Privacy Policy

Last Updated: July 06, 2026

This Privacy Policy describes how Floralpro 2025 Ltd ("we," "our," or "us"), trading as BLUME, collects, uses, stores, and protects your information. This policy complies with the Google API Services User Data Policy, including the Limited Use requirements.

1. Introduction

BLUME is a flower shop management system that helps florists manage events, calculate costs, track inventory, and streamline business operations. This Privacy Policy explains how we collect, use, store, and protect your personal information and data from third-party integrations.

2. Information We Collect

2.1 Account and User Information

When you create an account with BLUME, we collect:

  • Account Information: Account name, email address, billing email, phone number, website
  • Business Details: Business address (address line 1, address line 2, city, state/region, postal code, country), tax ID, account type
  • User Information: First name, last name, email address, time zone, preferred language, currency preference, country code
  • Authentication Data: Encrypted passwords, password reset tokens, email confirmation tokens
  • Two-Factor Authentication: OTP secrets and backup codes (if enabled)
  • Account Assets: Logo and avatar images uploaded to your account

2.2 Business Data

As you use BLUME, we collect and store:

  • Events: Event names, dates, descriptions, status, locations, client assignments, reference numbers
  • Clients: Client names, contact information, addresses, notes, Xero contact IDs
  • Flower Orders: Flower order details, items, quantities, pricing, arrival dates, pickup dates
  • Flowers: Flower catalog entries, names, descriptions, pricing (high/low season), images
  • Suppliers: Supplier information, contact details, order history
  • Materials: Additional materials catalog, pricing, inventory tracking
  • Hire Items: Hire item catalog, pricing, availability
  • E-Signatures: Signature requests, signed documents, signature tokens, completion status

2.3 Google Calendar Data

When you connect your Google Calendar account to BLUME, we access the following Google Calendar data:

  • Calendar Events: Event titles (summary), descriptions, locations, and metadata
  • Event Times: Start dates, start times, end dates, and end times
  • Attendees: Information about event attendees when present in your calendar events
  • Calendar IDs: Your primary calendar identifier and any calendar IDs you select for synchronization
  • Event Metadata: Event IDs, HTML links, and other calendar event properties

We store OAuth tokens (access tokens and refresh tokens) that are required to maintain your connection to Google Calendar. These tokens are encrypted at rest in our secure database.

2.4 Xero Accounting Data

When you connect your Xero account to BLUME, we access the following Xero data:

  • Organization Information: Xero organization (tenant) ID, organization name
  • Contacts: Contact names, email addresses, addresses, phone numbers, account numbers, tax numbers
  • Transactions: Invoice and quote data including line items, amounts, due dates, reference numbers
  • Accounting Settings: Tax rates, account codes, payment terms, invoice settings
  • Bills: Supplier bill information when syncing flower orders as bills

We store OAuth tokens (access tokens and refresh tokens) that are required to maintain your connection to Xero. These tokens are encrypted at rest in our secure database.

2.5 Payment Information

When you subscribe to BLUME, we collect payment information through Stripe:

  • Billing Information: Billing email, billing address, payment method details (processed securely by Stripe)
  • Subscription Data: Subscription plan, billing period, payment history, subscription status
  • Payment Processing: Payment transactions are processed by Stripe. We do not store full credit card numbers or CVV codes

Note: BLUME uses Stripe for payment processing. Credit card information is collected and stored securely by Stripe, not by BLUME. We only receive payment confirmation and subscription status information from Stripe.

2.6 Usage and Technical Data

We automatically collect certain technical information:

  • Log Data: IP addresses, browser type, device information, access times, pages viewed
  • Cookies: Session cookies for authentication and application functionality
  • Error Reports: Application errors and performance data for troubleshooting

3. How We Use Your Information

3.1 General Use

We use your information to:

  • Provide and maintain the BLUME service
  • Process transactions and manage subscriptions
  • Send you service-related communications (notifications, updates, support)
  • Improve our services and develop new features
  • Ensure security and prevent fraud
  • Comply with legal obligations

3.2 Google Calendar Integration

We use Google Calendar data exclusively for the following purposes:

  • Sync Events: Synchronize events created in BLUME to your Google Calendar
  • Display Events: Display your Google Calendar events within the BLUME calendar interface
  • Create Events: Create new calendar events in Google Calendar on your behalf when you create events in BLUME
  • Update Events: Update existing Google Calendar events when you modify corresponding events in BLUME
  • Delete Events: Remove events from Google Calendar when you delete them in BLUME
  • Sync Delivery Dates: Sync flower delivery arrival and pickup dates to Google Calendar as reminders
  • Import Events: Import Google Calendar events into BLUME when you choose to do so

We do not use Google Calendar data for any other purposes, including but not limited to advertising, marketing analytics, or training artificial intelligence models.

3.3 Xero Integration

We use Xero data exclusively for the following purposes:

  • Sync Contacts: Synchronize client information from BLUME to Xero as contacts
  • Create Invoices/Quotes: Create invoices or quotes in Xero based on BLUME events
  • Update Invoices: Update existing Xero invoices/quotes when you modify corresponding events in BLUME
  • Sync Supplier Bills: Create bills in Xero for supplier flower orders when requested
  • Retrieve Contact Information: Retrieve existing Xero contact information to populate client details

We do not use Xero data for any other purposes, including but not limited to advertising, marketing analytics, or training artificial intelligence models.

4. Data Storage & Security

4.1 Storage

Your data is stored securely in our cloud database:

  • Primary Storage: PostgreSQL database hosted on Railway.app cloud infrastructure
  • File Storage: Account logos, avatars, and uploaded files are stored securely
  • OAuth Tokens: Google Calendar and Xero OAuth tokens are stored encrypted at rest
  • Payment Data: Payment information is stored by Stripe, not in our database

4.2 Security Measures

We implement industry-standard security measures to protect your data:

  • Encryption at Rest: All sensitive data, including OAuth tokens and passwords, is encrypted using Rails' built-in encryption mechanisms
  • Encryption in Transit: All data transmitted between your browser and our servers uses HTTPS/TLS encryption
  • Secure Cloud Provider: Our application and database are hosted on secure cloud infrastructure (Railway.app) with restricted access
  • Access Controls: Only authorized BLUME personnel with necessary permissions can access encrypted data, and only for support purposes
  • Token Refresh: OAuth tokens are automatically refreshed before expiration to maintain secure connections
  • Password Security: Passwords are hashed using bcrypt and never stored in plain text
  • Two-Factor Authentication: Available for additional account security

5. Data Sharing

We do not sell, rent, or share your personal data or third-party integration data with third parties.

We may share your data only in the following limited circumstances:

  • Service Providers: We use trusted third-party service providers who act as data processors:
    • Railway.app: Cloud hosting provider (acts as data processor, contractually obligated to maintain security standards)
    • Stripe: Payment processor (handles payment information securely, compliant with PCI DSS)
    • SendGrid: Email delivery service (for transactional emails only)
  • Legal Requirements: We may disclose data if required by law or to protect our rights and safety
  • Business Transfers: In the event of a merger, acquisition, or sale, your data may be transferred as part of the transaction

We do not share Google Calendar or Xero data with:

  • Advertising networks
  • Data brokers
  • Analytics services (except for basic application performance monitoring)
  • Third-party service providers (except our secure cloud hosting provider, which acts as a data processor)

6. Data Retention & Deletion

6.1 Retention Period

We retain your data for as long as necessary to provide our services:

  • Account Data: Retained while your account is active
  • Business Data: Events, clients, orders, and other business data are retained while your account exists
  • OAuth Tokens: Google Calendar and Xero tokens are stored until you disconnect the integration
  • Payment Data: Retained as required by law and for accounting purposes

6.2 Deletion

You can request deletion of your data at any time:

  • Account Deletion: Contact us to delete your account and all associated data
  • Integration Disconnection: When you disconnect Google Calendar or Xero:
    • All OAuth tokens are immediately deleted from our database
    • All integration connection settings are removed
    • Synced data remains in the third-party service (Google Calendar/Xero) but is no longer accessed by BLUME
  • Data Export: You can export your data before deletion by contacting us

To request data deletion, contact us at admin@blumequote.com.

7. User Rights & Controls

You have complete control over your data:

  • Access: You can access and view all your data through the BLUME interface
  • Update: You can update your account information, preferences, and business data at any time
  • Delete: You can request deletion of your account and data
  • Export: You can request a copy of your data
  • Revoke Integration Access: You can disconnect Google Calendar or Xero at any time:
    • Google Calendar: Go to Google Account → Security → Third-party apps with account access, or disconnect in BLUME settings
    • Xero: Disconnect in BLUME settings, or revoke access in Xero's connected apps settings
  • Sync Controls: For Google Calendar, you can choose sync direction (BLUME → Google, Google → BLUME, or both)

8. Compliance with Google API Services User Data Policy

This app complies with the Google API Services User Data Policy, including the Limited Use requirements.

We adhere to Google's requirements for accessing user data:

  • We only request access to Google Calendar data necessary for the synchronization features
  • We use Google Calendar data solely to provide the functionality described in this privacy policy
  • We do not use Google Calendar data for advertising or marketing purposes
  • We do not transfer Google Calendar data to third parties except as necessary to provide the service
  • We maintain appropriate security measures to protect Google Calendar data

9. Cookies and Tracking

We use cookies and similar technologies to:

  • Maintain your login session
  • Remember your preferences
  • Ensure application security
  • Monitor application performance

We do not use cookies for advertising or tracking across other websites. You can control cookies through your browser settings.

10. Children's Privacy

BLUME is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.

11. International Data Transfers

BLUME is operated from New Zealand. Your data may be stored and processed in servers located outside your country of residence. By using BLUME, you consent to the transfer of your data to these locations. We ensure appropriate safeguards are in place to protect your data in accordance with this Privacy Policy.

12. Contact Information

If you have questions about this Privacy Policy or our data practices, please contact us:

Company Name: Floralpro 2025 Ltd

Contact Email: admin@blumequote.com

Country: New Zealand

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of any material changes by:

  • Posting the new Privacy Policy on this page
  • Updating the "Last Updated" date
  • Sending an email notification for significant changes

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

This Privacy Policy is effective as of July 06, 2026 and applies to all users of BLUME.