON) at any time. Your data is yours — always.

Right to Audit

Schools can request audit logs of all data access. We provide complete access logs for the requested period.

Data Flow Diagram

Teacher
Input
Input Layer
Encrypted
Transit
TLS 1.3
BloomBridge
AI Engine
Processing
Encrypted
Storage
AES-256
School
Dashboard
Output
Parent
Communication
Optional

Dashed arrows indicate encryption points. All data is encrypted at rest and in transit.

Questions about data privacy? Email us at hello@bloombridge.app.

Contact Our Team

Full Privacy Policy

01

Introduction

BloomBridge is a school psychological intervention app developed by Anagata IT Solutions. This Privacy Policy explains how we collect, use, store, and protect data within the BloomBridge platform. We believe children’s data is sacred, and this policy reflects our privacy-first design philosophy. By using BloomBridge, schools agree to the practices described in this policy.

02

Data Collection

BloomBridge collects the following categories of data:

  • Teacher observation notes: Behavioral observations logged by teachers in plain language.
  • Student age group: Age categorization (3–6, 7–12, 13–18) for age-appropriate intervention calibration.
  • Focus area categorizations: AI-generated behavioral focus areas with confidence scores.
  • Action plans: Generated weekly intervention plans with daily classroom steps.
  • Progress logs: Teacher follow-up entries on intervention outcomes.
  • Parent communication records: Sent templates and communication history.
  • Emergency alerts: Triggered alerts when observations include indicators of self-harm, aggression, or immediate danger.

We do not collect: student names (we use initials), student photos, biometric data, location data, browsing history, or any data unrelated to behavioral observation and intervention.

03

Data Use

Data collected through BloomBridge is used exclusively for:

  • Generating structured action plans for teachers.
  • Tracking intervention progress and outcomes.
  • Providing aggregated, anonymized reporting to school management.
  • Triggering emergency alerts when safety indicators are detected.
  • Improving the AI categorization model (using anonymized, aggregated data only).

We do not use children’s data for advertising, marketing, profiling, or selling to third parties. Ever.

04

Data Storage & Encryption

All data is stored on encrypted servers with the following security measures:

  • AES-256 encryption for all data at rest.
  • TLS 1.3 encryption for all data in transit.
  • OAuth 2.0 authentication with school single sign-on (SSO).
  • Role-based access control (RBAC): Teachers see only their own cases. Principals see aggregated data. No cross-visibility without explicit permission.

Servers are hosted in India to comply with DPDP Act data localization requirements. Data is backed up daily with encrypted backups stored in geographically separated facilities.

05

Data Sharing

BloomBridge does not share children’s data with third parties. This is a non-negotiable principle. We do not sell data. We do not share data with advertisers. We do not share data with analytics providers. We do not share data with any external organization unless legally required by a court order or government mandate, in which case we will notify the school before compliance (unless legally prohibited from doing so).

06

Data Retention

Data retention periods are as follows:

  • Teacher observation notes: Until school requests deletion.
  • Focus area categorizations: 90 days post-intervention.
  • Action plans: Until school requests deletion.
  • Progress logs: Until school requests deletion.
  • Parent communication records: 12 months.
  • Emergency alerts: 24 months (compliance requirement under DPDP Act).

Schools can request deletion of any data at any time. We process deletion requests within 30 days.

07

User Rights

Schools and parents have the following rights regarding their data:

  • Right to Access: Request all data stored about their students.
  • Right to Deletion: Request permanent deletion of any student’s data.
  • Right to Export: Export all data in standard formats (CSV, JSON).
  • Right to Audit: Request audit logs of all data access for a specified period.

To exercise these rights, contact hello@bloombridge.app. We respond to all requests within 7 days.

08

Children’s Data Specific Protections

As a platform handling children’s behavioral data, we apply additional protections:

  • We do not collect student full names — only initials are used.
  • We do not collect biometric data, photos, or location data.
  • We do not track children’s behavior across other apps or websites.
  • We do not use children’s data for behavioral advertising or profiling.
  • AI categorization uses only the observation text provided by the teacher — no external data sources.
  • All AI processing happens on secure servers. No data is sent to third-party AI APIs.
09

DPDP Act Compliance

BloomBridge is fully compliant with the Digital Personal Data Protection Act, 2023 (DPDP Act) of India:

  • We are registered as a Data Fiduciary under the DPDP Act.
  • We process children’s data with explicit consent from schools (verifiable parental consent for children under 18).
  • We do not track, target, or profile children for behavioral advertising.
  • We comply with data localization requirements — all data is stored in India.
  • We provide the rights to access, correction, erasure, and grievance redressal as required by the DPDP Act.
10

Data Breach Response

In the unlikely event of a data breach, we follow this protocol:

  • Immediate containment: Affected systems are isolated within 1 hour of detection.
  • Assessment: Our security team assesses the scope and impact within 24 hours.
  • Notification: Affected schools are notified within 72 hours of breach confirmation, as required by the DPDP Act.
  • Remediation: Vulnerabilities are patched, and affected data is restored from encrypted backups.
  • Post-incident review: A detailed report is shared with affected schools within 30 days.
11

Contact Information

For any questions, concerns, or requests related to this Privacy Policy:

Last Updated: July 2, 2026