Privacy Policy

Introduction

This Privacy Notice tells you how Baby Bloom (referred to as "the Company," "we," "us," or "our") collects and processes your information, especially your personal data. We assure you that this Privacy and Personal Data Protection Policy ("Privacy Policy") fully respects and complies with Ukraine's privacy laws, including the Law of Ukraine "On Personal Data Protection."

Useful Definitions

To help you understand our Privacy Policy, here's what some important terms mean:

  • Personal Data: This is any information that can identify you, directly or indirectly. This could be your name, ID number, address, contact details, or even online identifiers. It also includes factors specific to your physical, mental, economic, cultural, or social identity.

  • Personal Data Breach: This happens when there's a security incident that leads to your personal data being accidentally or unlawfully destroyed, lost, changed, or accessed without authorization.

  • Controller: This is the person or organization that decides why and how your personal data will be processed. In the context of our services, Baby Bloom acts as a Controller for much of the data we collect.

  • Processor: This is a person or organization that processes personal data on behalf of the Controller.

  • Processing: This refers to any action performed on personal data. This includes collecting it, recording it, organizing it, storing it, changing it, retrieving it, using it, disclosing it, or deleting it.

  • Third Party: This is any person or organization other than you (the data subject), Baby Bloom (the Controller), our Processors, or anyone authorized to process data under our direct authority.

The Controller

For personal data where we determine the purposes and means of processing, the Controller is:

Baby Bloom
Starokonstyantynivska 22
Khmelnytskyi, 29000
Ukraine
Email: info@babybloom.info

Principles we adhere to

At Baby Bloom, we're committed to and follow these core principles for processing personal data, as outlined in relevant privacy regulations:

  • Lawfulness, Fairness, and Transparency: We process your personal data legally, fairly, and openly.
  • Purpose Limitation: We collect your data for specific, clear, and legitimate reasons, and we won't process it in a way that doesn't align with those purposes.
  • Data Minimisation: We only collect and process the personal data that is absolutely necessary for the purposes we've identified.
  • Accuracy: We ensure your data is accurate and, when necessary, kept up to date. We take all reasonable steps to quickly erase or correct any inaccurate personal data.
  • Storage Limitation: We keep personal data in a form that allows us to identify you for no longer than is necessary, or as required by law.
  • Integrity and Confidentiality: We process your data securely, protecting it against unauthorized or unlawful processing, as well as accidental loss, destruction, or damage, by using appropriate technical and organizational measures.

Ultimately, we are able to demonstrate our compliance with all these principles, upholding our commitment to accountability.

Collection of Personal Data

As the Data Controller, Baby Bloom collects your Personal Data in the following situations:

  • When you contact us directly or indirectly: This includes reaching out via our email, through our partners, or through our social media accounts to get information about our services or ask questions.
  • When you use our services, collaborate with us, or participate in events related to our service delivery.
  • When you complete any of our forms or interact with our social media accounts.
  • When you visit our website or our physical premises.
  • If you are applying for a job with us.
  • If you are one of our employees.

Additionally, please note that we also process personal data that third parties (usually other companies or organizations) share with us when we act as a Data Processor on their behalf. In such cases, those third parties are responsible for properly informing you about how your data is being handled.

Minors’ Personal Data

We collect and process the personal data of minors only when we have verifiable parental consent and are able to control the data collection. For instance, it's not possible for us to control information that is communicated to us online without such controls.

Categories of Data Subjects

As the Data Controller, Baby Bloom processes personal data related to the following groups of individuals:

  • Individuals or executives from legal entities who contact us.
  • People who receive our services, or those connected to the delivery of our services. This also includes individuals and employees of our suppliers and other companies we work with.
  • Job applicants seeking employment with us.
  • Visitors to our physical premises, our website, and our social media accounts.
  • Our employees.

When we act as a Data Processor (meaning we process data on behalf of another company), the responsibility to inform you about the categories of data subjects and the personal data being processed lies with that specific Controller.

Kind of Personal Data we may collect about you as the Controller

When Baby Bloom acts as the Data Controller, we may collect and process specific categories of your personal information. This is done on a case-by-case basis, not all at once, to fulfill the purpose of data collection and based on the legal grounds described in this Policy:

  • Contact Details: Your name, surname, address, telephone number, email, or details of another person you designate.
  • User Account Information: Details you choose to upload in our applications if you are a user (client) of our services.
  • Occupational Information: Your occupation, position, and company.
  • Agreement Details: Information related to agreements you or involved persons have, such as ID card or passport numbers, ARC numbers, dates and places of birth, nationality, passport issue and expiry dates, service terms, dates, signatures, and amounts.
  • Payment and Transaction Details: Your IBAN, account number, tax number, preferred payment method, payment terms, and depositor's details.
  • Incident Investigation Data: Details about incidents, information on involved persons, or related data.
  • Client or Provider History: Information about satisfaction, transaction details, claims, problems, terms, and data used for assessing individuals and situations.
  • App/Website/Social Media Data: This includes cookies, your full name or nickname, information you publicly disclose and comments on social media, or email attachments.
  • Curriculum Vitae (CV) Data: If you apply for a job with us, this includes information about your studies, competencies, previous work experience, and any other details you provide in your CV.

Please note that we collect additional types of personal data from our employees. They receive this information through internal documents, manuals, policies, and procedures.

Purposes of Processing & the Legal Bases of Data Processing

As the Data Controller, Baby Bloom processes your personal data based on specific "legal bases" as defined by relevant data protection regulations (e.g., Article 6 or Article 9 for special categories of personal data).

Most often, our collection and processing of your personal data rely on one of the following legal bases:

  • Your Consent: We process your data when you've given us your clear consent (or explicit consent for special categories of personal data). We will never collect or process special categories of your personal data without your explicit consent.
  • Contractual Necessity: Processing is necessary to fulfill a contract with you, or to take steps you request before entering into a contract.
  • Legal Obligation: We process your data to comply with our legal and statutory duties.
  • Legitimate Interests: We process data to safeguard our legitimate interests, provided these interests don't override your fundamental rights and freedoms.

Here's how these legal bases apply to specific processing purposes:

  • Consent: This applies when you contact us (directly or indirectly) because you're interested in our services or working with us, when you fill out our documents, make a complaint, visit our social media accounts, give us your business card, or agree to receive information from us.
  • Performance of a Contract: This applies when you've agreed to receive our services, when you are our employee or collaborator, during the payment of our liabilities, or when we contact you as part of a contract.
  • Compliance with Legal Obligations: This covers processing needed to meet our legal duties to various authorities like labor law bodies, regulatory authorities, tax, accounting, auditing, and judicial authorities, or in connection with our contractual obligations or during liability payments.
  • Safeguarding Legitimate Interests: This includes processing to improve our services, investigate and manage potential incidents, receive payments, or assess individuals and situations.

Our employees receive specific internal documents detailing the processing purposes and legal bases relevant to their data.

Retention of Data Period

We store your personal data only for as long as it's needed for the specific processing purpose and any related, permitted purposes.

  • Data collected due to contractual and legal obligations will be kept even after those obligations expire, as required by the relevant legal framework.
  • Cookies are stored for periods depending on their type, as explained in our Cookies Policy.
  • Personal data you provide as a job candidate is stored for 12 months, or until you withdraw your consent for its processing.
  • Data necessary for our legitimate interests as a Controller will be kept until the reason for its storage no longer exists.
  • Specifically, data we process based on your consent is kept from the moment you give consent until you withdraw it, or until it's no longer necessary to store it.

Information that is no longer needed is securely destroyed or anonymized. We limit access to your personal data to only those employees who need it for a specific purpose.

How we ensure the security of Personal Data

At Baby Bloom, we've implemented strong organizational and technical measures to protect the personal data we collect, especially any sensitive categories of data. We follow international standards, like the ISO 27001:2022 Standard and best practices, to ensure our operations are secure. You can be assured that your personal data is processed securely and legally, as we adhere to strict policies and implement procedures in line with our processing purposes and legal bases.

For example, here are some of the security measures we use to protect personal data against unauthorized use or any other form of unauthorized processing:

  • Restricted Access: Access to personal data is limited to a small number of authorized employees on a "need-to-know" basis. Any necessary data transfer happens through secure procedures.
  • Encryption and Pseudonymization: We use encryption and pseudonymization methods whenever appropriate.
  • Confidentiality & Limited Access: Our employees are bound by strict confidentiality rules and agreements, with classified access limited only to the necessary data.
  • Trusted Collaborators: We carefully select our partners who commit in writing, in line with relevant regulations (e.g., Article 28), to the same data protection obligations. We also reserve the right to audit them as permitted by law (e.g., Article 28(3)(h)).
  • Robust ICT Systems: Our IT systems used for processing personal data include all necessary technical measures to prevent loss, unauthorized access, or other illegal processing. We also continuously monitor access to these systems to detect and prevent unauthorized use early on. While no data transfer over the internet or a website can be guaranteed to be fully protected from cyberattacks, we strive to maintain strong physical, electronic, and procedural security measures to safeguard your data.

For obvious reasons, some of our specific security measures are not publicly disclosed.

Recipients

At Baby Bloom, we minimize who receives the personal data we process as the Controller. We only share your personal data with third parties when it's fully legally justified. When third parties process this data, it's usually for viewing purposes only. In specific circumstances—especially for authorities, legal cases, payments, or incident investigations—the third-party recipient might retain the data.

Specifically, certain personal data we lawfully collect as a Controller may be accessed or disclosed on a case-by-case basis by:

  • Relevant supervisory authorities when fulfilling their roles.
  • Any public or judicial authority if required by law or a court decision.
  • The company's auditor, for necessary data to complete their audit (financial, employment, contracts, and other controls), under strict confidentiality.
  • Legal advocates, for any data required in legal cases, under strict confidentiality.
  • Our collaborating insurance company, but only for the relevant part of the information.
  • Partner banks (of the company, staff, affiliates, or suppliers), strictly for payment-related data.

Territorial Scope

The personal data we collect is processed within the European Economic Area (EEA) and/or in an area covered by an adequacy decision according to Article 45 of the GDPR.

Your rights as a Data Subject and how you can exercise them

You have important rights regarding your personal data. These include the right to be informed, the right to consent (when applicable), the right of access to your data, the rights of rectification and erasure (where permitted), the right to restriction of processing, the right to data portability, and the right to object. If your data processing is based on your consent, you can withdraw it at any time.

  • Right to be Informed: We fulfill this right through this privacy and personal data protection notice. This information may also be included in some of our forms.

  • Automated Decision-Making: We want to inform you that we do not use software for decision-making based solely on automated processing, including profiling.

  • Right of Consent: We've designed our processes to review all activities and will ask for your consent whenever it's the appropriate legal basis.

  • Right of Access: You have the right to get confirmation from us about whether your personal data is being processed, along with other relevant information. If it is, you have the right to access that data.

  • Right of Rectification: You can ask us to correct any inaccurate personal data we hold about you. You also have the right to have incomplete personal data completed by providing additional information.

    • Note: We can't know about changes to your personal data unless you tell us. Please help us keep your information accurate by informing us of any updates to your personal details that we process.
  • Right to Erasure ('Right to be Forgotten'): We must respond to your request for erasure when:

    • Your personal data is no longer needed for the purposes for which we collected it.
    • You withdraw your consent, and there is no other legal basis for processing.
    • Your personal data has been unlawfully processed.
    • We are legally obligated to erase your personal data.
    • Your personal data was collected in connection with the offer of information society services.
    • Baby Bloom reserves the right to refuse this request if processing is necessary to comply with a legal obligation, for reasons of public interest, or for the establishment, exercise, or defense of our legal claims (as per relevant regulations, e.g., Article 17 § 3).
  • Right to Restriction of Processing: You have the right to request that we limit the processing of your data when:

    • You dispute the accuracy of your personal data, for a period allowing us to verify its accuracy.
    • The processing is unlawful, and you prefer to restrict its use rather than have it erased.
    • We no longer need your personal data for the purposes of processing, but you require it for the establishment, exercise, or defense of legal claims.
    • You have objected to processing while we verify whether our legitimate grounds override yours.
  • Right to Data Portability: You have the right to receive your data in a structured, commonly used, and machine-readable format. You can also explicitly request that your data be transferred directly to you and/or to another person or organization that will process it, provided:

    • The processing is based on your consent or was done to fulfill a contract you were part of.
    • The processing is carried out by automated means.
  • Right to Object: You have the right to object to the processing of your data at any time when the reason for processing is related to direct marketing.

If you make a written or electronic request regarding any of the above rights, we will assess it and respond within one month of receipt. We will either fulfill your request, provide objective reasons for not fulfilling it, or, given the complexity and number of requests, ask for an extension of up to two additional months (as per relevant regulations, e.g., Article 12.3).

Exercising your rights is free of charge. However, if your requests are clearly unfounded or excessive, especially if they are repetitive, we may refuse to answer or charge you an administrative fee.

If you are dissatisfied with how we use your data or our response after you've exercised your rights, you have the right to lodge a complaint with a supervisory authority.

Personal Data Breach

If there's a breach of the security and integrity of the personal data we process, Baby Bloom will take the following steps (in line with relevant regulations, like Articles 33 and 34, when we are the Controller):

  • Assess the situation to put in place the necessary procedures to limit the breach's impact.
  • Examine the extent of the breach and the sensitivity of the data involved.
  • Evaluate the risk and its potential impact on your rights and freedoms.
  • Work to minimize any damage that has been or could be caused.
  • If required, notify the National Personal Data Protection Authority within 72 hours of becoming aware of the breach.
  • Assess the impact on your privacy and take appropriate measures to prevent the incident from happening again.

If Baby Bloom is acting as a Data Processor during a breach, we will inform the Data Controller as soon as possible.

Links to other Websites

Our website might have links to other sites that Baby Bloom doesn't operate or control. If you click on one of these third-party links, you'll be taken to that site. We strongly recommend that you review the Privacy Policy of every site you visit. We have no control over, and assume no responsibility for, the content, privacy policies, or practices of any third-party sites or services.

Contact details with the National Data Protection Authority

If you are dissatisfied with how your data is handled or our response to your privacy rights requests, you have the right to lodge a complaint with the Ukrainian Parliament Commissioner for Human Rights (Ombudsman), who acts as the supervisory authority for personal data protection in Ukraine. You can contact them via email at hotline@ombudsman.gov.ua.

For additional information and terminology related to data protection regulations, you can refer to the official legal texts, such as those found on https://zakon.rada.gov.ua/laws/show/2297-17#Text (for the Law of Ukraine "On Personal Data Protection").

Contact us

If you have any questions, want to make a request about your rights, or have any other concerns related to personal data protection, you can always contact Baby Bloom.

You can reach us by email at info@babybloom.info, or by mail at:

Baby Bloom
Starokonstyantynivska 22
Khmelnytskyi, 29000
Ukraine

We primarily communicate in English or Ukrainian.

Policy Update

This policy was last updated on July 10, 2025. We may review it again if there's a significant change, and any updates will be available on our website with a clear effective date.