Data minimisation
Bloom’s most effective data loss prevention control is to not hold the data in the first place.- No customer personal data is stored. Email addresses and phone numbers submitted through the storefront widget are validated and passed straight to Shopify and Klaviyo. They are never written to Bloom’s database.
- Shopify and Klaviyo are the systems of record. All customer personal data lives there, under their own security, backup, and access controls.
- Bloom stores operational data only. Shop configuration, settings, pre-order and selling-plan config, aggregated analytics, billing state, and session tokens. No names, addresses, emails, or phone numbers.
Technical controls
- Encryption in transit. All data travels over HTTPS/TLS. Customer contact details submitted via the storefront proxy reach Shopify and Klaviyo over encrypted connections only.
- Encryption at rest. Application data is stored in Cloudflare D1 and R2, both encrypted at rest by Cloudflare. Backups inherit that encryption.
- Point-in-time recovery. Cloudflare D1 Time Travel restores to a point in time, recovering from accidental deletion or corruption.
- Soft deletion. Records are soft-deleted - for example an
uninstalled_attimestamp on uninstall - not hard-deleted, preventing accidental irreversible loss and supporting controlled cleanup. - Environment separation. Production and staging run against separate databases. Production data never leaks into lower environments.
- Secret management. Runtime secrets - API keys, tokens - are stored in 1Password and injected at deploy time. Secrets are never committed to source control.
- Error reporting hygiene. Sentry is configured to exclude merchant and customer data - emails, IDs, tokens - from error and performance monitoring.
- Access logging. Customer personal data is reachable only through the Shopify and Klaviyo admin interfaces, which log administrative access and login history. These logs are the audit trail and are reviewed periodically.
- Mandatory privacy webhooks. Bloom implements Shopify’s
customers/redact,customers/data_request, andshop/redactwebhooks to honour data subject and erasure requests.
Policies and standards
- Least privilege. Access to systems that can reach customer personal data - Shopify, Klaviyo, Cloudflare - is limited to staff who need it for their role and reviewed periodically.
- Strong authentication. Staff accounts on every system handling or able to reach customer data require strong passwords and multi-factor authentication.
- Retention. Personal data is not retained by the app. Operational data is kept only as long as needed to run the service and is removed following uninstall.
- Change management. Code changes are reviewed and deployed through CI. Database changes are applied through versioned migrations.
- Incident response. Suspected data loss or breach is handled under our incident response policy, which defines severity, roles, escalation, and notification obligations.
