Data processing addendum

How Blumi handles personal information you enter into the service, aligned to the Australian Privacy Principles.

Effective 1 January 2025. Questions? Email hello@blumi.app.

1. Roles

You (the customer) are the APP entity responsible for the personal information you collect from your participants and team. Blumi handles that personal information on your behalf and only on your documented instructions, consistent with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

2. Subject-matter & duration

Blumi processes personal information to provide the Blumi platform for the duration of your subscription, plus any limited retention period set out in the Privacy Policy.

3. Nature & purpose of processing

Storage, organisation, retrieval, consultation, analysis, transmission and deletion of personal information necessary to provide the platform you've contracted for.

4. Categories of personal information

  • Identification and contact data (names, emails, phone numbers).
  • Role and organisational data.
  • Sensitive health and support data: behaviour logs, mood data, notes, goals, forms.
  • Communication content within the platform.

5. Sub-processors

We engage a limited set of sub-processors (hosting, email delivery, error tracking). A current list is available on request. We'll notify you before adding or replacing a sub-processor and give you an opportunity to object.

6. Security

We maintain appropriate technical and organisational measures, including encryption in transit and at rest, role-based access controls, audit logging, regular backups and a documented incident response plan.

7. Personnel

Our personnel are bound by confidentiality and access personal information only on a need-to-know basis.

8. Data subject rights

We'll provide reasonable assistance so you can respond to data subject requests under applicable law.

9. International transfers

Personal information is hosted in Australia. Where any limited disclosure to an overseas recipient is required (for example a transactional email provider), we take reasonable steps under APP 8 to ensure the recipient handles the information consistently with the APPs.

10. Breach notification

We'll notify you without undue delay after becoming aware of an eligible data breach affecting your data, and will assist you to meet your obligations under the Notifiable Data Breaches scheme (Part IIIC of the Privacy Act 1988 (Cth)).

11. Audits

We'll make available information reasonably required to demonstrate compliance with this DPA and allow audits subject to reasonable confidentiality and security conditions.

12. Return or deletion

On termination, we'll return or delete personal information as you instruct, subject to any retention required by law.