Privacy Policy
Last updated: 16 March 2026
Everything's Computer LLC ("we," "us," "our") operates Fernbloom, a booking and payments platform for independent practitioners. This privacy policy explains how we collect, use, store, and share your personal data when you use our website at fernbloom.co and our application at app.fernbloom.co (together, the "Service").
We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable data protection laws.
1. Data controller
The data controller for personal data collected through the Service is:
Everything's Computer LLC
Email: support@fernbloom.co
We do not currently have a Data Protection Officer, as we do not meet the threshold requiring one under Article 37 of the GDPR. For all privacy-related enquiries, please contact us at support@fernbloom.co.
If you are a client of a practitioner who uses Fernbloom, the practitioner is the data controller for your booking and session data. We act as a data processor on their behalf. This policy covers our processing activities; your practitioner's own privacy practices may differ.
2. What data we collect
Data you provide directly
Account data (practitioners)
- Name, email address, phone number
- Practice name, profession, location, timezone
- Profile photo or logo
- Booking page URL (slug)
- Authentication credentials (via Google or Microsoft OAuth)
Account data (clients)
- Name, email address, phone number
- Authentication credentials (via Google OAuth or magic link)
Booking and payment data
- Programs purchased, session history, booking dates and times
- Payment amounts, transaction records, Stripe customer identifiers
We do not store credit card numbers. Payment card data is processed directly by Stripe.
Data we receive from third parties
We also receive personal data from the following sources:
- Google and Microsoft (via OAuth): your name, email address, and profile information when you sign in with your Google or Microsoft account
- Google Calendar and Microsoft Calendar: calendar availability, free/busy information, and event details when you connect your calendar
- Stripe: payment confirmation data and transaction status
- Practitioners: if you are a client, your practitioner may provide us with your name, email, and phone number to create your account
Data collected automatically
Usage and analytics data
- IP address, browser type, device type, operating system
- Pages visited, features used, session duration
- Referral source
Calendar data
- Calendar availability and free/busy information from connected Google or Microsoft calendars
- Calendar event details for sessions created through Fernbloom
- OAuth access tokens and refresh tokens (stored encrypted with AES-256-GCM)
Communication data
- Email addresses and message content for transactional emails (booking confirmations, reminders, payment receipts)
3. Whether providing data is required
Providing your name and email address is necessary to create an account and use the Service. If you do not provide this data, we cannot provide the Service to you.
Providing your phone number is optional but may be required by your practitioner for booking purposes.
Connecting a calendar (Google or Microsoft) is optional. If you choose not to connect a calendar, availability must be managed manually within Fernbloom.
4. How we use your data
| Purpose | Legal basis (GDPR) |
|---|---|
| Provide the Service (accounts, bookings, payments, calendar sync) | Performance of contract (Art. 6(1)(b)) — necessary to deliver the service you signed up for |
| Send transactional emails (confirmations, reminders) | Performance of contract (Art. 6(1)(b)) — necessary to keep you informed about your bookings |
| Process payments via Stripe | Performance of contract (Art. 6(1)(b)) — necessary to process your purchases |
| Sync with Google or Microsoft calendars | Consent (Art. 6(1)(a)) — granted when you authorise the calendar connection during OAuth |
| Analyse usage to improve the Service | Legitimate interest (Art. 6(1)(f)) — our interest in understanding how the Service is used so we can improve its reliability, performance, and user experience |
| Prevent fraud and abuse | Legitimate interest (Art. 6(1)(f)) — our interest in protecting the platform and its users from fraudulent or abusive activity |
| Comply with legal obligations (tax records, fraud prevention) | Legal obligation (Art. 6(1)(c)) |
5. Third-party services and data processors
We share personal data with the following third-party services, each acting as a data processor:
| Service | Purpose | Data shared |
|---|---|---|
| Supabase (AWS infrastructure) | Database, authentication, file storage | All account, booking, and session data |
| Stripe | Payment processing | Name, email, phone, payment card data, transaction amounts |
| Google (OAuth, Calendar, Meet) | Authentication, calendar sync, video meetings | Google account identity, calendar events, availability |
| Microsoft (Azure AD, Calendar, Teams) | Authentication, calendar sync, video meetings | Microsoft account identity, calendar events, availability |
| Resend | Transactional email delivery | Email addresses, names, booking details |
| Vercel | Application hosting and deployment | HTTP request data, IP addresses |
| Google Analytics | Website analytics | IP address, device info, page views, interactions |
| PostHog | Product analytics | Usage events, device info, anonymised identifiers |
| Google Fonts | Font delivery | IP address, browser user-agent (implicit via CDN request) |
We require all processors to handle your data in compliance with applicable data protection laws. Where processors are located outside the European Economic Area (EEA), transfers are protected by Standard Contractual Clauses (SCCs) or equivalent safeguards.
6. International data transfers
Everything's Computer LLC is based in the United States. If you are located in the EEA, UK, or Switzerland, your personal data will be transferred to the United States and processed there. No adequacy decision currently covers all US-based processors. We ensure appropriate safeguards for these transfers through:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Data Processing Agreements with all sub-processors
- The EU-U.S. Data Privacy Framework, where applicable
You may request a copy of the safeguards we use for international transfers by contacting us at support@fernbloom.co.
7. Cookies and tracking
We use cookies and similar technologies for:
| Type | Purpose | Duration |
|---|---|---|
| Essential | Authentication, session management, security | Session / 30 days |
| Analytics | Google Analytics and PostHog usage tracking | Up to 2 years |
| Preferences | Remembering your settings and choices | 1 year |
You can control cookie preferences through your browser settings. Disabling essential cookies may prevent the Service from functioning correctly.
8. Data retention
We retain your personal data for as long as your account is active or as needed to provide the Service. Specifically:
- Account data: retained until you delete your account
- Booking and session data: retained for the duration of the practitioner's account, plus 7 years for financial record-keeping obligations
- Payment records: retained for 7 years as required by tax and accounting regulations
- Analytics data: retained for up to 26 months
- Calendar tokens: deleted when the calendar connection is revoked or the account is deleted
When you delete your account, we delete or anonymise your personal data within 30 days, except where retention is required by law.
9. Your rights
Under GDPR and other applicable laws, you have the following rights. Exercising these rights is free of charge, although we may charge a reasonable fee for manifestly unfounded or excessive requests.
- Access: request a copy of the personal data we hold about you
- Rectification: request correction of inaccurate or incomplete data
- Erasure: request deletion of your personal data ("right to be forgotten")
- Restriction: request that we limit how we use your data
- Portability: receive your data in a structured, machine-readable format
- Objection: object to processing based on legitimate interest, including any direct marketing
- Withdraw consent: withdraw consent at any time for processing based on consent (e.g., calendar sync). Withdrawing consent does not affect the lawfulness of processing carried out before the withdrawal.
To exercise any of these rights, contact us at support@fernbloom.co. We will respond within 30 days.
If you are a client of a practitioner using Fernbloom, please contact your practitioner directly for requests related to your booking and session data. They are the data controller for that information.
Right to complain
You have the right to lodge a complaint with a supervisory authority. If you are in the UK, you can contact the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Telephone: 0303 123 1113
If you are in the EEA, you can contact your local data protection authority. A list of EEA data protection authorities is available at edpb.europa.eu.
10. Automated decision-making
We do not currently make decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects on you.
11. Data security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption in transit (TLS) and at rest
- AES-256-GCM encryption for stored OAuth tokens
- Role-based access controls
- Regular security reviews
12. Children's privacy
The Service is not intended for children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
13. Changes to this policy
We may update this privacy policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "last updated" date. For significant changes, we will notify you by email.
If we intend to process your personal data for a purpose other than that for which it was collected, we will inform you of that new purpose and any relevant additional information before doing so.
14. Contact us
If you have questions about this privacy policy or our data practices, contact us at:
Everything's Computer LLC
Email: support@fernbloom.co