Security & Compliance

Your data is safe.We built it that way.

Childcare data is some of the most sensitive information there is. Bloomily uses enterprise-grade security practices to keep it protected.

AI Transparency

AI you can trust with your families

Bloomily's assistant works on words and operations — never the child.

Words and operations, never the child

The assistant helps with the busywork — drafting messages, translating, summarizing, and handling admin. It never scores behavior, profiles children, or watches them.

Your data never trains AI models

Children's and families' information is never used to train external AI models.

You stay in control

The assistant suggests and drafts; you decide what happens. It works inside your permissions, never around them.

Built for children’s privacy

COPPA-aligned data handling: we collect only what is needed, honor parental consent, and restrict access to sensitive records.

Data Protection

Your data is encrypted everywhere it goes and everywhere it lives. Row-level security means organizations can never see each other's data.

All data encrypted in transit (TLS 1.3) and at rest (AES-256)
Row-Level Security (RLS) ensures organizations can only access their own data
Database backups with point-in-time recovery
No data shared between tenants

Access Controls

Fine-grained permissions keep staff focused on what they need. Session management and security headers protect against common attack vectors.

9 granular staff roles with module-level permissions
TOTP MFA support for administrator and platform-team accounts
Session management with automatic timeouts
CSRF protection on all forms
Security headers (HSTS, CSP, X-Frame-Options)

Infrastructure

Built on proven infrastructure with enterprise-grade reliability. Automatic failover keeps your data safe and your service running.

Hosted on SOC 2 Type II certified infrastructure providers
PostgreSQL 17 with enterprise reliability
Automatic failover and high availability
Regular security patches and updates

Childcare-Specific

Childcare data is sensitive. Bloomily is built with that in mind, from COPPA-aware handling to restricted access for medical information.

COPPA-aware data handling practices
Photo sharing with parent consent controls
Medication and allergy data with restricted access
Audit trails for sensitive operations

Privacy

We take privacy seriously. Analytics are configured with privacy defaults, and we never sell your data.

Session recording disabled for sensitive pages
Input masking enabled by default in analytics
No selling of customer data
Data deletion available on request

Questions about security?

Our team is happy to discuss our security practices in detail.

No card · Nothing to install · You can't break anything