Privacy Policy
Last updated May 19, 2026
This site is operated by Bloombilt LLC, a Minnesota limited liability company. We've kept this short and in plain language. If anything's unclear, email [email protected].
Who we are
Bloombilt LLC. Minnesota LLC, file #1647899600022. Registered agent: Northwest Registered Agent, Owatonna, MN. For all privacy questions: [email protected].
What we collect from site visitors
This section covers visitors to bloombilt.com. If your business uses one of our products, we also process data on your behalf. That's covered separately under Customer product data below.
Information you send us. When you fill in the contact form or email [email protected], we receive the name, email address, and message you submit. We use this to reply to you and to manage the engagement if you become a client.
Aggregate analytics. We use Cloudflare Web Analytics to count page views and referrers in aggregate. It does not set cookies, does not fingerprint browsers, and does not collect IP addresses we can tie back to you.
Server logs. Cloudflare keeps standard request logs (IP, user agent, timestamp) for a short window for security and abuse prevention. We don't combine these with any other data.
What we don't collect. No advertising cookies, no third-party tracking, no pixel tags, no session recording, no behavioral profiling.
How we use it
- To reply to your enquiries and run the engagement if you hire us
- To improve the site (aggregate analytics only)
- To meet legal and tax obligations
We don't sell your data. We don't share it for advertising.
Who processes site-visitor data for us
We use a small number of vendors for the site itself. Each one is contractually bound to handle data per our instructions. (For the vendors involved in delivering our products to customers, see Customer product data below.)
- Cloudflare: hosting, CDN, DNS, analytics, edge security
- Resend: sending and receiving transactional email on bloombilt.com
- GitHub: code repository (not visitor data)
Customer product data
If your business uses one of our products, we process data on your behalf as part of running it. This is separate from the site-visitor data above and is governed by our service agreement with you.
What we process. Lead data captured by the AI intake (caller name, callback number, address, and the nature of the request), call recordings and transcripts where applicable, and content you provide for your website (logos, photos, copy, team information).
Protection. Encrypted in transit (TLS 1.2 or better) and at rest, isolated from every other customer, and protected with reasonable administrative, technical, and physical safeguards.
No AI training. We don't use your lead data, call recordings, transcripts, or content to train AI or machine-learning models. The third-party AI services we use to deliver our products have confirmed they don't either.
Subprocessors. In addition to the site-visitor vendors above, we use third-party services for telephony, AI inference, hosting, error monitoring, and email delivery to run our products. A current list of those subprocessors and the data each one processes is available on request, and we give customers reasonable notice before adding or replacing a material subprocessor.
Sensitive data. Our products aren't designed for health, biometric, financial-account, or government-identification data, and customers agree not to submit it through the AI services.
After an engagement ends. Customers can export their lead data as a CSV on request. We then delete it after a short retention window so there's time to migrate, except for routine backups that we don't access for any other purpose.
Legal basis (for visitors in the EU/UK)
- Contact form submissions: processing is necessary to respond to your request and, if you become a client, to perform the contract.
- Aggregate analytics: our legitimate interest in understanding how the site is used. The provider is cookieless, so no consent banner is required.
- Server logs: legitimate interest in operating the site securely.
How long we keep it
- Contact form submissions: as long as needed to reply, then up to 24 months for follow-up
- Active client correspondence: for the duration of the engagement plus 7 years for tax records
- Server logs: 30 days at Cloudflare's default
- Aggregate analytics: retained at Cloudflare's defaults, not tied to individuals
Your rights
If you're in the EU, UK, or California, you have the right to access, correct, delete, or export the data we hold about you, and to object to how we process it. Email [email protected] and we'll respond within 30 days. You can also complain to your local data protection authority.
Children
The site isn't directed at children under 16, and we don't knowingly collect data from them. If you think we have, email us and we'll delete it.
International transfers
Cloudflare and Resend operate globally. Data may be processed in the United States or other jurisdictions. Where applicable, transfers from the EU/UK are covered by Standard Contractual Clauses.
Changes
We'll update the "Last updated" date at the top when we change this policy. Material changes get a notice on the site.