Bianca Lopes



Our business is a people’s business: we want to connect with you. That means we need to collect some of your personal information.

The following privacy notice outlines what, when, how and why we collect data.

Reading it won’t take much of your time (4 minutes, to be exact).


Data privacy matters.

Data privacy and ethics is one of the most important topics of our time. Yet currently it’s nothing more than a footnote, designed to deceive people from its meaning and power. Together, we can change this. Break down barriers, jargon and make it more accessible.

My business and its online presence is built with this in mind.

Data linked to you

The following data is collected and linked to you

Data not linked to you

The following data is collected and not linked to you

Data linked to you

The following data is collected and linked to you

Data not linked to you

The following data is collected and not linked to you

“We” and “Our” in this notice means “Bloom Media”. That’s the company as a legal fiction I use to run my business. “You” means you as a human, website visitor or potential commercial or non-commercial partner.

What, when and why we collect your data

As a website vistor

We believe in data minimisation. So when you visit this website, we don’t collect any personal data. We’re using a privacy preserving analytics service called Plausible. No cookies required.

If you want to learn more about Plausible and the way they approach web analytics, check the company’s data policy.

When you contact us

When you contact us via webform we collect the information you share with us. This will allow us to start a conversation with you about working together or any other enquiries. We only collect the bare minimum:

  • Your name
  • Your email address
  • The message you share

This data passes through our hosting provider’s servers in the Netherlands, GreenGeeks. Our email service provider is ProtonMail.

Learn more about how they approach data security and privacy:

How and wy we process data

Legal basis for processing

Our legal grounds for processing your “non sensitive” personal data is contract because we only process personal data to:

  1. fulfil a contractual obligation to you (e.g. start a commercial conversation and deliver a service to you); or
  2. do something asked by you with the intent of entering into a contract (e.g. discuss a speaking engagement, request a workshop, ask us to meet you regarding a business challenge you have, etc.)

Automated decision making and profiling

We do not use your personal data to automatically evaluate or make inferences about who you are, what you might think and how you might act.

We do not use your personal data to make automated decisions about you.

Much rather, we’d like to start a personal conversation and find mutual value in building a sustainable relationship.

Data accuracy

Our operational processes ensure that the data we process is accurate.

You can reach out at any time via to:

  • Request and view the data we have on you
  • Correct it in case it’s not accurate, and;
  • Have us delete it if you no longer want us to use it in any way

Sharing your data

Your data is not our business. We do not and will never engage in the direct exchange of your data.

The services we use for our business act as data processors, so they have access to your personal data. Let’s use an example. When you choose to contact us via our contact form, our hosting provider would process this data on our behalf. The message is sent to our email address managed by ProtonMail.

In the context of the European General Data Protection Regulation, this means we are a controller (“A controller determines the purposes and means of processing personal data”) and GreenGeeks is a processor (“A processor is responsible for processing personal data on behalf of a controller).

The exact services and data we or they have access to is detailed above, in the second clause of this policy.

Security of your data

The limited personal data we process is secured via role-based access rights. Executing risk-based workflows helps to decrease the likelihood of breaches. However, if we believe a data breach may have occurred, we execute an operational process aligned to what is specified under Art. 33 of the GDPR. If this ever happens, we notify the supervisory authority without undue delay, and at the latest within 72 hours after having become aware of the breach we:

  1. Assess the incident
  2. Mitigate the impact
  3. Communicate with relevant stakeholders, and;
  4. Ensure any preventable weaknesses are improved as quickly as possible


In other words, if we make a mistake, we’ll own it and ensure we don’t make it again.

Your data rights

Your data is yours. You should control it and you should benefit from sharing it, if you choose to do so.

If you’ve shared your data with us directly and want to:

  1. View what we have
  2. Receive a copy of what we have
  3. Edit what we have, or;
  4. Delete what we have


You are more than welcome to do it. Get in touch via to request or discuss any matter regarding your data. We’ll need evidence of your identity before we can grant access to information about you. This is to protect the privacy of you and others.

Our obligations

We’re bound by specific jurisdictional regulations. But we’re not going to stop there. We will do whatever we can to make our use of data as safe and human-centric as possible. Our focus first and foremost is doing the right thing by you. With this approach, regulations and requirements will naturally be met.

Updating this notice

We plan to grow our business. As it happens, our use of data will evolve as long as it aligns to our core values.

This version is dated 20/09/2021.

If any changes are made to this Privacy Notice affect you as a client directly, we will let you know via email.

If you have read this far, it means Data Privacy is as important to you as to us.

Thank you.