BLOOM⁴³ App Privacy Policy
Introduction
This Privacy Policy explains how Plexāā Ltd. (“we”, “us”, or “our”) collects, uses, and protects your personal information when you use our mobile application (the “BLOOM⁴³ app”). This policy also applies to customers who use the e-commerce functionality available within the BLOOM⁴³ app to purchase products from our US subsidiary, Plexāā Inc.
Who is responsible for your personal data?
We are Plexāā, a trading name of Plexāā Ltd, a company with number 11798195 and registered office at 20-22 Wenlock Road, London, Greater London N1 7GU, United Kingdom.
Plexāā is the controller of your personal data. You can contact us at:
Email: support@plexāā.com
Address: 20-22 Wenlock Road, London, Greater London N1 7GU, United Kingdom
Our Data Protection Officer (DPO) contact details are provided below.
We may use your personal data to:
enable you to access the BLOOM⁴³ app and website (the “app”);
provide you with health information and support in connection with your breast surgery experience;
enable you to log information within your ‘My Health Hub’ on the app;
allow you to participate in our community on the app;
allow you to purchase our product and services on the app;
generate anonymised statistics to share with others for the purposes of research; and
send you information about the app, our company, and the development of the app.
The above is an overview of how your personal data may be processed and is by no means exhaustive – please see below for information on how specific types of personal data are collected, processed, and shared.
Personal data we collect
We collect only the minimum amount of personal data necessary to provide and improve our services. We collect the following categories of personal information from users.
We collect personal data about you in a number of different ways, including:
Information you share with us through our website or BLOOM⁴³ app, by email or phone, or otherwise.
Information within communications from you (such as emails and live chats) and information about how you have engaged with email communications that we have sent you.
The personal data that we process about you will mainly fall into one of the following categories:
When you use the e-commerce feature within the BLOOM⁴³ app, the personal data that we process about you will also fall into one of the following categories:
How and why we use your personal data
We process your personal data for the following purposes and under the corresponding legal bases, in compliance with applicable data protection laws such as the General Data Protection Regulation (GDPR):
1. To provide and manage our products and services:
Creating and managing your user account
Processing and fulfilling your e-commerce orders (including shipping and delivery)
Managing deposits, coordinating returns, and issuing refunds
Legal basis: Performance of a contract (Article 6(1)(b) GDPR)
2. To improve our app and services:
Analyzing usage patterns to enhance functionality and user experience
Legal basis: Legitimate interests (Article 6(1)(f) GDPR)
3. To communicate with you:
Sending updates, order confirmations, and responding to customer service queries
Legal basis: Performance of a contract or legitimate interests (Article 6(1)(b) or (f) GDPR)
4. To comply with legal obligations:
Regulatory requirements related to the sale of medical products
Fraud prevention, accounting, and record-keeping
Legal basis: Compliance with a legal obligation (Article 6(1)(c) GDPR)
5. To ensure proper delivery and compliance in relation to medical products:
Using the surgery date to ensure timely delivery
Recording your self-certification of a valid prescription
Collecting healthcare provider details (doctor's name, email, and hospital)
Legal basis: Consent (Article 6(1)(a) GDPR)
6. To provide optional features or marketing communications:
Sending newsletters or promotional updates (if you opt in)
Legal basis: Consent (Article 6(1)(a) GDPR)
Below, we have tried to provide you with as much information as we possibly can to explain how your personal data may be used.
How is your data processed to enable you to access the app?
Data collected directly from you
We obtain the following personal data directly from you:
your full name;
your display name;
a valid email address;
your phone number*;
your date of birth;
your ethnic origin;
your sex assigned at birth; and
your country of residence.
We refer to this information as the “access data”.
*Phone Number Usage: We collect your mobile number solely for the purpose of providing two-factor authentication to secure your account. Your mobile number will not be used for any other purpose or shared with third parties. This information is stored securely and is only used to help verify your identity and protect your account. By providing your mobile number, you consent to its use for this purpose only.
How long is access data kept for?
We retain your access data for up to 7 years after the date on which your membership account is closed, unless you request deletion earlier under your CCPA rights, subject to legal exceptions.
How do we use your access data?
We use your access data to log you in to the app and to verify that you are a real person. Our legal basis for processing this data is contractual necessity. Without this processing we wouldn’t be able to authorise you to access and use the app.
How is your data processed to provide health information and support?
Where do we obtain your health data from?
When you first register for the app and at various points after that, we will ask you to provide health data and complete questionnaires about your surgery and medical history. This includes questions about your symptoms, surgery procedure, breast cancer treatments, and health background. You can update your answers at any time via the app. You also have the option of uploading personal images and clinical documents for your personal use only which are protected by iOS/Android biometric authentication. We refer to this personal data above as “health data”.
Sensitive Personal Information
Some of the personal data we collect, including details about your health, medical history, and ethnicity, is classified as Sensitive Personal Information under applicable privacy laws, including the California Consumer Privacy Act (CCPA). We collect and process this information solely for the purpose of providing you with personalised health information, tracking symptoms, and improving our services.
We do not use or disclose Sensitive Personal Information for any purposes beyond what is necessary to operate the app, provide support, and comply with legal obligations. Our legal basis for processing this data is your explicit consent, which you can withdraw at any time by contacting us or deleting the app.
How long is your health data kept for?
We retain all your health data for up to 7 years after the date on which your membership account is closed, after which it will either be deleted or anonymized, unless you request deletion earlier under your CCPA rights, subject to legal exceptions.
How do we use your health data?
We use your health data to provide you with tailored health information and support, and so that it can be used in the generation of your symptoms tracker report.
Our legal basis for processing this data is your consent, which you can withdraw at any time by notifying us using the contact details contained in the “Your rights and how to exercise them” section below, and deleting the app. As the data involved relates to your health, we shall ensure that any such consent obtained is explicit consent.
Please note that without your consent to do this, we will be unable to offer you access to the app. This is because your health data is necessary for us to provide the support and information.
How is your data processed to allow you to participate in our community?
Where do we obtain your community data from?
Once you have registered to use the app, you may choose to engage in group conversations, propose new discussion topics, and join live sessions with expert speakers. By engaging with our community, you agree to share your username with other members of the community on the app. We refer to this personal data below as “community data”.
How long is your community data kept for?
We retain all your community data for up to 7 years after the date on which your membership account is closed, after which it will either be deleted or anonymized, unless you request deletion earlier under your CCPA rights, subject to legal exceptions.
How do we use your community data?
We store your community data on the app and will display the community data that you have chosen to share with others with other members of the community.
Our legal basis for processing this data is your consent, which you can withdraw at any time by notifying us using the contact details contained in the “Your rights and how to exercise them” section below, and deleting the app. By sharing within the community you are making your shared health data public.
How is your data processed to allow anonymised statistics to be shared with others?
We also use your health data and in-app questionnaire data to generate anonymous statistics that may then be used by us and shared with third parties for research purposes. This means that your health data and in-app questionnaire data may be used to generate statistics, but you won’t be identifiable from that data. Our legal basis for processing this data is consent, which you can withdraw at any time by notifying us using the contact details contained in the “Your rights and how to exercise them” section below, and deleting the app. As the data involved relates to your health, we shall ensure that any such consent obtained is explicit consent.
How is your data processed to enable us to send you information about the app, our company, and the development of the app?
We will use your access data (see the “How is your data processed to enable you to access the app” section above for more details as to what this data is) to contact you and provide you with information about our activities and developments and improvements to the app. We do so on the basis of our legitimate interests in keeping you up-to-date with changes in our business and products. In doing so, we will offer you an opportunity to refuse marketing when your details are first collected and in subsequent messages.
How Is Your Data Processed When You Purchase Through Our E-Commerce?
When you use the e-commerce functionality available in our BLOOM⁴³ app, your order is processed by our US subsidiary, Plexāā Inc. The data you provide during the purchase process is collected and processed solely to:
Allow you to place and complete an order, including delivery logistics and customer service.
Ensure the correct timing of delivery based on your indicated surgery date.
Verify that you are eligible to receive the product by requiring a self-certification that you have a valid prescription.
Facilitate payment, including the collection of a refundable deposit, and the processing of bank account information to issue the deposit refund after the product is returned.
Your information, including sensitive data (such as address details and financial information), is handled securely and only shared with third parties (e.g., payment providers, shipping partners) as necessary to fulfill the transaction. Plexāā Inc. does not sell your personal data, and your information is stored only for the duration needed to meet legal, regulatory, and operational requirements.
Sharing and transferring your personal data
Data Selling and Sharing
We do not sell personal data for monetary compensation. However, we may share certain data with third parties for purposes such as research, analytics, or advertising, in line with applicable laws and privacy regulations.
All third-party service providers must comply with strict contractual obligations that limit their use of personal data to our specified purposes, in compliance with the CCPA and CPRA.
For California residents, under the CCPA and CPRA, you have the right to opt out of any sharing of your personal information for targeted advertising or analytics purposes. If you wish to opt out, please contact us at support@Plexāā.com.
We ensure that any data shared with third parties is either anonymised or subject to strict contractual agreements to protect your privacy.
Sharing within Plexāā
Most of Plexāā’s processes, procedures and systems are shared across Plexāā Ltd and its subsidiaries, which means that we need to share your personal data between us. We make sure that access to your personal data is limited to those of our staff who need it, and that all staff understand how and why we protect your personal data.
Sharing with third parties
We share your personal data with certain third-party service providers. They only have access to the personal data they need to perform those services. For example, your order and delivery details will be shared with the designated courier. They are required to keep your personal data confidential, must not use it other than as instructed by us and must always act in accordance with data protection law.
The third parties providing services fall into the following categories:
Our service providers, for instance the companies that manage our IT infrastructure, companies that provide us with cloud-based IT systems and our external advisors, for instance, IT consultants, accountants, and lawyers;
Distributors, who help us to sell and deliver our products to you;
Payment processors and banking partners to manage order payments and deposit refunds;
Our regulators, law enforcement, intelligence services and other government authorities, where they require us to do so;
Potential buyers of or investors in our business where necessary in connection with a due diligence exercise.
Your personal data will only be shared for the purposes previously described with those parties that have entered into legally binding contracts that contain obligations that protect the security of your data.
Transfers, storage and the global handling of your personal data
The relevant Plexāā company will collect personal data from you in the country in which you live. We, and those third parties that we share your personal data with, then host, store and otherwise handle that information in the UK, in the countries within the European Economic
In some circumstances the third parties who assist us in providing the services (suppliers) may transfer personal data outside the EEA. We will make sure that any transfers of your personal data from one country to another comply with the GDPR and the data protection and privacy laws which apply to us.
European data protection laws, in particular, include specific rules on transferring personal data outside the EEA. When transferring personal data outside the EEA, we will:
include standard data protection clauses approved by the European Commission for transferring personal data outside the EEA into our contracts with those third parties; or
ensure that the country in which your personal data will be handled has been deemed "adequate" by the European Commission.
In any case, our transfer, storage and handling of your personal data will continue to be governed by this privacy notice.
Plexāā declares that data have been and will be collected and processed in accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
Your control and choices
The law gives you certain rights in respect of the personal data that we hold about you. Below is a short overview of those rights (for more information about the rights you have in respect of your personal data please visit the Information Commissioner’s Office website: www.ico.org.uk).
Access – You can request a copy of the personal data we hold about you.
Correction – You can ask us to correct any inaccurate or incomplete data.
Deletion – You can request deletion of your data in certain cases (e.g., if it's no longer needed), unless we are legally required to keep it.
Objection – You can object to our processing when we rely on "legitimate interests," though we may continue if we have strong reasons.
Marketing Opt-Out – You can ask us to stop sending marketing messages at any time, usually via the “unsubscribe” link in our emails.
Restriction – You can ask us to pause how we use your data in certain situations (e.g., if you’ve challenged its accuracy).
Withdraw Consent – If we’re processing your data based on consent, you can withdraw it at any time. This may affect your ability to use some features.
To exercise any of your rights, you can:
email us at support@Plexāā.com; or
write to us at 20-22 Wenlock Road, London, Greater London N1 7GU, United Kingdom.
You may also contact our Data Protection Officer:
Dr. Phil Griffiths
Email: sar@thedpo.co.uk
Please note that in order to protect your privacy, we may ask you to prove your identity before we take any steps in response to a request you have made.
Plexāā shall endeavour to respond to any requests with regard to the rights of data subjects without undue delay but in any event within one calendar month.
We treat the protection of your personal data with the utmost importance, but if you have cause to complain, we would always ask that you contact us first so we can attempt to resolve the matter for you. However, you also have the right to lodge a complaint about our handling of your personal data with the Information Commissioner’s Office. You can contact them on 0303 123 1113 or via their website: www.ico.org.uk/make-a-complaint.
California Residents’ Rights (CCPA & CPRA)
If you are a California resident, you have specific rights regarding your personal data under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). These include:
Right to Know: You can request details about the personal data we collect, use, disclose, or sell.
Right to Delete: You can request deletion of your personal data, subject to certain legal exceptions.
Right to Opt-Out of Sale or Sharing: We do not sell or share your personal data for monetary gain. However, if we share certain information for targeted advertising, you may opt out by emailing us at support@Plexāā.com.
Right to Correct: If your personal data is inaccurate, you have the right to request a correction.
Right to Limit Use of Sensitive Data: If we collect sensitive personal data (such as health data), you can request restrictions on its use.
Non-Discrimination: Exercising your privacy rights will not result in any unfair treatment or discrimination.
How to Exercise Your California Privacy Rights: You may submit a request by:
Emailing us at support@Plexāā.com.
Writing to us at:
Plexāā Ltd
20-22 Wenlock Road, London, Greater London N1 7GU, United Kingdom
We will verify your request by matching information you provide with the data in our records. If we cannot verify your identity, we may deny your request.
For more information about your privacy rights under California law, visit the California Attorney General’s website at www.oag.ca.gov/privacy/ccpa.
Do Not Track and Global Privacy Control
Some web browsers and devices allow you to send a Do Not Track (DNT) signal or use Global Privacy Control (GPC) to indicate your privacy preferences. Currently, there is no universally accepted standard for recognising and responding to these signals. As a result, we do not respond to DNT or GPC signals at this time.
However, we respect your privacy choices and provide other ways for you to control the collection and use of your data. You can manage your privacy settings within the app, opt out of marketing communications, and exercise your rights under applicable privacy laws as described in the "California Residents' Rights" and "How to Exercise Your California Privacy Rights" sections.
Additional information for transparency
Data retention: We retain personal data only as long as necessary to fulfill the purposes we collected it for, including satisfying any legal, accounting, or reporting requirements. Where possible, we define specific retention periods based on the type of data.
Your rights: You have the right to request access to your personal data, request correction or deletion, restrict processing, object to processing, and request data portability.
Withdrawing consent: If we rely on your consent to process personal data, you may withdraw it at any time. This does not affect the lawfulness of any processing carried out before your withdrawal.
Supervisory authority: You have the right to lodge a complaint with a data protection authority if you believe your data is not being handled in accordance with the law.
Automated decision-making: We do not use your personal data for automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you.
Further processing: If we intend to use your personal data for a purpose other than that for which it was collected, we will inform you before that processing takes place.
How we protect your data
We implement industry-standard security measures to protect your personal data. All communications between the app and our servers are encrypted using SSL (Secure Sockets Layer) to ensure the secure transmission of personally identifiable data. Additionally, personal data is securely stored in a PostgreSQL database operated by Heroku. Heroku's infrastructure complies with recognised industry security standards and certifications. For more information, please refer to Heroku’s Security Policy: https://www.heroku.com/policy/security.
In the unlikely event that we do suffer a security breach which compromises our protection of your personal data and we need to let you know about it, we will do so.
Changes to this privacy notice
We may change this privacy policy at any time. Where we make significant changes, for instance where we use your personal data for materially different purposes, we will email you to let you know. If there are any changes to the purpose for which we collect or use personal data, we will update this Privacy Policy accordingly and, where required by law, obtain your renewed consent before processing your data for the new purpose.
Contact
You may contact us by:
Emailing us at support@Plexāā.com
Writing to us at:
Plexāā Ltd, 20-22 Wenlock Road, London, Greater London N1 7GU, United Kingdom
You may also contact our Data Protection Officer:
Dr. Phil Griffiths
Email: sar@thedpo.co.uk