Privacy policy

What we collect, why we collect it, and the choices you have.

Effective 1 January 2025. Questions? Email hello@blumi.app.

Blumi ("we", "us", "our") is an Australian platform committed to protecting the privacy of every person who uses our service — participants, families, support workers, practitioners and administrators. We handle personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). This policy explains what personal information we collect, how we use it, who we share it with, and the choices you have.

1. Who we are

Blumi is a software platform designed for organisations supporting neurodivergent people. When your organisation uses Blumi, your organisation is the controller of the personal information you enter, and Blumi acts as a processor on its behalf.

2. Information we collect

Account information

When you create an account we collect your name, email address, role, organisation, and password (stored as a salted hash). Participants who sign up via an enrolment code provide their name and email.

Health and support information

Blumi is used to record behaviour logs, mood check-ins, goals, milestones, forms and notes about participants. This information is sensitive and is treated as such.

Communication content

Messages sent through Blumi's safeguarded messaging are stored so authorised members of a thread can read them.

Technical information

We log basic technical information (IP address, browser, timestamps) for security, debugging and abuse prevention.

3. How we use information

  • To provide the Blumi service to you and your organisation.
  • To keep your account and data secure.
  • To send essential service notifications (account, security, billing).
  • To improve Blumi based on aggregate, de-identified usage patterns.
  • To meet legal obligations.

We do not sell your personal information. We do not use participant data to train third-party AI models.

4. Sharing

We share personal information only with:

  • People in your organisation who have been granted access.
  • Sub-processors we use to run Blumi (hosting, email delivery, error monitoring) under written agreements that protect your data.
  • Regulators or courts where we are required by law.

5. Where your data lives

Blumi data is hosted in Australia using providers that meet recognised security standards. Where any limited processing occurs overseas (for example, transactional email delivery), we take reasonable steps to ensure overseas recipients comply with APP 8 (cross-border disclosure) before disclosing personal information.

6. How long we keep data

We keep personal information for as long as your organisation needs it to provide care, and for any longer period required by NDIS, clinical or legal record-keeping obligations. When you or your organisation deletes data, we remove it from active systems within 30 days and from backups within 90 days.

7. Your rights

Under APP 12 and APP 13 you can ask to access or correct your personal information at any time. Contact your organisation's administrator or email privacy@blumi.app. If you're unhappy with how we've handled your information you can lodge a complaint with us first and then, if unresolved, with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

8. Children

Blumi is used to support people of all ages, including children. Where a child is the participant, an authorised adult must set up the account and remains responsible for the use of the platform.

9. Security

We use role-based access, audit logging, encrypted backups and the principle of least privilege. We comply with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth) — if an eligible data breach affects you, we'll notify you and the OAIC as soon as practicable.

10. Changes

If we make material changes we'll notify you in-app or by email before they take effect.

11. Contact

Questions? Email privacy@blumi.app.