Privacy Policy
Last updated: April 19, 2026
1. Introduction
Marketing Bloom ("we", "us", or "our") operates the website marketingbloom.ai and the related web application (together, the "Service"). This Privacy Policy explains what information we collect, how we use it, when we share it, and the rights you have over it.
By creating an account or connecting a third-party service, you agree to this Policy. If you do not agree, please do not use the Service.
2. Information We Collect
2.1 Account information
Name, email address, password (stored as a salted hash), organization name, role, and timezone.
2.2 Content data
Text, images, videos, blog drafts, hashtags, captions, and any other content you upload for distribution or scheduling. We store this to execute the Service you requested.
2.3 Third-party platform credentials
When you connect a social media, analytics, or search-console account, we receive and store OAuth access tokens and refresh tokens on your behalf. These tokens are encrypted at rest (AES-256-GCM) and are never shared with other users or third parties. We do not store your platform passwords.
2.4 Usage data
Server logs (IP address, user agent, page path, response status), feature usage telemetry, performance metrics. This is used to operate and improve the Service.
2.5 Payment data
Payment is processed by Stripe. We store only the last 4 digits of your card and the billing zip/country. Full card details are held by Stripe under its own privacy policy.
3. Google API Services & User Data
Marketing Bloom's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
3.1 Scopes we request and why
We only request the minimum Google OAuth scopes needed to operate the features you see in the product. When you connect your Google account, Google will show you exactly which scopes are being requested.
- openid email profile — used exclusively to identify your Google account during sign-in and display your name and avatar inside the app.
- https://www.googleapis.com/auth/youtube — used to publish videos you explicitly author in the Marketing Bloom editor to your own YouTube channel, including setting custom thumbnails via thumbnails.set. The narrower youtube.upload scope cannot set thumbnails or update video privacy after upload, so the broader youtube scope is required.
- https://www.googleapis.com/auth/youtube.readonly — used to read your YouTube channel metadata and video statistics so we can show your YouTube data alongside your other platforms in the Analytics dashboard.
- https://www.googleapis.com/auth/youtube.force-ssl — used to fetch comments on your YouTube videos and to post replies when you click "Reply" from inside the Marketing Bloom unified Inbox. The narrower youtube scope is read-only for comments; force-ssl is required to post replies.
- https://www.googleapis.com/auth/yt-analytics.readonly — used to pull YouTube Analytics reports (views, impressions, engagement) for the Analytics dashboard.
- https://www.googleapis.com/auth/analytics.readonly — used to read Google Analytics 4 session, conversion, and revenue data for the property you select, so we can attribute website outcomes to the social posts you distributed through the Service.
- https://www.googleapis.com/auth/webmasters — used to read Search Console performance data (queries, pages, impressions, clicks, position) for sites you own, and — during onboarding — to register a site you have just verified ownership of, so you do not need to leave the app and re-enter Search Console manually. We do not modify or delete Search Console data.
- https://www.googleapis.com/auth/siteverification — used during onboarding to generate a DNS TXT verification token and request verification on your behalf for domains you claim to own. Used once, during setup, at your explicit direction.
3.2 What we do with Google user data
Google user data is used only to provide or improve user-facing features that are visible to the requesting user. Specifically:
- Display your YouTube, GA4, and Search Console data inside your own Marketing Bloom dashboard.
- Compute derived insights (content decay alerts, striking-distance keywords, AI Overview citations, FAQ mining, etc.) that we surface to you inside your own account.
- Attribute website conversions back to the social post that drove them, using UTM tags we generate on links you distribute.
- Publish content to your YouTube channel when you explicitly click "Publish" inside the Marketing Bloom editor.
3.3 Limited Use — what we do NOT do with Google user data
We do not:
- Transfer Google user data to serve ads, including retargeting, personalized advertising, or interest-based advertising.
- Use or transfer Google user data to determine credit-worthiness or for lending purposes.
- Sell, rent, or transfer Google user data to data brokers, third parties, or any other party for commercial purposes.
- Use Google user data to train, fine-tune, or develop generalized AI/ML models. The AI features in Marketing Bloom (content decay briefs, FAQ clustering, AI Overview citation detection, etc.) call Anthropic's Claude API in real time with only the minimum context needed for that user's specific request; no Google user data is retained by, or used to train, any AI model.
- Allow humans to read Google user data, except (a) with your explicit consent, (b) for security investigations, (c) to comply with applicable law, or (d) where the data has been aggregated and anonymized for internal operations.
3.4 Retention & deletion of Google user data
Refresh tokens and cached reports are retained only while the relevant integration is connected. When you disconnect a Google integration (Settings → Integrations → Disconnect), we immediately revoke the refresh token with Google and delete cached reports for that integration within 7 days. When you delete your account, all Google user data is purged within 30 days.
3.5 Revoking access
You can revoke Marketing Bloom's access to your Google account at any time from inside Marketing Bloom (Settings → Integrations → Disconnect) or from Google's third-party access page at myaccount.google.com/permissions.
4. Meta Platforms (Facebook, Instagram, Threads)
Marketing Bloom uses Meta's Graph API to publish content and read analytics on user-owned Facebook Pages, Instagram Business / Creator accounts, and Threads profiles. Our use of data obtained through Meta APIs complies with the Meta Platform Terms and Developer Policies.
4.1 Permissions we request
- pages_show_list, pages_read_engagement, pages_manage_posts — list the Facebook Pages you manage, read your own page insights (reach, engagement, demographics you already see in Meta Business Suite), and publish posts to those Pages at your direction.
- instagram_basic, instagram_content_publish, instagram_manage_comments, instagram_manage_insights — read your own Instagram Business account profile + media, publish posts and Reels at your direction, read and reply to comments inside our Inbox, and pull insights for your own account.
- business_management (advanced access only) — resolve which Business Portfolio an account belongs to so we can route data into the correct workspace. Not used to make changes.
- threads_basic, threads_content_publish, threads_manage_insights, threads_manage_replies — publish + read your own Threads profile content and replies.
4.2 What we do with Meta data
- Publish posts, Reels, Stories, and videos you authored inside the Marketing Bloom editor to the Pages / Instagram accounts / Threads profiles you connected.
- Read engagement metrics (views, likes, comments, shares, reach, saves) for your own content and surface them inside your Analytics dashboard.
- Read comments + DMs where the scope allows, surface them in the Inbox, and send replies you type.
4.3 What we do NOT do with Meta data
- Transfer or sell Meta user data to third parties other than the service providers listed in Section 6.
- Use Meta data for advertising targeting, retargeting, or any ads served outside of Meta itself.
- Train or fine-tune generalized AI/ML models on Meta user data.
- Access any data beyond what the user-facing feature requires.
4.4 Revoking Meta access
You can revoke Marketing Bloom's access to your Meta accounts from inside Marketing Bloom (Connections → Platforms → Disconnect) or from Meta's Business Integrations page at facebook.com/settings?tab=business_tools. When Meta notifies us that you have removed our app or submitted a Data Deletion Request, we immediately deactivate the affected account and purge cached data within 7 days.
4.5 Data Deletion Request URL
Meta App Review requires apps to provide a callback URL that processes automated deletion requests. Our callback endpoints are:
- Facebook: https://api.marketingbloom.ai/api/v1/platforms/facebook/delete
- Instagram: https://api.marketingbloom.ai/api/v1/platforms/instagram/delete
- Threads: https://api.marketingbloom.ai/api/v1/platforms/threads/delete
Users can also request deletion directly at marketingbloom.ai/data-deletion.
5. How We Use Other Information
- To operate and maintain the Service
- To distribute content to the platforms you have explicitly connected and selected
- To send account, billing, and operational notifications
- To respond to support requests
- To compute analytics and insights that are shown back to you inside your own account
- To comply with legal obligations
6. Data Sharing
We do not sell your personal information. We share data only with:
- Third-party platforms you connect — to publish content at your direction and read analytics you have authorized. Each platform handles data under its own policy.
- Infrastructure providers — AWS (server hosting, Singapore region), Cloudflare (DNS, CDN), Cloudflare R2 (media storage), Anthropic (AI model inference), Stripe (payments). Each of these is bound by a data-processing agreement and may only process data on our instructions.
- Legal authorities — where required by valid legal process, after we have reviewed the request and, where legally permissible, notified you.
7. Data Security
Transport encryption (TLS 1.2+), at-rest encryption for OAuth tokens (AES-256-GCM), salted password hashing (bcrypt), role-based access control, least-privilege service accounts, routine dependency and vulnerability scanning. No system is perfectly secure; report any suspected issue to [email protected].
8. Data Retention
We retain active-account data while your account is open. On account deletion, personal data is removed within 30 days, with narrow exceptions for billing records required by law. See our Data Deletion page for details.
9. Your Rights
You have the right to:
- Access your personal data
- Correct inaccurate data
- Export your data
- Delete your account and associated data
- Withdraw consent for data processing
- Lodge a complaint with your local data-protection authority (EEA/UK users)
To exercise any right, email [email protected].
10. Cookies
We use first-party cookies for authentication and session management. We do not use third-party advertising or tracking cookies.
11. Children's Privacy
The Service is not intended for users under the age of 13 (or 16 in the EEA). We do not knowingly collect information from children.
12. International Transfers
Our primary data hosting is in Singapore (ap-southeast-1). If you are located outside Singapore, your data will be transferred there and stored under our commitments in this Policy. EEA/UK users: transfers rely on Standard Contractual Clauses where required.
13. Changes to This Policy
We may update this Policy. Material changes will be announced by email and via an in-product banner at least 14 days before taking effect.
14. Contact
Questions about this Policy or your data: [email protected].